Learn PHP the right way or don't even try

Hi,

I was recently trying to learn PHP and MySQL. In fact I was so happy that I knew how to pull and write data, but I’m now a little scared since two of my websites were recently hacked. I was reading about security and they all talk about hackers looking for poorly written code, especially PHP and MySQL databases, so I kind of stopped my learning since I don’t think I will ever get to the level where I can be programming thinking about security vulnerabilities. So I’m wondering if I should continue learning, or if I should really consider the security issues this will bring if I use my code. I’m planning on using PHP and MySQL to create small databases where I will be reading and writing data.

Can simple databases be an issue?

Can you guys please give me your opinion? Is PHP really a good target for hackers?

Thanks a lot

I think it’s even harder than that. Not only is PHP common, but it has always been a first-rate language because it’s so easy to learn… and that means there’s an AWFUL lot of PHP code on the internet written by beginners.

With respect, any hacker is a security expert just because that’s what they spend time doing, making and breaking security as opposed to developers who have to learn a hundred other topics as well. Do you need to think defensively? Absolutely. But it is radically naive to think that even a modestly gifted hacker couldn’t hack the website of virtually every developer on this site. If you’re not a trained security expert, you are not going to be able to keep out a determined hacker. So does that mean we should all give up web development? That’s pretty harsh, and I don’t believe it’s at all true.

Everyone goes through a learning curve. Learn from your mistakes and your experiences. It’s not important to create an unhackable site, just don’t attempt a website that’s out of your reach. Your first website should not be a custom e-commerce site that handles credit card info or sensitive personal information. If you want to work on that, then you do need to become a security expert. But you don’t have to be a security specialist to write websites. You just should be careful that you don’t build anything that you can’t provide the appropriate level of protection for. You can get by with no authentication and a database whose only security is a backup if all you’re doing is running an app which catalogs your CD collection.

There’s a new edition out, but for 90% of what you want to do, that should be fine. Follow Yank’s insights and use PDO for accessing your database (because of its built-in security), and you’ll be ahead of most of the PHP websites out there.

Thanks a lot for your comments! I will give it a try and see where I can get…

Good articles, thanks.

What’s the year published for the edition of Kevin’s book that you’ve got? The current edition was published last year (5th Aug 2009)

Any software that can be connected to a network risks being cracked open, and the biggest network there is is called the web.

PHP is the most common backend scripting language, so of course it is the biggest target.

You have to think defensively when writing anything which is connected to the web otherwise you have no business being on it.

Try this series of articles for beginners, they should wise you up pretty quickly. Then dive back in again, and post your code here if you’d like someone to glance over it if you are still unsure, but don’t give up.

Thanks a lot guys!

Did you ever read “Build your own database driven websites using PHP and MySQL” by Kevin Yank?

I own this book but I stopped reading it since it’s old and may not be updated.

Once you are into the basics, you could read “PHP Anthology”, which is a much better book and also explains using PHP PDO.

The thing is that I may not have enough projects to practice on. As I said, I was trying to learn it to interact with databases, but just basic interactions like read and write.

Thank you all for your help

I came across this article a few days ago, which might be worth a read:

Don’t give up so quickly. Carry on your learning, and explore each issue/problem you face. For example, your website was hacked which I believe was a MySQL injection done by the hacker. There are plenty of ways to avoid MySQL injection, such as using PHP’s PDO etc.

Did you ever read “Build your own database driven websites using PHP and MySQL” by Kevin Yank? I think it would be a good start to read that book. Once you are into the basics, you could read “PHP Anthology”, which is a much better book and also explains using PHP PDO.

Good luck.

There are many things hackers can do to break in. The majority of attacks are successful because of the use of unfiltered user input. Here are a few things I follow in my coding to make my sites secure.

  • ALWAYS filter and restrict user input. For example, if it’s a person’s name there is no need for numbers or + or - etc.

  • Make your setup unconventional. I have created my own setup which is based on MVC, with the majority of files outside the web-accessible folder, which enhances security significantly.

  • Filter URLs. Check the URL before routing it.

  • Log your traffic and stay on top of what is happening on your site by checking the logs on a regular basis.

  • Backup your site every month so if something crazy happens you don’t have to start over.

Hope this helps.

@Chroniclemaster1 - yes, in hindsight I suppose my comment was overly caustic and you make good points about the level of security knowledge needed for each type of application.

The sad fact is that newcomers cannot easily judge what is the right level of security they should be studying. Trying to study it all is very time consuming, but it really helps if you are slightly paranoid to start off with, IMO.

Full marks to the OP for holding his/her hands up and asking for help though.

I think once you’ve grasped the basics of XSS and SQL injection attacks and how to protect yourself, you will have read lots of what might seem to be occasionally conflicting information over many websites, and it helps a lot to keep coming back to a cornerstone principle: the acronym FIEO - Filter Input, Escape Output.

First of all thank you all for your replies!

What’s the year published for the edition of Kevin’s book that you’ve got? The current edition was published last year (5th Aug 2009)

Mine is the first edition, “Copyright © 2004 SitePoint Pty. Ltd”, Build Your Own Database Driven Website Using PHP & MySQL by Kevin Yank.

Thanks

Thank you all for your comments!

Don’t give up!

It might help if you made a new post with a few examples and asked what your security problems are, there are usually a few things you can do to fix 99% of your problems. You don’t need to put aside PHP to learn security, but learn a little security and a little PHP at the same time.

One thing you should consider is using PDO for your database connections; it might seem really confusing at first though! You create prepared statements, and it escapes your strings for you. This might take a while to get the hang of. It’s not required, but some time in the future you’ll want to do it.

If you just do a little PHP a day you’ll have a few years pass, and you won’t regret practicing it!!!
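To make the PDO/prepared-statement advice in this reply (and the FIEO principle and the "always filter user input" list earlier in the thread) concrete, here is an added example that is not code from any poster. It assumes an in-memory SQLite database so it runs without a MySQL server; the `users` table, the function names and the sample names are all constructed for the illustration.

```php
<?php
// Added example: Filter Input, Escape Output (FIEO) plus PDO prepared statements
// for a tiny "read and write" task. SQLite in memory stands in for MySQL here;
// swap the DSN for 'mysql:host=...;dbname=...' in a real site.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// FILTER INPUT: a person's name gets letters, spaces, dots, hyphens and
// apostrophes only, with a length limit. Reject anything else, don't "clean" it.
function filterName(string $raw): ?string {
    $name = trim($raw);
    if ($name === '' || strlen($name) > 60) return null;
    return preg_match("/^[\\p{L} .'-]+$/u", $name) ? $name : null;
}

// ESCAPE OUTPUT: stored data is never echoed into HTML unescaped (XSS defence).
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// VULNERABLE (the pattern behind most "my site got hacked" stories): the value
// is glued into the SQL string, so its characters can change the query itself.
function findUserVulnerable(PDO $db, string $name): array {
    return $db->query("SELECT id, name FROM users WHERE name = '$name'")
              ->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: a prepared statement sends the value separately from the SQL, so it
// is only ever compared as data, whatever characters it contains.
function findUser(PDO $db, string $name): array {
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function addUser(PDO $db, string $raw): bool {
    $name = filterName($raw);
    if ($name === null) return false;            // filtered out, nothing written
    $stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    return $stmt->execute([':name' => $name]);
}

// Constructed sample inputs: one legitimate name with an apostrophe, one junk.
addUser($db, "O'Brien");
addUser($db, "<script>alert(1)</script>");       // rejected by filterName()

try {
    findUserVulnerable($db, "O'Brien");          // the quote breaks the SQL
} catch (PDOException $e) {
    echo "vulnerable query failed on a perfectly legitimate name\n";
}
foreach (findUser($db, "O'Brien") as $row) {     // hardened: works as intended
    echo '<li>' . h($row['name']) . "</li>\n";
}
```

The same apostrophe that makes the concatenated query throw an error is exactly what an attacker probes for; the prepared statement removes the problem rather than escaping around it.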

You just try on… PHP/MySQL is easy to learn… to have good work experience, 2 years is enough. It was in my case… But the possibilities are almost unlimited… The only limit is time :smiley:

Then it is pretty easy to learn other scripting languages, because they are all similar in the basics :D

For each PHP task that you want to do, study about it in books or on the net. Pay closer attention to articles that mention the security aspects of that task than ones that just say “here’s a way to do this…”. Do whatever research is necessary to determine what’s the proper secure way to do that task. Then write your code using that method. When you need to do a similar thing later, you’ll be able to copy and reuse your original code, knowing that you studied how to do it right the first time.

Then go through that process for your next task. No need to hurry. The learning is the important thing at first, not getting an end result as fast as you can.