If anyone can suggest secuirty techniques for php coding? how to make your php code more secure ?
Thanks
+2
A:
Never trusting the user, and each project having clearly defined data flows where input from the user is sanitized as soon as possible (preferably before any chance of output)
Always using some form of PDO. (In other words never ever using raw SQL). Mistakes have a habit of creeping in when trying to quickly fix bugs.
Never using variables in includes. It may seem like an easy solution, but it is usually a messy one that allows the user to request files they shouldn't.
Salt all passwords with a unique salt and then hash them, md5() is not an ideal function for this as it has weaknesses.
Yacoby
2009-11-27 16:51:28
A:
Follow these key points:
- All data coming from a client can be modified and input should be sanitized/checked before you do anything with it (insert into database, etc)
- Any security related algorithms should be implemented server side, this ensures that the algorithm is executed the way you want it to every time (as apposed to modifiable JavaScript)
- Password hashing or any other form of encryption or hashing should be done within your script and not through other client/server requests (IE: create password hashes before sending them to mysql DONT do 'INSERT INTO users VALUES('1','jblow',md5('password'))', as this query is viewable in logs and by administrators of the SQL server
- Last but not least, DONT BE LAZY if it takes a bit longer to sanitize input, do it, all it takes is one exploit and your application no matter how amazing it is will loose a lot of its user base.
Zyris Development Team
2009-11-27 17:08:53