views:

94

answers:

2

Possible Duplicate:
PHP Session Security

I've just finished coding the basics of a web-app (the main code) and I've integrated a basic user system. This is my first web-app so I'm wondering what are the things that I should use to secure it? I already know about thing like mysql_real_escape_string() and strip_tags() but what else? How would I securely store usernames and passwords through cookies and sessions? Any tips, tutorials, etc. are greatly appreciated!

+2  A: 

OWASP has some very helpful guides to the most common vulnerabilities and good recommendations as to how to mitigate them. You should familiarize yourself with the attacks and vulnerabilities they cover.

Reading through these might take time, but there's not too much and it's not particularly dense reading. Maybe you should focus on their top 10 security risks first.

Mike Atlas
One thing I'm confused about is that I've read in many places (including the link ggg provided) not to store username and passwords in cookies. How then, do you store them so that the user does not have to log in every time. Or should I just not store them as plain text in cookies (md5 encode them?)
WillyG
Use a session ID instead. The session ID is in the cookie, and on your server, you associate the username and other session variables with the ID. Be aware that there are security risks with session IDs as well, so be sure to read up on that too (e.g., session fixation).
Mike Atlas
But wouldn't the connection between session and the data be lost once the user closes their browser?
WillyG
Not if the session ID is kept in a cookie :)
Mike Atlas
+1  A: 

CWE/SANS Top 25 Most Dangerous Software Errors helped me a lot.

real_escape_string only combats MySql injection. Also when a user must input a number, for example, reading newsid=n from a URL like index.php?newsid=3, make sure $_GET['newsid'] is an integer by adding (int) before $_GET['newsid'].

some really basic things ;) hope the link helps.

Swift-R