
Thread: PHP security

  1. #1
    New to the CF scene (joined Jul 2012)

    PHP security

    Alright, it's been a long while since I've been hard at work coding, and so I'm a bit out of the loop (granted, I remember a lot more than I've forgotten), but I was wondering what are some good tips for security? I'm currently working on the user login system for my site, which will eventually consist of email verification and a 'citizen code' (which is part of the storyline for my project), but that's more stuff to weed out the spammers...

    What can one do to prevent hackers and blackhats and all that? What are some things to avoid when coding? And my biggest question right now is what is better? PDO or mysqli?

    (And if anybody is interested in seeing what I've gotten coded so far, I'll post the actual script later [I'm two seconds away from hitting the hay], but in the meantime the site is active and I have posted it around to see if anybody can break my security so far: { http://gmz1023.com || Citizen Code = nospoon }. The citcode is limited for now; will fix this in the a.m.)

  • #2
    whizard (Senior Coder, joined Jan 2005, Philadelphia, PA, USA)

    Both mysqli and PDO use prepared statements, which are crucial in preventing SQL injection. However, PDO is a much more powerful tool, IMO. mysqli is kind of a bandaid to help mysql_ users avoid injection. PDO is a modern class-based solution which is more flexible.

    HTH
    Dan
    PHP Tip: If you want to use short tags (<? or <?=$var) then make sure short_open_tag is set to "1". It really helps.

    Don't forget to save everyone time and mark your thread as Resolved :)

    "Also note that it is your responsibility to die() if necessary."

    DON'T USE THE MYSQL_ EXTENSION

  • #3
    felgall (Master Coder, joined Sep 2005, Sydney, Australia)

    If you:

    1. Validate all fields passed to the script in $_POST, $_GET etc. fields before copying them into local variables.
    2. Keep data and code separate wherever possible, e.g. using prepare/bind for database access.
    3. Where keeping code and data separate is not possible and the data is allowed to contain characters that could be confused for code, then escape the data.

    All of these steps are needed to produce easy to maintain code - that they also eliminate most security holes is a side benefit as they are things that should be done even if security were not going to be an issue at all.

    Having properly written code by doing the above will protect against most of the more common attacks - the ones that only work when the person who wrote the code has never learnt how to code properly and produces security holes instead of code.


    The difference between mysqli_ and PDO is that PDO supports multiple databases and not just MySQL, so if you may want to change from MySQL to a different database in the future then go with PDO. If you plan on sticking with MySQL then there is no difference between the two and it comes down to personal preference.
    Stephen
    Learn Modern JavaScript - http://javascriptexample.net/
    Helping others to solve their computer problem at http://www.felgall.com/

    Don't forget to start your JavaScript code with "use strict"; which makes it easier to find errors in your code.

  • Users who have thanked felgall for this post:

    low tech (07-14-2013)
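
The three steps listed in post #3 (validate, prepare/bind, escape), put together as an added example that is not code from any poster in this thread. It assumes PDO with an in-memory SQLite database standing in for MySQL so it runs offline; the `users` table, its columns and the function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Assumption: in-memory SQLite stands in for MySQL so the example runs offline;
// only the DSN changes for MySQL. Table and column names are hypothetical.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, display_name TEXT)');
$pdo->exec("INSERT INTO users (email, display_name) VALUES ('alice@example.com', 'Alice <admin>')");

// Step 1: validate the raw request value before using it anywhere.
function validatedEmail(array $request): ?string
{
    $raw = $request['email'] ?? null;
    if (!is_string($raw) || strlen($raw) > 254) {
        return null;
    }
    $email = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Step 2: keep code and data separate; the value is bound, never concatenated.
function findUser(PDO $pdo, string $email): ?array
{
    $stmt = $pdo->prepare('SELECT id, email, display_name FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Step 3: HTML output mixes code and data, so escape the data for that context.
function renderGreeting(array $user): string
{
    return '<p>Welcome, ' . htmlspecialchars($user['display_name'], ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed sample requests: one valid address and one malformed value.
$samples = [
    ['email' => 'alice@example.com'],
    ['email' => 'not-an-email'],
];
foreach ($samples as $request) {
    $email = validatedEmail($request);
    $user = $email === null ? null : findUser($pdo, $email);
    echo $user === null ? "rejected or not found\n" : renderGreeting($user) . "\n";
}
// A quote-bearing value passed straight to the bound query is compared as data.
var_dump(findUser($pdo, "x' OR '1'='1"));
```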

