tags:

views:

94

answers:

2
Q: 

Basic principles for securing a web-app?

Possible Duplicate:
PHP Session Security

I've just finished coding the basics of a web-app (the main code) and I've integrated a basic user system. This is my first web-app so I'm wondering what are the things that I should use to secure it? I already know about thing like mysql_real_escape_string() and strip_tags() but what else? How would I securely store usernames and passwords through cookies and sessions? Any tips, tutorials, etc. are greatly appreciated!

+2  A: 

OWASP has some very helpful guides to the most common vulnerabilities and good recommendations as to how to mitigate them. You should familiarize yourself with the attacks and vulnerabilities they cover.

Reading through these might take time, but there's not too much and it's not particularly dense reading. Maybe you should focus on their top 10 security risks first.

Mike Atlas  2010-08-09 01:00:21
One thing I'm confused about is that I've read in many places (including the link ggg provided) not to store username and passwords in cookies. How then, do you store them so that the user does not have to log in every time. Or should I just not store them as plain text in cookies (md5 encode them?)
WillyG  2010-08-09 01:37:04
Use a session ID instead. The session ID is in the cookie, and on your server, you associate the username and other session variables with the ID. Be aware that there are security risks with session IDs as well, so be sure to read up on that too (e.g., session fixation).
Mike Atlas  2010-08-09 01:39:53
But wouldn't the connection between session and the data be lost once the user closes their browser?
WillyG  2010-08-09 02:10:45
Not if the session ID is kept in a cookie :)
Mike Atlas  2010-08-09 13:51:13
+1  A: 

CWE/SANS Top 25 Most Dangerous Software Errors helped me a lot.

real_escape_string only combats MySql injection. Also when a user must input a number, for example, reading newsid=n from a URL like index.php?newsid=3, make sure $_GET['newsid'] is an integer by adding (int) before $_GET['newsid'].

some really basic things ;) hope the link helps.

Swift-R  2010-08-09 01:05:27

related questions

Remove Quotes and Commas from a String in MySQL
What's the best way of converting a mysql database to a sqlite one?
How do you manage databases in development, test, and production?
Multiple foreign keys?
Add 1 to a field (MySQL)
Issues using MS Access as a front-end to a MySQL database back-end?
Bigger than a char but smaller than a blob
How do I retrieve my MySQL username and password?
Long-time LAMP Developer moving to VB.NET
How do I Concatenate entire result sets in MySQL?
Full complete MySQL database replication? Ideas? What do people do?
SQL: Distribution of table in time
SQLite vs MySQL
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
Multiple Updates in MySQL
MySQL/Apache Error in PHP MySQL query
What all do I need to escape when sending a (My)SQL query?
Auto Generate Database Diagram MySQL
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
Python and MySQL
SQL Server 2005 implementation of MySQL REPLACE INTO?
How to export data from SQL Server 2005 to MySQL
Throw Error In MySQL Trigger
Binary Data in MySQL