Posted by Malcolm Dew-Jones on 11/03/05 19:01
rjames.clarke@gmail.com wrote:
: I am developing an online application and the last thing I need to get
: a handle on is security.
: This app is very heavy with forms. Business critical data will be
: entered via forms and inserted in to a database (mysql).
: I've googled "php security" and from what I've read, I should:
: 1) Filter all form data by stripping all non-alpha/numeric characters
: out,
Not exactly. You should "validate" every input. That means confirm it
has the data you expect it to have.
You should also make sure the data is correctly "escaped" before being
used. The correct way to do that depends on the situation. Before you
use any input in an SQL query, that database's string escape routine
should be used. Before using the data in an html page, a mysql html
escape function should be used. I mentioned SQL - if possible use bind
variables so the data is not used directly in the query at all (then you
don't have to escape it - the database software does it all for you).
: 2) Have the database on a different server,
It also means that the database is accessible via the network, which may
itself be a security risk if you're that concerned about security.
But probably a good idea.
: 3) Use "POST" not "GET",
Things like passwords should be POSTed, so yes.
: 4) Turn global variables off.
Yes.
: 5) Use sessions for logins
Sure.
And what about 6) HTTPS?
: Should this do it? Or do I need more precautions?
: Even with all this can I still get hacked?
Doing the above is a good idea, but only careful coding and review of all
the things involved in the application can prevent being hacked.
--
This programmer available for rent.
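The validate / bind / escape-on-output pattern the reply describes, as an added PHP example that is not from the original post. It assumes PDO with the MySQL driver and a hypothetical `orders` table; the connection details are placeholders.

```php
<?php
// Added example (not from the original post): validate the input, bind it
// into the query, then escape it for the context where it is output.
// Assumes a hypothetical MySQL table `orders` (customer_name, quantity).

function validateOrder(array $post): array
{
    // Validation: confirm each field holds the data you expect, rather than
    // stripping characters (which would mangle legitimate names like O'Brien).
    $name = trim($post['customer_name'] ?? '');
    if ($name === '' || mb_strlen($name) > 100) {
        throw new InvalidArgumentException('customer_name must be 1-100 characters');
    }
    $qty = filter_var($post['quantity'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 10000]]);
    if ($qty === false) {
        throw new InvalidArgumentException('quantity must be an integer 1-10000');
    }
    return ['customer_name' => $name, 'quantity' => $qty];
}

function insertOrder(PDO $db, array $order): int
{
    // Bind variables: the input never becomes part of the SQL text, so no
    // SQL string escaping is needed; the driver sends values separately.
    $stmt = $db->prepare(
        'INSERT INTO orders (customer_name, quantity) VALUES (:name, :qty)'
    );
    $stmt->bindValue(':name', $order['customer_name'], PDO::PARAM_STR);
    $stmt->bindValue(':qty', $order['quantity'], PDO::PARAM_INT);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

function renderConfirmation(array $order): string
{
    // HTML escaping is a separate step from SQL handling: the same value
    // needs the escape routine that matches where it is being used.
    $safeName = htmlspecialchars($order['customer_name'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Thanks, {$safeName}: {$order['quantity']} item(s) ordered.</p>";
}

// Usage with placeholder connection details (constructed, not real):
$db = new PDO('mysql:host=db.example.internal;dbname=shop;charset=utf8mb4', 'app', 'PLACEHOLDER', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);
$order = validateOrder($_POST);
insertOrder($db, $order);
echo renderConfirmation($order);
```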