Have some questions about web development (PHP and MySQL).

Question

I've done a bit of web programming (using PHP and MySQL), but nothing too large in scale. I've been thinking about how someone would create a social networking type of site and I've ran into some problems.

• How would you safely and securely store passwords in MySQL? What kinds of encryption would you use?
• If users were allowed to upload pictures, would it be better to store them in the database or have them uploaded directly to the server?
• What open source web applications (such as WordPress) would you recommend I read and study (preferably something simple but well written)?

Anything taught in class or written in books just don't seem to translate well into real production code. They just seem like very basic examples.

Thanks!

Answer 1

Regarding password storage: use one-way salted hashing for security. Here's an article on why.

Answer 2

For password storage, I suggest using MD5 with a salt. MD5 is impossible to decrypt, but its possible to crack using rainbow tables. For example: Here is a MD5 lookup site I've coded

I would personally upload them directly to the server, however, you need to make sure only valid image files can be uploaded. Don't want someone uploading a rootshell.

Answer 3

1. Store a salted hash. I would personally move away from md5 and using something like sha instead. sha1 + salt will hold out for a while =]

2. If you store the images as blobs in the db, you'll probably have an easier time in the future backing them up (along w/the db, fetching them, etc). But really, they'll be damn fast on the file system too, but I'd prefer them in the database as I have lots of code that interfaces w/the db and I'm comfortable working in that area. That's up to you.

3. I'm not sure that wordpress will help you to build a social networking site...but its still good to read other's code. I'd take a look at some books on amazon on architecture just to get your mind thinking large scale. Also, take a look at some design pattern books.

I'd also look into something like the Zend Framework or CakePHP. Cake will probably get you up and running rather fast, but I prefer Zend, as its very powerful and doesn't force you to code a certain style. CakePHP is kinda of like rails for PHP.

You'll also want to get decent at security, both server and client side, watching for stuff like session hijacking, sql injection, xss, brute force attempts, remote includes, uploaded file exploits, etc.

Social sites offer many attack vectors to crackers.

Resources:

• http://www.amazon.com/Pro-PHP-Security-Chris-Snyder/dp/1590595084/ref=sr_1_1?

• http://www.amazon.com/PHP-Objects-Patterns-Practice-Second/dp/1590599098/ref=sr_1_3?ie=UTF8&s=books&qid=1265662237&sr=1-3ie=UTF8&s=books&qid=1265662204&sr=8-1

• http://www.amazon.com/Building-Scalable-Web-Sites-Applications/dp/0596102356/ref=sr_1_1?ie=UTF8&s=books&qid=1265662256&sr=1-1

• And your local PHP mailing list / meetup.

Answer 4

For the image storing, I always used to store them on the hard disk, but using a very hard image validation script to make sure the images don't contain malicious code. I'm also used to apply URL rewriting so users can't find the real path to the images.

Don't you have a strange feeling storing images into databases ? The mysql database can grow very fast, and you will always need a PHP script to show up the images, which means it makes your server slower.

---

As for the password storage, use salting as the others replied.

---

Last, for the documentation, I really love to see how Wordpress is structured. I have spent hours watching it's source code and reading it's documentations. It's just a terribly good example of how to organize any website.

Answer 5

1. Apply a hash function to the password (such as sha1 or md5). Then add extra "salt" to it by taking like the first 5 characters of md5("social") or something. It's up to you, but this is intended so that if a hacker gains access to your database, he/she won't be able to run your hashed passwords through a rainbow table and get the actual password.

2. I am running a website that allows users to upload pictures. The pictures are organized in bins (that is, 1,000 pictures per bin) just to keep it organized (and you can only have so many files per folder before you run into problems). The location of the pictures is stored in the database as well as other info (like picture id, file extension, bin location, etc). Another table in the database links the picture ids to a user. Also, the picture's filename once its uploaded is something like

   {bin}/{userId}_{pictureId}_{token}_{variant}.{fileExt}

3. Not sure about web applications, but you should definitely make use of some built-in PHP classes such as the PDO database abstraction layer.

Answer 6

Question 3: I would suggest studying one of the modern Rails-style frameworks (my favorite is Symfony) rather than an app like Wordpress or Gallery. They are both excellent, but they've evolved from simple hacks and aren't necessarily the way I would start anything if I was starting from scratch.

Also, for question 2, I hate binary blobs in databases. Filesystems work great for that.

And question 1: one-way hash, as others have said. Mysql's password() function is probably fine.

Answer 7

All these questions have been answered before.

How would you safely and securely store passwords in MySQL? What kinds of encryption would you use?

See http://stackoverflow.com/search?q=password+hash+database+php

If users were allowed to upload pictures, would it be better to store them in the database or have them uploaded directly to the server?

See http://stackoverflow.com/search?q=store+images+database+php

What open source web applications (such as WordPress) would you recommend I read and study (preferably something simple but well written)?

See http://stackoverflow.com/search?q=social+network+php

You should also take into account that running and managing a social network site is more than just coding it. Are you sure you want to build one from scratch? Consider if you would be equally happy with something like Ning, where everyone can start their own community with no programming whatsoever?