views: 61
answers: 2

Hey, I'm working on my first PHP site, and was hoping to get some thoughts from you guys.

1- I'm using a txt file database, because it's a simple set of scripts. I know that's not recommended, but I wanted to work with it some before getting into MySQL. Thoughts on this in general? Pros, cons? Vulnerable?

2- Related to the previous question... security. So far I have some basic form input cleaner functions like trim, strip_tags, preg_replace, htmlentities. Sound adequate? Overkill? Thoughts? Are there any ways to safely test the security of a script before sending it out into the webs?

I'm learning here, so any info is greatly appreciated. Thanks!

PS- there is no registration for users. Just some submission forms and a display of those submitted entries.

+2  A: 

(1) A text file database is very difficult to get working right. You will have multiple requests stomping over each other trying to edit your file concurrently. You'd be better off just getting into SQL right away.

(2) Make sure to use parameterized queries to prevent SQL injection, and to properly encode strings before injecting them into HTML, URLs, or other similar places. As for testing, disable or bypass any and all client checks, and try to insert long strings with weird characters as inputs into your forms.

Igor ostrovsky
I'd agree with going straight to SQL. I think it would be easier to learn SQL than to use a text file database. Here's a great resource I used to learn the basics: http://devzone.zend.com/node/view/id/641
justinl
Thanks for the info everybody. Hey Igor, care to expand (just a bit - so I can research them further) on these things?: "properly encode strings before injecting them into HTML, URLs, or other similar places" and "disable or bypass any and all client checks". Thanks again!
realcheesypizza
You need to be careful any time you do something with a block of text that came from a user. E.g., if you are going to display a user comment on your page, you don't want to allow the user to insert arbitrary HTML into the comment and do stuff to your page. You need to pass user strings through a function like htmlspecialchars to ensure that any dangerous characters are encoded, and thus stripped of their special meaning. And, you need to make sure to have proper checks on the server side (i.e. in PHP), even if you have some nicer error messages on the client (JavaScript and HTML).
Igor ostrovsky
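As an added illustration of the three points in this answer and its comments (server-side checks, parameterized queries, encoding before output), here is example code written for this page, not anything the posters wrote. It assumes PDO with SQLite, a table named entries, a writable data directory one level above the web root, and two form fields named name and message.

```php
<?php
// Added example for this thread (not any poster's code): validate on the server,
// store with a parameterized query, encode on output. Assumes PDO+SQLite and a
// table named entries; the data file sits outside the web root on purpose.
declare(strict_types=1);
// Server-side checks: client-side JavaScript/HTML validation can be bypassed.
function validateEntry(array $post): array {
    $name    = trim((string)($post['name'] ?? ''));
    $message = trim((string)($post['message'] ?? ''));
    $errors  = [];
    if ($name === '' || mb_strlen($name) > 50) {
        $errors[] = 'name must be 1-50 characters';
    }
    if ($message === '' || mb_strlen($message) > 2000) {
        $errors[] = 'message must be 1-2000 characters';
    }
    return ['errors' => $errors, 'name' => $name, 'message' => $message];
}

// Parameterized insert: user text is bound as data, never concatenated into SQL.
function storeEntry(PDO $db, string $name, string $message): void {
    $stmt = $db->prepare('INSERT INTO entries (name, message) VALUES (:name, :message)');
    $stmt->execute([':name' => $name, ':message' => $message]);
}

// Encode at output time so stored text is shown literally, not parsed as markup.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderEntries(PDO $db): string {
    $html = '';
    foreach ($db->query('SELECT name, message FROM entries ORDER BY id') as $row) {
        $html .= '<li><b>' . h($row['name']) . '</b>: ' . h($row['message']) . "</li>\n";
    }
    return $html;
}

$db = new PDO('sqlite:' . dirname(__DIR__) . '/data/entries.sqlite');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE IF NOT EXISTS entries (id INTEGER PRIMARY KEY, name TEXT NOT NULL, message TEXT NOT NULL)');
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $v = validateEntry($_POST);
    if ($v['errors'] === []) {
        storeEntry($db, $v['name'], $v['message']);
    } else {
        echo '<p>' . h(implode('; ', $v['errors'])) . '</p>';
    }
}
echo "<ul>\n" . renderEntries($db) . "</ul>\n";
```

Submitting the form with the browser's own checks disabled, or with a long string of quotes and angle brackets in either field, exercises the same paths: the length checks reject it on the server, and anything accepted is stored as data and rendered as text.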
A: 

I highly recommend the SAMS Teach Yourself PHP, MySQL and Apache book - it's a great intro to all the relevant skills and comes with all the software on a disc (except Resource Hacker, necessary to make MySQL work...). Surely if you use a text file it's there in your root folder and can be found by an industrious hacker?