Posted by pete on 11/03/05 16:14
rjames.clarke@gmail.com wrote:
> I am developing an online application and the last thing I need to get
> a handle on is security.
Not that I'm an expert, but you have this backwards. Security should be
the FIRST, not last, thing you think about.
Your application's security is already doomed to be on the defensive: it's
**much** harder to plug holes than it is to build walls. The only way to
correct this is to re-write the whole thing from scratch.
This is a truism: it's true of any language, not just PHP.
> This app is very heavy with forms. Business critical data will be
> entered via forms and inserted in to a database (mysql).
>
> I've google "php security" and from what I've read, I should:
>
> 1) Filter all form data by stripping all non-alpha/numeric characters
> out,
>
> 2) Have the database on a different server,
>
> 3) Use "POST" not "GET",
>
> 4) Turn global variables off.
>
> 5) Use sessions for logins
>
> Should this do it? Or do I need more precautions?
Oh, god yes.
You need to validate any user input that's destined to the DB for starters.
That alone, when done well, should make your timecard shake in its shoes.
How solid is your application against changes in the database? Do you check
the return of every query? There are *hundreds* of precautions you can take.
Any web scripting language is convenient (although some are more convenient
than others). But they give you a LOT of rope to hang yourself with.
> Even with all this can I still get hacked?
Bob, no offense, but it sounds like you really need to learn a lot more about
PHP *and* security in general if you want to write applications that claim to
be secure. No question is a bad question, but some questions signal that the
asker needs to go back to the books.
Yes. Absolutely, you can get hacked. Even if you do everything correctly, and
it sounds like you already have an insecure application on your hands, you
can get hacked.
Hackers can be *very* smart folk.
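An added example of what "validate any user input that's destined to the DB" and "check the return of every query" look like in practice. This is not code from the original thread or from either poster; it is an illustration of the reply's two points. It assumes PHP 7 or later with PDO, uses an in-memory SQLite database (so it runs stand-alone) in place of the MySQL server the question mentions, and the table name `orders` and the three form fields are constructed for the demo. Against MySQL only the DSN and credentials would change.

```php
<?php
// Added example (not from the original post): per-field whitelist validation,
// a prepared statement for the insert, and a check on every query result.
declare(strict_types=1);

// Per-field rules: a whitelist of what each field may contain. Rejecting bad
// input is safer than stripping characters, which silently alters the data.
const FIELD_RULES = [
    'username' => ['pattern' => '/^[A-Za-z0-9_]{3,32}$/'],
    'email'    => ['filter'  => FILTER_VALIDATE_EMAIL],
    'amount'   => ['pattern' => '/^\d{1,9}(\.\d{1,2})?$/'],
];

/**
 * Validate $input (for example $_POST) against FIELD_RULES.
 * Returns [cleanData, errors]; cleanData is empty if any field fails.
 */
function validateForm(array $input): array
{
    $clean  = [];
    $errors = [];
    foreach (FIELD_RULES as $field => $rule) {
        if (!isset($input[$field]) || !is_string($input[$field])) {
            $errors[$field] = 'missing';
            continue;
        }
        $value = trim($input[$field]);
        $ok = isset($rule['pattern'])
            ? preg_match($rule['pattern'], $value) === 1
            : filter_var($value, $rule['filter']) !== false;
        if (!$ok) {
            $errors[$field] = 'invalid';
            continue;
        }
        $clean[$field] = $value;
    }
    // Fields the form does not define are rejected as well.
    foreach (array_diff_key($input, FIELD_RULES) as $extra => $_) {
        $errors[$extra] = 'unexpected field';
    }
    return $errors ? [[], $errors] : [$clean, []];
}

/** Insert validated data with bound parameters; returns the new row id. */
function insertOrder(PDO $db, array $clean): int
{
    // Placeholders keep the values out of the SQL text, so a value can never
    // change the statement's structure. This, not character stripping, is
    // the real defence against SQL injection; validation is defence in depth.
    $stmt = $db->prepare(
        'INSERT INTO orders (username, email, amount) VALUES (:username, :email, :amount)'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed');
    }
    // Checked explicitly even though ERRMODE_EXCEPTION below would also throw.
    if (!$stmt->execute($clean)) {
        throw new RuntimeException('insert failed: ' . implode(' ', $stmt->errorInfo()));
    }
    return (int) $db->lastInsertId();
}

// --- demo -----------------------------------------------------------------
$db = new PDO('sqlite::memory:');   // MySQL would be 'mysql:host=...;dbname=...'
// Every failed query becomes an exception, so no result goes unchecked.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, username TEXT, email TEXT, amount TEXT)');

// Constructed sample submissions standing in for $_POST.
$good = ['username' => 'alice_1',   'email' => 'alice@example.com', 'amount' => '19.99'];
$bad  = ['username' => 'bad name!', 'email' => 'not-an-email',      'amount' => '19.99'];

foreach ([$good, $bad] as $submission) {
    [$clean, $errors] = validateForm($submission);
    if ($errors) {
        echo 'rejected: ' . json_encode($errors) . PHP_EOL;
        continue;
    }
    echo 'inserted row ' . insertOrder($db, $clean) . PHP_EOL;
}
```

The first submission is inserted; the second is rejected with the username and email marked `invalid` before any SQL runs. The validation layer answers item 1 of the question without mangling data, and the prepared statement plus `ERRMODE_EXCEPTION` answer the reply's "do you check the return of every query?".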