Posted by Dikkie Dik on 02/25/06 15:44
Peter Fox wrote:
> . . .
> *You* need to be the one dealing with the security. *You* need to
> _understand_ the threats before you can deal with them. There are
> plenty of on-line resources on PHP/MySQL and security to deal with the
> protection /mechanisms/ ...
> ...but only you can understand the /context/ in order to build a
> security model. Only you can list the bad things that could happen in
> order to deal with them in depth.
>
Well, yes. You are right. The problem with security is, however, that
there is bound to be a hacker that understands more than you do.
So let me add one thing to the above (as you should take a really good
interest in security):
Know What You Are Doing.
I don't mean as a programmer. You, as a programmer, don't do unexpected
things, like giving passwords away or sending unwanted emails. Your
application does. So I am really saying this to your application: Know
What You Are Doing.
As a programmer, I want to know when things go wrong. Things that go
wrong are usually my fault or at least my responsibility, so I want to
know. Therefore I log errors.
For one of my last applications (which was thrown over the wall after
being set up without any documentation), I had so many things to deal
with that I enhanced my database class to just log all SQL commands,
along with the site input. Not only the bad commands. I found this a
great help, even when there were no more SQL errors. It showed all
errors in input as well. So I knew what my application had done. If your
site traffic is not too high, I can only suggest that you run a
"general" log also. You can empty it once in a while if it gets too big,
and when some security issue presents itself, you can search the logs
and see how it was done.
Of course, this can be expanded to not only database issues, but e-mail
traffic and other applications as well. This is where your notion of
context must come in.
So learn about security, from books, colleagues, web sites, AND your own
applications. If something goes wrong, just find out and learn from the
hackers themselves.
Good luck!
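The "general" log described above, written out as an added example (not code from the poster or from any project in this thread): a small PDO wrapper that records every statement, its bound parameters and the request input that triggered it, whether the query succeeded or failed. The class name, the log path, the list of sensitive field names and the SQLite table used for the demo are all assumptions; a real deployment would swap in its MySQL DSN. It needs PHP 7.4 or later with the pdo_sqlite extension for the self-contained run at the bottom.

```php
<?php
// Added example for this thread: a PDO wrapper that logs all SQL commands,
// not only the failing ones, together with the site input of the request.
// Hypothetical names throughout; the DSN, table and log path are assumptions.

declare(strict_types=1);

final class LoggingDb
{
    private PDO $pdo;
    private string $logFile;
    // Input and parameter names whose values must never land in the log,
    // otherwise the log itself becomes the leak. Assumed form field names.
    private const SENSITIVE = ['password', 'passwd', 'pass', 'token'];

    public function __construct(string $dsn, string $user, string $pass, string $logFile)
    {
        $this->pdo = new PDO($dsn, $user, $pass, [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ]);
        $this->logFile = $logFile;
    }

    /** Run a prepared statement and log it whether or not it succeeds. */
    public function run(string $sql, array $params = []): PDOStatement
    {
        $started = microtime(true);
        try {
            $stmt = $this->pdo->prepare($sql);
            $stmt->execute($params);
            $this->log('ok', $sql, $params, $started);
            return $stmt;
        } catch (PDOException $e) {
            // Log the failure with full context, then let the caller decide.
            $this->log('error: ' . $e->getMessage(), $sql, $params, $started);
            throw $e;
        }
    }

    private function log(string $status, string $sql, array $params, float $started): void
    {
        $record = [
            'ts'     => date('c'),
            'ip'     => $_SERVER['REMOTE_ADDR'] ?? 'cli',
            'uri'    => $_SERVER['REQUEST_URI'] ?? '',
            // The site input that led to this query, with secrets masked.
            'input'  => self::redact(array_merge($_GET, $_POST)),
            'sql'    => preg_replace('/\s+/', ' ', trim($sql)),
            'params' => self::redact($params),
            'ms'     => round((microtime(true) - $started) * 1000, 1),
            'status' => $status,
        ];
        // One JSON object per line: easy to grep later and to rotate by truncating.
        file_put_contents(
            $this->logFile,
            json_encode($record, JSON_UNESCAPED_SLASHES) . PHP_EOL,
            FILE_APPEND | LOCK_EX
        );
    }

    /** Mask secret-looking values and cap oversized ones before they are written. */
    private static function redact(array $data): array
    {
        foreach ($data as $key => $value) {
            // Parameter names arrive as ':password'; drop the prefix before matching.
            $name = ltrim(strtolower((string) $key), ':');
            if (in_array($name, self::SENSITIVE, true)) {
                $data[$key] = '[redacted]';
            } elseif (is_array($value)) {
                $data[$key] = self::redact($value);
            } elseif (is_string($value) && strlen($value) > 200) {
                $data[$key] = substr($value, 0, 200) . '...[' . strlen($value) . ' bytes]';
            }
        }
        return $data;
    }
}

// Stand-alone run against an in-memory SQLite database (assumed table and values).
$db = new LoggingDb('sqlite::memory:', '', '', __DIR__ . '/sql-and-input.log');
$db->run('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)');
$db->run(
    'INSERT INTO users (name, password) VALUES (:name, :password)',
    [':name' => 'alice', ':password' => 'hunter2']
);
// The :password parameter is written to the log as [redacted].
```

Because each record is a single JSON line carrying the client address, URI, input and statement, a later investigation can be narrowed with plain text tools (for example `grep` on an IP, a URI or a table name) without replaying anything, and the file can be emptied or rotated whenever it grows too large, as the post suggests.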