
This is a bit of an opinion question, but overall, what safety precautions would be ideal for a PHP-based website using a MySQL database? This site would include registration and login, and need to protect users' personal information.

Ceya

5 Answers


You have to know the main things:

  • Users are stupid like monkeys. They click anything anytime.
  • HTTPS
  • Good programming skills
  • HASH + salt
  • PHP bugs
  • All possible ways of hacking website over PHP and MySQL. Fight fire with fire.
Ernestas Stankevičius

This is a huge question, and there are dozens of books written solely to answer it, but here are some important things:

1- Never EVER trust user input data ($_GET and $_POST). Always sanitize everything before printing/saving to the database.

2- Avoid concatenating parameters directly into the SQL. Always use $db->bindParam() or some other similar function.

3- Never store plain text passwords. Use a hashing algorithm always. And to be safe, use a Salt as well.

4- Always expect the worst scenario to happen. Because it will.

5- Read something about XSS, CSRF. And make sure you guard your app against those.

6- Get experienced =)

Vitor M
  • I made it huge for a reason... I was hoping this could give noobs like me a general resource on where to start throwing punches :D – Ceya Sep 25 '11 at 21:56

Golden rule of secure web development: Filter Input, Escape Output

Here is a nice article that sums it up actually: http://shiflett.org/blog/2005/feb/more-on-filtering-input-and-escaping-output

Tadej Magajna

The main problems are:

  • SQL injection
  • XSS when outputting data

Here are some links:

How does the SQL injection from the "Bobby Tables" XKCD comic work?
How to prevent SQL injection with dynamic tablenames?
htmlentities() vs. htmlspecialchars()
Salting my hashes with PHP and MySQL
How should I ethically approach user password storage for later plaintext retrieval?

Read them; I hope you will follow the advice in the many answers.

Johan
  • Nice list of links. I read a good answer on SO a few days ago concerning the proper way to hash passwords, but I can't seem to find it now. Guess I should have fav'd it. – Herbert Sep 25 '11 at 22:02
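As an added example for Tadej's "Filter Input, Escape Output" rule and Johan's links on XSS escaping and dynamic table names (this is my own code, not taken from any of the answers), the following shows input validated by type and range, output escaped per context (HTML, URL, JavaScript), and a whitelist for identifiers that prepared statements cannot bind. The function names and the sample requests are constructed for the demonstration.

```php
<?php
// Added example (not code from the answers above): "filter input, escape output",
// plus a whitelist for table names, which cannot be passed as bound parameters.
// Function names, the ALLOWED_TABLES list and the sample inputs are assumptions.
declare(strict_types=1);

// --- Filter input: validate by type and range, and reject rather than "clean". ---
function readPage(array $query): int
{
    // page must be an integer in 1..1000; anything else (including "1; DROP TABLE") falls back to 1.
    $page = filter_var($query['page'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 1000]]);
    return $page === false ? 1 : $page;
}

function readEmail(array $post): ?string
{
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// --- Escape output: the correct escaping depends on where the value lands. ---
function escHtml(string $s): string
{
    // Text nodes and quoted attributes. ENT_QUOTES also covers single-quoted attributes;
    // ENT_SUBSTITUTE keeps invalid UTF-8 from turning the result into an empty string.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function escUrlParam(string $s): string
{
    // A query-string component: htmlspecialchars() is the wrong tool here.
    return rawurlencode($s);
}

function escJs(string $s): string
{
    // Embedding a string inside a <script> block: JSON-encode with the HEX flags so
    // "</script>" and other HTML-significant characters are escaped as \uXXXX.
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// --- Dynamic identifiers: a placeholder cannot stand in for a table name, so whitelist it. ---
const ALLOWED_TABLES = ['users' => true, 'posts' => true];

function tableSql(string $table): string
{
    if (!isset(ALLOWED_TABLES[$table])) {
        throw new InvalidArgumentException('unknown table');
    }
    // Only a value from our own list ever reaches the SQL string; :id is still bound.
    return 'SELECT id FROM `' . $table . '` WHERE id = :id';
}

// Constructed sample requests (stand-ins for $_GET / $_POST).
$xss = '<img src=x onerror="alert(1)">';
echo escHtml($xss), "\n";
echo htmlentities('café & <b>', ENT_QUOTES, 'UTF-8'), "\n";   // htmlentities() also encodes é; htmlspecialchars() leaves it alone
echo escUrlParam('a b&c=d'), "\n";
echo '<script>var name = ' . escJs('</script><script>alert(1)</script>') . ';</script>', "\n";
var_dump(readPage(['page' => '7']), readPage(['page' => '-1; DROP TABLE users']));
var_dump(readEmail(['email' => 'bob@example.com']), readEmail(['email' => 'not an email']));
echo tableSql('users'), "\n";
try {
    tableSql('users`; DROP TABLE users; --');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The point of the three escape functions is that there is no single "sanitize" step that makes a string safe everywhere; the same value needs different treatment in an HTML body, a URL and a script block, and the whitelist handles the one place (identifiers) where binding is not available.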

A lot of answers came in while I was typing this. I guess they type faster. :-p

All are great answers and I don't know how you'll choose the best one, but most are about the same.

  1. NEVER STORE PASSWORDS IN PLAIN TEXT. Use SHA-2 algorithms with a salt. Store the hash and the salt.

  2. Never trust user input. Sanitize everything that goes into the database before you store it AND anytime you use it.

  3. Use prepared statements. Look into PDO.

  4. Use HTTPS when possible.

These are just a few things to bear in mind. Most important of all: study your @ss off. :-)

Herbert
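As an added example covering the overlapping advice in Vitor M's answer (points 1, 2, 3 and 5) and Herbert's answer (points 1 to 3), here is a minimal registration and login flow written for this thread; it is my own code, not code from either answer. It uses PDO prepared statements with bound parameters, PHP's password_hash()/password_verify() (which generate a random salt and store it inside the hash string, so only one column is needed), and a per-session CSRF token. It runs against an in-memory SQLite database so it works offline; the MySQL DSN in the comment, the column names and the 12-character minimum password length are assumptions.

```php
<?php
// Added example for this thread (not code from any of the answers): registration
// and login with PDO prepared statements, password_hash()/password_verify() and a
// CSRF token. Uses an in-memory SQLite database so it runs offline; for MySQL use a
// DSN such as 'mysql:host=localhost;dbname=app;charset=utf8mb4'. Column names and
// the 12-character minimum password length are my own assumptions.
declare(strict_types=1);

function connect(string $dsn = 'sqlite::memory:', ?string $user = null, ?string $pass = null): PDO
{
    $db = new PDO($dsn, $user, $pass, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    if ($db->getAttribute(PDO::ATTR_DRIVER_NAME) === 'mysql') {
        // Real server-side prepares, not client-side string interpolation.
        $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    }
    return $db;
}

function createSchema(PDO $db): void
{
    // Only the hash is stored: password_hash() embeds its random salt in the string.
    $db->exec('CREATE TABLE IF NOT EXISTS users (
        id INTEGER PRIMARY KEY,
        email VARCHAR(255) NOT NULL UNIQUE,
        password_hash VARCHAR(255) NOT NULL
    )');
}

function register(PDO $db, string $email, string $password): bool
{
    // Validate, do not "sanitize": the address is either a valid email or rejected.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || strlen($password) < 12) {
        return false;
    }
    $stmt = $db->prepare('INSERT INTO users (email, password_hash) VALUES (:email, :hash)');
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->bindValue(':hash', password_hash($password, PASSWORD_DEFAULT), PDO::PARAM_STR);
    try {
        $stmt->execute();
    } catch (PDOException $e) {
        return false; // UNIQUE constraint hit: email already registered
    }
    return true;
}

function login(PDO $db, string $email, string $password): bool
{
    // The email is bound as data, so "x' OR '1'='1" is a string that matches nothing.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE email = :email');
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always run password_verify(), against a dummy hash when the account does not
    // exist, so response time does not reveal which emails are registered.
    static $dummyHash = null;
    $dummyHash ??= password_hash('unused', PASSWORD_DEFAULT);
    $ok = password_verify($password, $row['password_hash'] ?? $dummyHash);
    return $row !== false && $ok;
}

// CSRF: a random per-session token that every state-changing form must echo back.
function csrfToken(array &$session): string
{
    $session['csrf'] ??= bin2hex(random_bytes(32));
    return $session['csrf'];
}

function csrfValid(array $session, ?string $submitted): bool
{
    return isset($session['csrf']) && $submitted !== null
        && hash_equals($session['csrf'], $submitted);
}

// Constructed demonstration: $session and $post stand in for $_SESSION and $_POST.
$db = connect();
createSchema($db);
$session = [];
$post = ['csrf' => csrfToken($session), 'email' => 'alice@example.com', 'password' => 'correct horse battery'];

if (csrfValid($session, $post['csrf'])) {
    var_dump(register($db, $post['email'], $post['password']));  // first registration
    var_dump(register($db, $post['email'], $post['password']));  // same email again
}
var_dump(login($db, 'alice@example.com', 'correct horse battery'));
var_dump(login($db, 'alice@example.com', 'wrong password here'));
var_dump(login($db, "x' OR '1'='1", "x' OR '1'='1"));          // classic injection payload, bound as data
var_dump(csrfValid($session, 'forged-token'));
```

Two design notes: password_hash() with PASSWORD_DEFAULT currently selects bcrypt, and the cost factor and salt are part of the stored string, so you can raise the cost later and re-hash on the user's next login without a schema change; and the SQL in this block is identical for SQLite and MySQL, which is exactly why the DSN is the only thing you need to swap.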