Posted by Michael Vilain on 11/03/05 21:22
In article <TfWdnU5SqJ6ytffeRVn-tQ@onvoy.com>,
Justin Koivisto <justin@koivi.com> wrote:
> rjames.clarke@gmail.com wrote:
> > I am developing an online application and the last thing I need to get
> > a handle on is security.
> > This app is very heavy with forms. Business critical data will be
> > entered via forms and inserted in to a database (mysql).
> >
> > I've googled "php security" and from what I've read, I should:
> >
> > 1) Filter all form data by stripping all non-alpha/numeric characters
> > out,
> >
> > 2) Have the database on a different server,
> >
> > 3) Use "POST" not "GET",
> >
> > 4) Turn global variables off.
> >
> > 5) Use sessions for logins
> >
> > Should this do it? Or do I need more precautions?
> > Even with all this can I still get hacked?
>
> You should be filtering all input from external sources: user input,
> from databases, etc.
>
> You should escape all output before sending it: echo or print
> statements, sql queries, etc.
>
> You should be practicing defense in depth which means you have redundant
> safeguards in place just in case something gets through.
>
> I'd suggest reading "Essential PHP Security" by Chris Shiflett (O'Reilly
> ISBN 0-596-00656-X) as well as reading articles on his blog
> (shiflett.org) and probably read through the articles on the PHP
> Security consortium website (phpsec.org)
>
> If your application is already written, you have a large job ahead of
> you. My suggestion is to do some reading as outlined above and start the
> application from scratch. It's really the best way - and in many cases
> the least time-consuming way as well.
Great. He wrote a book. I was going to recommend Chris's web site:
http://shiflett.org/articles
There are articles on each of the items the OP mentioned and full
discussions. If this is a sample of his writing and breadth of
knowledge, I think I'll toddle down to B&N and get his book...
--
DeeDee, don't press that button! DeeDee! NO! Dee...
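The advice in the reply above (filter input, escape output for each context, keep redundant safeguards) is easier to see in one form handler than in prose. The following PHP is an added example, not code from the thread or from Shiflett's book: it assumes a MySQL table named `orders` with columns `customer`, `quantity` and `note` on a separate host `db.internal`, a password in the `DB_PASS` environment variable, the PDO MySQL driver and the mbstring extension. The field names, limits and table are illustrative.

```php
<?php
// Added example (not from the thread): a form handler that applies the
// reply's advice -- validate input, parameterise SQL, escape at output time.
// Assumed: MySQL table orders(id, customer, quantity, note), PDO, mbstring.
declare(strict_types=1);

// --- The pattern the OP's "strip non-alphanumerics" rule is trying to fix.
// Stripping characters breaks legitimate data (O'Brien, "5 x 10cm") and
// still leaves the query built from raw user text.  Do not use this.
function insertOrderUnsafe(mysqli $db, array $post): void {
    $sql = "INSERT INTO orders (customer, quantity, note) VALUES ('"
         . $post['customer'] . "', " . $post['quantity'] . ", '" . $post['note'] . "')";
    $db->query($sql); // SQL injection through any of the three fields
}

// --- Input filtering: accept only what each field is supposed to contain.
// Returns the validated values, or a list of error messages.
function validateOrder(array $post): array {
    $errors = [];
    $customer = trim($post['customer'] ?? '');
    if ($customer === '' || mb_strlen($customer) > 100) {
        $errors[] = 'customer: required, at most 100 characters';
    }
    $quantity = filter_var($post['quantity'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 10000]]);
    if ($quantity === false) {
        $errors[] = 'quantity: must be an integer between 1 and 10000';
    }
    $note = $post['note'] ?? '';
    if (mb_strlen($note) > 1000) {
        $errors[] = 'note: at most 1000 characters';
    }
    return $errors ? ['errors' => $errors]
                   : ['customer' => $customer, 'quantity' => $quantity, 'note' => $note];
}

// --- Escaping for the SQL context: a prepared statement keeps data out of
// the query text, so quotes in customer or note cannot alter the statement.
function insertOrder(PDO $db, array $order): int {
    $stmt = $db->prepare(
        'INSERT INTO orders (customer, quantity, note) VALUES (:customer, :quantity, :note)');
    $stmt->bindValue(':customer', $order['customer'], PDO::PARAM_STR);
    $stmt->bindValue(':quantity', $order['quantity'], PDO::PARAM_INT);
    $stmt->bindValue(':note', $order['note'], PDO::PARAM_STR);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

// --- Escaping for the HTML context, done when the value is printed rather
// than when it was received, so the database keeps the real value.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// --- Request handling: POST only, session-based login, plus a CSRF token.
// The token is the redundant safeguard that "POST not GET" alone does not give.
session_start();
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('POST required');
}
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('login required');
}
if (!isset($_SESSION['csrf'], $_POST['csrf'])
    || !hash_equals($_SESSION['csrf'], (string) $_POST['csrf'])) {
    http_response_code(403);
    exit('bad CSRF token');
}

$result = validateOrder($_POST);
if (isset($result['errors'])) {
    foreach ($result['errors'] as $e) {
        echo '<p>' . h($e) . '</p>';
    }
    exit;
}

// Database on a separate host, as item 2 in the OP's list suggests.
$db = new PDO('mysql:host=db.internal;dbname=app;charset=utf8mb4', 'app',
    getenv('DB_PASS') ?: null,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
$id = insertOrder($db, $result);
echo '<p>Saved order ' . h((string) $id) . ' for ' . h($result['customer']) . '</p>';
```

Two points worth noticing: validation and escaping are separate steps because they answer different questions (is this value acceptable at all, and how must it be written into this particular output), and the same customer name gets bound as a SQL parameter on the way in and passed through htmlspecialchars() on the way out, with no character stripping in between. The CSRF token is expected to have been generated into `$_SESSION['csrf']` when the form was rendered; that part of the flow is not shown here.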