I am sure Walter will have his input on this, but working with php and
MySQL is very simple and quick; scripts to do things can be written
with very few lines of code and very quickly… but scripts written
like this will be very much recipes for security and reliability
disasters. I have always said that writing the scripts is easy and
quick, but error checking and dealing with value checking and security
take 10 times longer than writing the basic script. I worked on some
sites that had already had some php and database work done and was
horrified to see what was done, or rather not done, in the scripts.
My input on this would be to check all the variable values before
entering them into a database ‘or doing anything with them’. If a value
should be a number 8 digits long, then make sure it is a number and is
no longer than 8 digits; if a value is not supposed to have a space,
then make sure it doesn’t have one. Check that everything is within the
boundaries it is expected to be in, and that nothing more or less than
what is supposed to be passed is. On log-in scripts you might also
allow 3 incorrect attempts within 3 minutes and then block the user
out for a period of time, etc.
You can write functions to do a lot of the variable checking for you;
these functions can then be reused on all your sites, which will save
you time on this and on future projects.
Use Google to pull up some sites on PHP security and see what input
they have to offer.
HTH
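As an added illustration of the advice above (not code from anyone on this list), here is a set of reusable checkers for the customer email/address example, followed by an insert that only runs after every field has passed and that binds the values as parameters rather than pasting them into the SQL. The table name `customers`, its columns, and the field names are assumptions.

```php
<?php
// Added example, not from the original thread. Reusable validators, then a
// parameterised insert so checked values never reach the query as raw SQL text.
// Assumed: a table customers(account_no, email, name) reachable through PDO.

// Accept exactly 8 ASCII digits: no sign, spaces, letters or decimal point.
function check_account_no(string $v): bool {
    return preg_match('/^[0-9]{8}$/', $v) === 1;
}

// Accept a syntactically valid e-mail with no whitespace and a length cap.
function check_email(string $v): bool {
    return strlen($v) <= 254
        && preg_match('/\s/', $v) !== 1
        && filter_var($v, FILTER_VALIDATE_EMAIL) !== false;
}

// Accept a display name within a length boundary and free of control characters.
function check_name(string $v): bool {
    $len = strlen($v);
    return $len >= 1 && $len <= 80 && preg_match('/[\x00-\x1F\x7F]/', $v) !== 1;
}

// Check every field first; return the names of rejected fields (empty = all OK).
function validate_customer(array $in): array {
    $bad = [];
    if (!check_account_no($in['account_no'] ?? '')) { $bad[] = 'account_no'; }
    if (!check_email($in['email'] ?? ''))           { $bad[] = 'email'; }
    if (!check_name($in['name'] ?? ''))             { $bad[] = 'name'; }
    return $bad;
}

// Insert only after validation, and only through bound parameters.
// (Set PDO::ATTR_EMULATE_PREPARES to false on the connection so MySQL itself
// receives the statement and the values separately.)
function insert_customer(PDO $db, array $in): void {
    $bad = validate_customer($in);
    if ($bad !== []) {
        throw new InvalidArgumentException('Rejected fields: ' . implode(', ', $bad));
    }
    $stmt = $db->prepare(
        'INSERT INTO customers (account_no, email, name) VALUES (:acct, :email, :name)'
    );
    $stmt->execute([':acct' => $in['account_no'], ':email' => $in['email'], ':name' => $in['name']]);
}

// Constructed sample input, as a web form might submit it. The second set has a
// quote character in the number and a space in the address, so both fields are rejected.
var_dump(validate_customer(['account_no' => '12345678', 'email' => 'ann@example.com', 'name' => 'Ann']));
var_dump(validate_customer(['account_no' => "1234567'", 'email' => 'a b@example.com', 'name' => 'Ann']));
```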
On Dec 29, 2008, at 2:54 PM, WebWorker wrote:
Thanks Walter.
After doing the basics of creating / editing / sorting / adding /
deleting entries etc from a database using php and Freeway. Working
locally with MAMP, it has got me thinking more about MySQL security
before releasing any of my ideas online. For example a customer
email/address list, on a site. I know php is fairly easy to pick up
for beginners. But should beginners really be doing this? With no
formal database training.
You do have a responsibility for protecting the client data. So for
this example, for a start I therefore send/receive the data over a
SSL connection (https://). But what about other security issues.
With things like SQL injection, are beginners leaving themselves
open to all sorts of security issues? (It's often said you have to
assume all users are potential hackers.)
I suppose the real danger is when you are posting data into the
database, rather than just reading from it.
Do you know of any php/sql security checklist or sites you can use as
a security resource for guidance about this?
dynamo mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options