  1. #1
    SitePoint Member

    Security is my obstacle... please help

    Hi,

    I am not a pro, but I will be. I was a beginner and will always be!

    Security worries me... I cannot trust my code!!!

    How can I create a good website if I fear my own code will be a trouble maker?

    Do you have any suggestions? Please do not suggest a ready-to-use CMS or blog!!!

    Thanks

  2. #2
    silversurfer5150 (SitePoint Evangelist)
    Hi there,
    Yes security is often a worry and I also am not a pro but I'm getting better the more code I write.
    With regard to PHP, security can often be weakened by a lack of regard for sensitive information stored client-side (by the user's browser) using the $_SESSION and $_COOKIE superglobals.

    For example, if you tell the script to save the user's password using setcookie() remember that cookies are still available for someone else to access from the browser after the user has closed it down (depending on the duration set). I prefer to use $_SESSION which ensures that any such information is destroyed when the browsing session ends.

    Also be aware of things like SQL injection - this is a method by which someone can extend your existing SQL statements by typing certain code into, e.g., the password field on a page, allowing them to access someone else's account. Anyway, I will let you read up on these things. Hmm, that's all I can think of for now, good luck.
    "Persistence is the path to perfection"
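The SQL injection silversurfer5150 describes, as an added example that is not part of the original thread. It runs against an in-memory SQLite database so it needs nothing but PHP with the pdo_sqlite extension; the table names, the single user row and the payload are all constructed for this example, and the function names loginVulnerable() and loginSafe() are chosen here, not taken from the post.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original thread. Demonstrates how user input
// can "extend" a spliced-together SQL statement, and how a prepared statement
// prevents it. Assumes the pdo_sqlite extension; all data below is constructed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Legacy table with plaintext passwords. Storing plaintext is itself a mistake;
// it is kept here only so the classic injection payload can be shown end to end.
$pdo->exec('CREATE TABLE users_legacy (username TEXT, password TEXT)');
$pdo->exec("INSERT INTO users_legacy VALUES ('alice', 'correct horse')");

// Hardened table: only a password hash is stored.
$pdo->exec('CREATE TABLE users (username TEXT, password_hash TEXT)');
$insert = $pdo->prepare('INSERT INTO users VALUES (?, ?)');
$insert->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// VULNERABLE: the form fields are interpolated straight into the SQL text, so
// whatever the user types becomes part of the statement itself.
function loginVulnerable(PDO $pdo, string $user, string $pass): bool
{
    $sql = "SELECT COUNT(*) FROM users_legacy WHERE username = '$user' AND password = '$pass'";
    return (int) $pdo->query($sql)->fetchColumn() > 0;
}

// HARDENED: the SQL text is fixed and the username is bound as a parameter, so
// it can only ever be compared as data. The password never reaches the database
// at all; it is checked against the stored hash in PHP.
function loginSafe(PDO $pdo, string $user, string $pass): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($pass, (string) $hash);
}

// Constructed payload for the password field. Spliced into the legacy query it
// yields   ... AND password = '' OR '1'='1'   and, because AND binds tighter
// than OR, the WHERE clause is true for every row: the login succeeds with no
// knowledge of the real password.
$payload = "' OR '1'='1";

var_dump(loginVulnerable($pdo, 'alice', 'correct horse')); // legitimate credentials
var_dump(loginVulnerable($pdo, 'alice', $payload));        // injected payload bypasses the check
var_dump(loginSafe($pdo, 'alice', 'correct horse'));       // legitimate credentials
var_dump(loginSafe($pdo, 'alice', $payload));              // same payload is now just a wrong password
```

The fix is not escaping the quote character by hand but keeping SQL text and user data on separate channels, which is what a prepared statement with bound parameters does. Run it with `php` on the command line; the two vulnerable calls both report success, the hardened pair succeeds only for the real password.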

  3. #3
    ScallioXTX
    The trick to security in PHP is FIEO: Filter Input, Escape Output.

    Filter input: Assume users lie. Always. About everything. If they need to fill in an email address, assume they will try "fhdjfhsdkjfsf". If they have to give their age, assume they'll enter 200, or -10. Give them a text box, assume they'll riddle it with all kinds of JavaScript and XSS crap.
    It is your job to filter this input, and make sure you don't accept any illogical or otherwise invalid value, strip tags, etc, etc.
    And do not ever write anything to any data source (like a database) you haven't checked at all.

    Escape Output: Here you assume that everything you did in the "Filter input" step didn't work (although hopefully it did!) and you have to prevent your problem from propagating on to the users. For example, you don't want that XSS attack someone entered into a text field to actually work, so you run the contents through htmlentities(), which makes sure tags don't render as tags but are output as plain text on the screen, rendering the XSS attack useless.

    As you can see, the main trick is to be creative and think about everything that can go wrong, assume it will, and then prevent it.
    Rémon - Hosting Advisor

    Minimal Bookmarks Tree
    My Google Chrome extension: browsing bookmarks made easy
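The FIEO discipline ScallioXTX describes, applied to a small profile form as an added example that is not part of the original thread. The field names (email, age, bio), the two sample submissions, and the helper names filterProfile(), escapeHtml() and renderProfile() are all constructed for this example. Where the post mentions htmlentities(), the example uses htmlspecialchars() with ENT_QUOTES, which escapes the same characters that matter for HTML (&, <, >, both quote styles) without converting every accented character to an entity; either function neutralises the injected script tag.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original thread: Filter Input, Escape Output
// on a constructed profile form. Field and function names are chosen for this
// example only. Needs no extensions beyond PHP's core filter and pcre support.

// FILTER INPUT: assume every field is hostile and reject what is illogical
// rather than trying to repair it. Returns ['ok', 'values', 'errors'].
function filterProfile(array $input): array
{
    $errors = [];
    $values = [];

    // "fhdjfhsdkjfsf" is not an address: FILTER_VALIDATE_EMAIL returns false.
    $email = filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = 'not a valid email address';
    } else {
        $values['email'] = $email;
    }

    // 200 and -10 are not ages: the integer filter enforces a plausible range.
    $age = filter_var($input['age'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 13, 'max_range' => 120]]);
    if ($age === false) {
        $errors['age'] = 'age must be a whole number between 13 and 120';
    } else {
        $values['age'] = $age;
    }

    // Free text: strip control characters, require valid UTF-8 and a length
    // limit. Deliberately no attempt to "remove the JavaScript" here; that is
    // the output step's job, and it must work even if this step is bypassed.
    $bio = (string) ($input['bio'] ?? '');
    $bio = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', $bio) ?? '';
    // The /u flag makes the match fail on invalid UTF-8; .{0,500} caps the
    // length in characters, not bytes.
    if (preg_match('/\A.{0,500}\z/su', $bio) !== 1) {
        $errors['bio'] = 'bio must be valid UTF-8 and at most 500 characters';
    } else {
        $values['bio'] = $bio;
    }

    return ['ok' => $errors === [], 'values' => $values, 'errors' => $errors];
}

// ESCAPE OUTPUT: every value is escaped for the context it lands in. This one
// is for HTML body and attribute text; ENT_QUOTES covers both quote styles so
// the same helper is safe inside attribute values, and ENT_SUBSTITUTE replaces
// any invalid byte sequence instead of returning an empty string.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderProfile(array $values): string
{
    return '<p>Email: ' . escapeHtml($values['email']) . '</p>'
         . '<p>Age: ' . escapeHtml((string) $values['age']) . '</p>'
         . '<p>Bio: ' . escapeHtml($values['bio']) . '</p>';
}

// Constructed submissions: one honest, one exactly the kind the post predicts.
$honest  = ['email' => 'alice@example.com', 'age' => '34', 'bio' => 'Likes tea & cats'];
$hostile = ['email' => 'fhdjfhsdkjfsf', 'age' => '200',
            'bio' => '<script>alert(document.cookie)</script>'];

foreach ([$honest, $hostile] as $submission) {
    $result = filterProfile($submission);
    echo $result['ok'] ? renderProfile($result['values']) : print_r($result['errors'], true);
    echo PHP_EOL;
}

// The "assume filtering failed" half of FIEO: even if the hostile bio had been
// accepted, escaping at output time turns the tags into inert text.
echo escapeHtml($hostile['bio']), PHP_EOL;
```

The two halves are independent on purpose: filtering stops bad data from ever being stored, and escaping on the way out protects readers even when a value reached the database by some path that skipped the filter (an import script, an older form, a bug). The escaping helper is context-specific; a value going into a JavaScript string, a URL or an SQL statement needs a different encoder, not this one.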