views:

53

answers:

2

Hi all,

MY PLATFORM: PHP & mySQL

MY SITUATION:

I am building an app where users can sign up for an account for the services that I provide. I want to restrict a user from signing up for multiple accounts, and users from all over the world can create an account of their own. That being said:

  1. What can I do to prevent multiple accounts and ensure that I can track a user in case they resort to some mischief concerning the security of my website?

  2. What details do I need to log about the user for administration purposes? IP? Browser info? What else? (Bonus: If you can list out why, that would be helpful too)

  3. How many past logins of the user should be recorded and maintained? How would so many (your recommended number of past logins) help?

  4. Please list out what you think should not be missed at any cost and others that can be helpful.

Thank you in advance.

+4  A: 

Well, first off:

IP addresses are not unique ways of identifying a user, as multiple computers can be located on a single IP address, as seen in work environments, schools, and other institutional access points.

Furthermore

There is no absolute way to be sure about someone's identity. You can simply go off what the person tells you. You can limit accounts to 1 account per email address, but there are easy ways to work around that. Same with just about any other method you try.

So, we can conclude that:

There really isn't a way to ensure that a user only makes 1 account. You really shouldn't bother attempting to implement a system that does, as there will always be ways to work around the blocker you have installed.

The only real thing you can do is ensure 1 account per email address, and that is a stretch, as Gmail allows me to use all of these email addresses:

[email protected]
[email protected]
// I can put anything after the '+' sign. Gmail ignores it.

[email protected]
[email protected]
// Gmail doesn't care about dots in email addresses, they all go to me.

As you can see, I can make a LOT of email addresses that are all unique, but they all go directly to my email inbox.

And that isn't counting my personal email @chacha102.com. With a catch-all email, I can put anything in front of @chacha102.com and it will go directly to me. I could even make a script to create a random hash and append @chacha102.com to it. I would have an almost infinite number of email addresses.

So, my advice? Worry about something else.


To answer the rest of your questions:

You should probably keep an administrative log of important events. For example, StackOverflow has a log of all the rep I earn, when I got a badge, and most likely when I logged in. Find the 'checkpoints' in your site and log them.

You should probably keep these logs for 30 days or longer if required by law, or forever if required by your system. (StackOverflow probably has ALL my reputation ups and downs as it ensures that a rep recalc can go from the beginning on).


You should probably check out this StackOverflow question:
http://stackoverflow.com/questions/72394/what-should-a-developer-know-before-building-a-public-web-site

Chacha102
Not to mention that `[email protected]` will also, I'm fairly certain, end up at the same place.
David Thomas
@Chacha102 Thank you for the solution and the references.
Devner
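To make the answer's point about Gmail aliases concrete, here is an added example (not code from the original answer, and not tied to the asker's project) that canonicalises an address before it is stored, so the Gmail variants listed above collapse to one key. The function name `canonicalEmail`, the treatment of `googlemail.com` as Gmail, and the sample inputs are assumptions; as the answer says, this does nothing against a catch-all domain.

```php
<?php
// Added example: reduce a Gmail address to its canonical form so that
// '+tag' and dot variants of the same mailbox are stored under one key.
// Store the result in a UNIQUE column to reject obvious re-registrations.
declare(strict_types=1);

function canonicalEmail(string $email): ?string
{
    $email = strtolower(trim($email));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;                       // malformed input is rejected outright
    }
    [$local, $domain] = explode('@', $email, 2);

    // Gmail rules from the answer: ignore everything after '+' and all dots.
    // Assumption: googlemail.com is the same provider and is folded into gmail.com.
    if ($domain === 'gmail.com' || $domain === 'googlemail.com') {
        $plus = strpos($local, '+');
        if ($plus !== false) {
            $local = substr($local, 0, $plus);
        }
        $local  = str_replace('.', '', $local);
        $domain = 'gmail.com';
    }
    // Other domains are left as typed: dots and '+' may be significant there,
    // and a catch-all domain (as in the answer) cannot be normalised at all.

    return $local === '' ? null : $local . '@' . $domain;
}

// Constructed sample inputs: the first four all map to 'janedoe@gmail.com'.
$samples = [
    'Jane.Doe+promo@gmail.com',
    'janedoe@gmail.com',
    'J.A.N.E.D.O.E@googlemail.com',
    'janedoe+2@gmail.com',
    'jane.doe@example.org',     // different provider: kept as typed
    'not-an-email',             // rejected
];
foreach ($samples as $s) {
    printf("%-32s => %s\n", $s, canonicalEmail($s) ?? 'INVALID');
}
```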
+1  A: 

First and foremost, there is no way your website can be 100% safe.

(evil piano music)

As long as you know that, we can move on.

What can I do to prevent multiple accounts and ensure that I can track a user in case they resort to some mischief concerning the security of my website?

There really is no definitive way to prevent multiple accounts; users can get around that. It would be difficult to track if a user is performing acts of mischief; you are better off focusing on validating and escaping users' input to avoid any harmful activities.

What details do I need to log about the user for administration purposes? IP? Browser info? What else? (Bonus: If you can list out why, that would be helpful too)

I cannot tell what you would get out of logging the user's IP address, but in a website like StackOverflow, it is used to inform the user who has been on their account, which is something useful to display to the user. Browser information is not necessarily needed for administrative purposes.

Please list out what you think should not be missed at any cost and others that can be helpful

I am no security guru, but all I can emphasize is to focus on escaping and validating input, especially when working with databases; you do not want your website to have any injections. Look into using parameterized queries.

Good luck.

Anthony Forloney
I don't think he was talking about failed attempts. Simply just the past times they have logged in.
Chacha102
Oh, OK, will edit that, good eye. I took out that section because I do not know of a reason to log past logins and did not want to come across all high-and-mighty.
Anthony Forloney
Yeah, same here. There really isn't a reason. For logging, there should just be a regular access text file log that keeps track of events. That's about it.
Chacha102
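The parameterized-query advice in the answer above, written out for the asker's PHP + MySQL stack as an added example (not code from the original answer). It assumes PDO, a table `users(id, email UNIQUE, created_at)`, and placeholder connection details; the unsafe function is included only to show what the prepared statement replaces.

```php
<?php
// Added example: string-built SQL beside its parameterised replacement, plus
// a registration insert that lets the UNIQUE index enforce one account per address.
declare(strict_types=1);

function connect(): PDO
{
    // Placeholder DSN and credentials; load real values from configuration.
    return new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'app_pass', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // failures become exceptions
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
    ]);
}

// VULNERABLE: the value is spliced into the SQL text, so a quote character in
// $email terminates the string literal and the remainder is parsed as SQL.
function findUserUnsafe(PDO $pdo, string $email): ?array
{
    $row = $pdo->query("SELECT id, email FROM users WHERE email = '$email'")->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// SAFE: the value is sent separately from the SQL text, so it is only ever
// treated as data, whatever quotes or keywords it contains.
function findUser(PDO $pdo, string $email): ?array
{
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Registration: the UNIQUE index on email is the actual duplicate-account guard;
// the prepared statement keeps the insert injection-free. Returns false on a duplicate.
function registerUser(PDO $pdo, string $email): bool
{
    $stmt = $pdo->prepare('INSERT INTO users (email, created_at) VALUES (:email, NOW())');
    try {
        $stmt->execute([':email' => $email]);
        return true;
    } catch (PDOException $e) {
        if ($e->getCode() === '23000') {   // SQLSTATE 23000: integrity constraint violation
            return false;
        }
        throw $e;                          // anything else is a real error
    }
}
```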