auday1982 — 2011-09-11T15:28:57-04:00 — #1
I am not a pro, but I will be. I was a beginner and will always be!
Security worries me... I can not trust my code!!!
How can I create a good website if I fear my own code will be a trouble maker?
Do you have any suggestion? please do not suggest a ready to use CMS or blog!!!
scallioxtx — 2011-09-11T17:59:00-04:00 — #2
The trick to security in PHP is FIEO, Filter Input, Escape Output.
It is your job to filter this output, and make sure you don't accept any illogical or otherwise invalid value, strip tags, etc, etc.
And do not ever write anything to any data source (like a database) you haven't checked at all.
Escape Output: Here you assume that everything you did in the "Filter input" step didn't work (although hopefully it did!) and you have to prevent from propagating your problem on to the users. For example, you don't want that XSS attack to someone entered into a textfield to actually work, so you run the contents through htmlentities() which makes sure tags don't render as tags but will be output as plain text on the screen rendering the XSS attack useless.
As you can see the main trick is to be creative and think about everything that can go wrong, assume it will, and then prevent it
silversurfer5150 — 2011-09-11T17:14:41-04:00 — #3
Yes security is often a worry and I also am not a pro but I'm getting better the more code I write.
With regards to php , security can often be weakened by a lack of regard for sensitive information stored client-side ( by the user's browser ) using the $SESSION and $COOKIE superglobals.
For example, if you tell the script to save the user's password using setcookie() remember that cookies are still available for someone else to access from the browser after the user has closed it down (depending on the duration set). I prefer to use $_SESSION which ensures that any such information is destroyed when the browsing session ends.
Also be aware of things like SQL inject - this is a method by which someone can ectend your existing SQL statements by typing certain code into eg. the password field on a page, allowing them to access someone else's account. Anyway I will let you read up on these things, hmm that's all I can think of for now, gd luck