Can a beginner build a relatively secure web app written in PHP?
Is it worth trying?
I just completed a beginner college course in PHP, and I am very passionate about making my little school project into a product that people could use. But I am not sure how I can actually make it hacker-proof (okay, maybe just 85% secure).
Like, for example, do I need to use parameterized queries EVERY time I connect to my database OR ONLY when there is user input???
Basically, this app is like a small CMS. Is it possible to make it secure for a total beginner? And how long do you think it might take? And if you’d recommend to keep it as a prototype, how do I show it as a portfolio piece to potential employers online and still keep it secure?
Just from my experience, i would say: if you can’t answer this veryvery basic question by yourself, you are missing a lot of attack vectors to cover. And my answer to the question if you can build a more or less secure web applicaction is: NO.
But don’t stop: security is a main aspect and a running process in software development, and there’s a lot to learn, and nobody came to birth with the perfect security system, have a look at other projects, like the symfony php framework, it has a dedicated security section. Also look at The Open Web Application Security Project (OWASP).
There is a lot more to a website that PHP or another serverside language. And I mean besides HTML, CSS, and JavaScript.
One that it’s good to understand is transfer protocols, HTTP, HTTPS, FTP, FTPS, TCP, UDP, etc.
Another is understanding the filesystem both in terms of organization and especially permission settings.
Database security is more than using parameterized user input. Users with limited roles (eg. Read only not full CRUD) is a good idea. (unfortunately this requires having GRANT which is something I haven’t seen on shared hosting)
If that seems overwhelming, it’s because it can be. That is not do say you shouldn’t build a website. Start with simple pages that don’t require any user supplied input other than a Get Request and hold off on the more risky stuff until you are aware of the possible risks. Take it a step at a time and you’ll eventually get there.