Ceya

Reputation: 13

What are the most important things to do to make a safe PHP/MySQL website?

This is a bit of an opinion question, but overall, what safety precautions would be ideal for a PHP-based website using a MySQL database? This site would include registration and login, and need to protect users' personal information.

Upvotes: 0

Views: 377

Answers (5)

Herbert

Reputation: 5778

A lot of answers came in while I was typing this. I guess they type faster. :-p

All are great answers and I don't know how you'll choose the best one, but most are about the same.

  1. NEVER STORE PASSWORDS IN PLAIN TEXT. Use SHA-2 algorithms with a salt. Store the hash and the salt.

  2. Never trust user input. Sanitize everything that goes into the database before you store it AND anytime you use it.

  3. Use prepared statements. Look into PDO.

  4. Use HTTPS when possible.

These are just a few things to bear in mind. Most important of all: study your @ss off. :-)

Upvotes: 0
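The registration and login flow that the answer above describes (never store plain-text passwords, bind every parameter, use PDO), as an added example that is not part of the original answer. It uses PHP's built-in password_hash()/password_verify() (PHP 5.5+), which generate and embed a random salt for you, so no separate salt column is needed. The table layout users(id, email, password_hash), the DSN and the credentials are assumptions for the example; the function names connect(), registerUser() and loginUser() are this example's own.

```php
<?php
// Added example, not code from the original answer.
// Assumed schema: users(id INT AUTO_INCREMENT PRIMARY KEY,
//                       email VARCHAR(255) UNIQUE NOT NULL,
//                       password_hash VARCHAR(255) NOT NULL)
declare(strict_types=1);

function connect(): PDO
{
    // Placeholder credentials: load real ones from a config file outside the web root.
    return new PDO(
        'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4',
        'app_user',
        'app_password',
        [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly, never silently
            PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepares, no client-side quoting
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
}

function registerUser(PDO $pdo, string $email, string $password): bool
{
    // Reject malformed input before it gets anywhere near the database.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || strlen($password) < 12) {
        return false;
    }
    // password_hash() chooses a random salt and stores it inside the returned string
    // together with the algorithm and cost, so password_verify() can check it later.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // User-supplied values never become part of the SQL text: they are bound as parameters.
    $stmt = $pdo->prepare('INSERT INTO users (email, password_hash) VALUES (:email, :hash)');
    return $stmt->execute([':email' => $email, ':hash' => $hash]);
}

function loginUser(PDO $pdo, string $email, string $password): ?int
{
    // Computed once per process so unknown users still cost one full hash check below.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }

    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(); // false when no such user

    // Always run password_verify(), even for unknown e-mails, so response time
    // does not reveal which addresses are registered.
    $storedHash = ($row !== false) ? $row['password_hash'] : $dummyHash;
    $ok = password_verify($password, $storedHash);
    if ($row === false || !$ok) {
        return null;
    }

    // Transparently upgrade old hashes when PHP's default algorithm or cost changes.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :hash WHERE id = :id');
        $upd->execute([':hash' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return (int) $row['id'];
}

// Usage in a form handler (run per request, over HTTPS):
// session_start();
// $pdo = connect();
// $id = loginUser($pdo, $_POST['email'] ?? '', $_POST['password'] ?? '');
// if ($id !== null) {
//     session_regenerate_id(true);   // new session ID after login, against session fixation
//     $_SESSION['user_id'] = $id;
// }
```

With PDO::ATTR_EMULATE_PREPARES set to false the statement and its parameters travel to MySQL separately, so a value like `' OR 1=1 --` is only ever data. The dummy-hash branch keeps the login path's timing the same whether or not the e-mail exists.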

Vitor M

Reputation: 967

This is a very huge question, and there are dozens of books written solely to answer this question, but here are some important things:

1- Never EVER trust user input data ($_GET and $_POST). Always sanitize everything before printing/saving to the database.

2- Avoid concatenating parameters directly on the SQL. Always use $db->bindParam() or some other similar function.

3- Never store plain text passwords. Use a hashing algorithm always. And to be safe, use a Salt as well.

4- Always expect the worst scenario to happen. Because it will.

5- Read something about XSS, CSRF. And make sure you guard your app against those.

6- Get experienced =)

Upvotes: 1

Tadej Magajna

Reputation: 2963

Golden rule of secure web development: Filter Input, Escape Output

Here is a nice article that sums it up actually: http://shiflett.org/blog/2005/feb/more-on-filtering-input-and-escaping-output

Upvotes: 0
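Vitor M's points 1, 2 and 5 (never trust $_GET/$_POST, guard against XSS and CSRF) and the "Filter Input, Escape Output" rule in the answer above come together in one form handler. The following is an added example, not code from either answer or from the linked article: a profile form whose fields are validated against an allow-list on the way in, escaped for HTML on the way out, and protected by a per-session CSRF token. The field names, the /profile route and the helper names validateProfile(), e(), csrfToken(), csrfCheck() and renderForm() are this example's own assumptions.

```php
<?php
// Added example, not code from the original answers.
declare(strict_types=1);

// ---- Filter input: allow-list what each field may contain, reject everything else ----
function validateProfile(array $post): array
{
    $clean  = [];
    $errors = [];

    $name = trim((string) ($post['display_name'] ?? ''));
    // Letters, digits, space and a few punctuation characters, 1..40 chars (Unicode-aware).
    if (preg_match('/^[\p{L}\p{N} .\'-]{1,40}$/u', $name) !== 1) {
        $errors['display_name'] = 'Display name is required (letters, digits, max 40 characters).';
    } else {
        $clean['display_name'] = $name;
    }

    $email = filter_var((string) ($post['email'] ?? ''), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = 'Enter a valid e-mail address.';
    } else {
        $clean['email'] = $email;
    }

    $site = trim((string) ($post['website'] ?? ''));
    if ($site !== '') {
        $url = filter_var($site, FILTER_VALIDATE_URL);
        // FILTER_VALIDATE_URL accepts any scheme that has a host, so restrict to http(s)
        // before the value is ever placed in an href.
        $scheme = ($url !== false) ? parse_url($url, PHP_URL_SCHEME) : null;
        if ($url === false || !in_array($scheme, ['http', 'https'], true)) {
            $errors['website'] = 'Website must be an http or https URL.';
        } else {
            $clean['website'] = $url;
        }
    }
    return [$clean, $errors];
}

// ---- Escape output: encode for the context the value lands in (here: HTML text/attributes) ----
function e(string $s): string
{
    // ENT_QUOTES encodes both ' and ", so the value is safe inside quoted attributes too.
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// ---- CSRF: a per-session random secret that every state-changing POST must echo back ----
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // CSPRNG, PHP 7+
    }
    return $_SESSION['csrf_token'];
}

function csrfCheck(array $post): bool
{
    $sent = (string) ($post['csrf_token'] ?? '');
    // hash_equals() is constant-time, so the comparison leaks nothing about the token.
    return isset($_SESSION['csrf_token']) && hash_equals($_SESSION['csrf_token'], $sent);
}

// Rendering: every user-derived value passes through e() exactly once, at output time.
function renderForm(array $values, array $errors): string
{
    $html  = '<form method="post" action="/profile">';
    $html .= '<input type="hidden" name="csrf_token" value="' . e(csrfToken()) . '">';
    foreach (['display_name', 'email', 'website'] as $field) {
        $value = $values[$field] ?? '';
        $value = is_string($value) ? $value : ''; // ignore array-valued trickery like field[]=x
        $html .= '<label>' . e($field) . ' <input name="' . e($field) . '" value="' . e($value) . '"></label>';
        if (isset($errors[$field])) {
            $html .= '<span class="error">' . e($errors[$field]) . '</span>';
        }
    }
    return $html . '<button>Save</button></form>';
}

// ---- Request handling ----
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfCheck($_POST)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token.');
    }
    [$clean, $errors] = validateProfile($_POST);
    if ($errors === []) {
        // Persist $clean with a prepared statement, then redirect so a refresh cannot re-POST.
        header('Location: /profile', true, 303);
        exit;
    }
    echo renderForm($_POST, $errors); // re-display the submitted values, escaped
} else {
    echo renderForm([], []);
}
```

Validation and escaping are deliberately separate steps: filtering on input does not remove the need to escape on output, because the same data may later be rendered in a context (HTML attribute, JavaScript, URL) that the input filter knew nothing about.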

Ernestas Stankevičius

Reputation: 2493

You have to know the main things:

  • Users are stupid like monkeys. They click anything anytime.
  • HTTPS
  • Good programming skills
  • HASH + salt
  • PHP bugs
  • All possible ways of hacking website over PHP and MySQL. Fight fire with fire.

Upvotes: 1
