Posted by Justin Koivisto on 11/03/05 17:09
rjames.clarke@gmail.com wrote:
> I am developing an online application and the last thing I need to get
> a handle on is security.
> This app is very heavy with forms. Business critical data will be
> entered via forms and inserted in to a database (mysql).
>
> I've google "php security" and from what I've read, I should:
>
> 1) Filter all form data by stripping all non-alpha/numeric characters
> out,
>
> 2) Have the database on a different server,
>
> 3) Use "POST" not "GET",
>
> 4) Turn global variables off.
>
> 5) Use sessions for logins
>
> Should this do it? Or do I need more precautions?
> Even with all this can I still get hacked?
You should be filtering all input from external sources: user input,
from databases, etc.
You should escape all output before sending it: echo or print
statements, sql queries, etc.
You should be practicing defense in depth, which means you have redundant
safeguards in place just in case something gets through.
I'd suggest reading "Essential PHP Security" by Chris Shiflett (O'Reilly,
ISBN 0-596-00656-X) as well as reading articles on his blog
(shiflett.org), and probably read through the articles on the PHP
Security Consortium website (phpsec.org).
If your application is already written, you have a large job ahead of
you. My suggestion is to do some reading as outlined above and start the
application from scratch. It's really the best way - and in many cases
the least time-consuming way as well.
--
Justin Koivisto, ZCE - justin@koivi.com
http://koivi.com
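As an added illustration of the "filter input, escape output" advice in the reply above (this is example code written for this page, not code from the original post or from Shiflett's book): one form field is validated on the way in, written to the database with a bound parameter rather than string interpolation, and then escaped for HTML when it is read back and printed, since data coming out of the database is still treated as untrusted input. It uses PDO with an in-memory SQLite database so it runs stand-alone (it assumes the pdo_sqlite extension is present); the `customers` table, the field rule, and the sample inputs are constructed for the example.

```php
<?php
// Added example (not from the original post): Justin's "filter input, escape
// output" advice applied to one form field that is stored in a database and
// later displayed on a page. PDO + in-memory SQLite so it runs offline; the
// table, the validation rule and the sample inputs are assumptions.
declare(strict_types=1);

// 1. Filter input: validate against what the field is allowed to contain.
//    Reject bad values instead of silently stripping characters, so what
//    ends up stored is what the user actually submitted.
function filter_customer_name(string $raw): string
{
    $name = trim($raw);
    // Constructed rule for this example: 1..60 bytes, no control characters.
    // Apostrophes are legitimate in names (O'Brien), so they stay allowed;
    // the escaping below makes them safe in SQL and HTML.
    if ($name === '' || strlen($name) > 60 || preg_match('/[\x00-\x1F\x7F]/', $name)) {
        throw new InvalidArgumentException('invalid customer name');
    }
    return $name;
}

// 2. Escape output for SQL: never interpolate values into the query string,
//    bind them as parameters so the driver handles quoting.
function insert_customer(PDO $db, string $name): int
{
    $stmt = $db->prepare('INSERT INTO customers (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    return (int) $db->lastInsertId();
}

function fetch_customer(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT name FROM customers WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['name'];
}

// 3. Escape output for HTML: data read back from the database is still
//    untrusted and is escaped for the context it is printed into.
function html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customers (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT NOT NULL)');

// Constructed inputs: a quote that would break naive SQL, a script tag that
// would break naive HTML output, and a value the filter should reject.
$inputs = ["O'Brien", '<script>alert(1)</script>', "bad\x00name"];
foreach ($inputs as $raw) {
    try {
        $id = insert_customer($db, filter_customer_name($raw));
        $stored = fetch_customer($db, $id);
        echo '<li>' . html($stored) . "</li>\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ' . $e->getMessage() . "\n";
    }
}
```

The first two inputs are stored verbatim and rendered harmlessly (`O&#039;Brien` and `&lt;script&gt;...`), while the third is refused before it reaches the database. Each layer would hold on its own; keeping all three is the redundancy the reply calls defense in depth.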