I'm starting to work on my biggest project yet and if it's succesful it's going to be used by thousands of users. Unfortunately my experience in PHP has been limited to smaller projects only used in limited and closed groups of people or private usage so security never was my biggest concern. I want to create the most secure system possible but I can't find any good reference.
What should I know about securing a login system or storing sensitive data input by users? Is there any book you can recommend or a comprehensive guide? Or should I buy/use a premade system? I realize perfecting it is going to take a lot of time and I'm willing to invest it for it to be as secure as possible. I've already read up a lot about security and what to look for but I want to be sure I didn't miss anything. Also I couldn't find any confirmed secure code example apart from this. Is this all I need to know?
Is there any book you can recommended or a comprehensive guide?
Owasp.org Is a good starting point.
Or should I buy/use some premade system?
Using a pre-made system like WordPress or a framework is a good starting point to achieve a good security (because you use the code that a "more expert coder" write for you).
Is all that I need to know?
Nope. There are a lot of things that come with experience. Also there are a lot of things that are normally out of scope for a coder.
Related
Hey guys I'm developing a website and first project with a group of friends and would like to know if we have covered all the basis, please let me know if I have missed anything out.
Website itself, this will be made up of HTML, JavaScript and PHP(communicate with database)
Database, straightforward mysql.
I would like to know if there is anything we should worry about, e.g. any security concerns, I have completed websites and databases previously but never joined them.
There will be no purchases through the website and its mainly for information and communication between employees.
Thanks for your help
As a novice there is probably some security holes in your php code. Make sure to understand what is an SQL injection and XSS and check if your code is safe before you release it.
You could look at using a framework (there are several out there for PHP, like Zend or Cake). The advantage of this is that the framework takes care of some things for you (authentication, for example) and provides a bit of hand holding.
If this is your first large database-backed website, your code is likely to be a mess... a good MVC framework can force you to do things properly (making maintenance easier).
If you are not using a framework (well, heck, even if you are), please read and understand everything in the PHP Manual page on SQL Injections.
I wouldn't be surprised if this question were closed as too broad or not a real question, but couldn't pass up the opportunity to say "understand SQL injections and avoid them."
I am currently building a blog type website for myself. I have used wordpress in the past and really enjoy it, but when it comes to building more than just a blog I usually get bogged down in writing hacks for it.
The site I'm building is going to pretty much be a blog, but with a 'question and answer' side to it (NOT A FORUM - purely Q&A). Therefore, bbPress and buddyPress doesn't quite hit the mark. I have used CI for awhile now, but when it comes to security I fall short. CI does not have an auth library, however, Kohana does.
My question is: I would like to have full control over my site, but I'm worried about my lack of knowledge in the security department. Would I be better off using Wordpress as a base, or would it be beneficial for me in the long run to use something like Kohana?
Your advice is greatly appreciated.
First of all, I would like to say that you can't compare Wordpress and Kohana. One is a content management system and the other is a programming framework.
As for your question: Since you've stated you're not that experienced with security I suggest you stick with Wordpress; It's maintained by developers who know what they're doing.
If you want to go ahead and create something yourself then make sure you keep up-to date with all the current security issues and how to resolve them. Here are a few resources you might be interested in: PHPSEC, OWASP and PHP Security. You should probably read those anyway (as you're writing Wordpress plugins).
Good luck with your choice either way.
Hmm, if you can write the "hacks" for wordpress, than modify it to your needs.
If you think you can write the security better, than use Zend Framework since it has a Auth lib.
http://framework.zend.com/
I dont realy know about kohana
Hmmm... for the Questions and Answers, have a look at Qhub. I'm aboutto implement it for a client of mine who's an adoption counselor. She gets tons of questions via emails and it's always the same ones over and over. I saw it on Design Reviver a while back and I thought it was a great idea. Plus I got in contact with one of the co-founders of Qhub and they told me that they are implementing some more privacy and privileges controls which is really good news since I only want my client to be able to answer the questions.
I would use WP with Qhub to be honest. If it's a blog-type site and you're already comfortable with WP, why not stick with it?
Hope this helps!
Check out the TDO Mini Forms plugin. I think it may serve your needs perfectly!
Apologies if this is not the right place to ask but here goes...
What should I use to create a simple web application for our website?
I'm the IT guy for a small non-profit. On our website we have a page with a large form in which users can fill out information on an application form. The information gets sent to a MySQL db. This data can then be accessed and edited by a couple of members of staff behind a logged-in part of the website. There's only two dbs being used: the main one with all the data and the one used for login details for the web app. It's all done with PHP and functionally is fairly simple - just a form with lots of fields to collect data and a basic secure "manager" page to do a bit of stuff with that data.
The problem is that we need to make changes to the app, and to extend its functionality quite a lot. I have a little bit of experience playing around with PHP but I've taken one look at the code used and decided it'll take too long to decipher it and see what's happening where. The code is uncommented and a bit of a mess.
I'm starting to think that rather than investing time to relearn what little I knew about PHP and untangle all the code, I might invest the time in learning another language and/or framework to get this done. I want the resulting web app to be a lot easier to maintain in future by me or anyone else who comes along and has to make a change.
Would you recommend using Django/Python for a project like this? Zend/PHP? Just PHP and notepad? I want the app to be done fairly quickly so the less steep the learning curve the better. Many thanks for you time.
Another good PHP framework is CodeIgniter.
They also have a good webcast that outlines how to begin with the framework as well as create a simple blog [tutorial].
I would recommend a PHP framework, such as CakePHP. Spend 20 minutes of your time and follow their blog tutorial.
Using PHP alone can be tricky, especially when you will have to deal with security issues.
From what I can see you have asked 2 questions.
1. Should you maintain and extend the current code base or do a rewrite?
Rewrites always take longer than you think. And even if you do the rewrite to avoid learning the codebase you would still need to learn the current codebase to ensure you capture the current functionality before adding any new features in the rewritten codebase.
I would keep the current codebase and maybe do some refactoring as you add features.
What should language and frameworks should you use?
I would stick with PHP, CakePHP is a solid framework and so is Zend. I would read up on both and do a couple of tutorials and make your decision.
As Anax states, I'd suggest that you look to use PHP. If code is already implemented then you have a start.
PHP isn't hard to re/learn. I know some don't like it, others like it but simple fact, either way it isn't hard to learn. But, more importantly consider the following:
You obviously have access to the hardware stack required to use PHP and MySQL. Introducing a new language/technology may cause unforeseen issues with getting a production site set up.
Now this doesn't mean that you can't write certain components in other languages. You could, if you were so inclined. But you probably shouldn't be so fast to get rid of PHP just to learn another language. Do you have important (technical) compelling reasons to use something other than PHP?
If you are mostly concerned about the spaghetti code in place, you can get that anywhere -- even new development. Better to re-factor the code and fix and add to what you have than start from scratch.
I can offer some general considerations:
Whatever language you choose, get a good IDE for it. Having automatic syntax validation and code completion helps a lot if you're a beginner. Don't use plain text editors.
Teaching yourself how to code well will make for a very frustrating experience unless you have a lot of patience. This generally comes from being really sure that you want to do it.
Be very conservative in your time estimates. Having many setbacks is guaranteed if you're a beginner.
Start out by focusing on reading about writing code, not focusing on writing code. If you're learning Python, read the official tutorial first. The same goes for PHP.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
I have this idea for a website that's been floating around my head for quite sometime now and now have finally decided to get to work on it. Due to the nature of the project and my experience I am getting comfortable with the idea of running it as a PHP+MySQL application on an Apache server.
This is my first time doing web programming of any sort(I have a background in sysadmin and mainframe systems coding) and I am pretty unsure of what practices to take into consideration so that I don't find myself undoing/redoing things later in the project. Considering all the flak the language has taken on StackOverflow(which can be seen here and here) it would be nice to have a set of common mistakes to watch out for for a beginner like me. I did find this thread outlining things to avoid in PHP but most of the points made little sense to someone like me who's just setting out in PHP.
Do you have any suggestions, tips or tutorials outlining common gotcha's in the language which might come back later in the project demanding entire rewrites.
For what it's worth I am currently working my way through Programming PHP(O'Reilly) and PHP in Action(Manning).
I was in a very similar position a couple years ago, having come from a NOS background myself.
I actually started with PHP and MySQL for dummies. Once I had absorbed the knowledge contained therein, I hit the Web (I used SitePoint a lot, like Boushley recommended) and I read a couple of O'Reilley's book on the subject.
Once thing I will tell you, is that if you want to streamline your understanding and your efficiency, I have found great success with a number of MVC frameworks(CodeIgnitor, CakePHP, etc). If you have no idea what MVC is, I recommend finding out. Now that I use MVC, my code is easier to understand, modify, troubleshoot, etc.
And honestly, half of the learning in PHP is running into those common mistakes and learning from them. Its hard to appreciate those 'common mistakes' until you make them.
Don't worry about HOW you are going to learn, just START leaning!
If I could give you one piece of advice, it'd be to use a framework - they will make your life so much easier. They take away all the repetitive code from programming websites, handle security concerns and abstract lots of things, as well as make you build your website using a pattern such as Model-View-Controller.
I highly recommend the CodeIgniter framework for it's simplicity, power, great documentation and ease of use, but there are plenty of other good frameworks too. There are lots of questions on SO on this so have a quick search. There is a fantastic introductory screencast on CodeIgniter (soon to be a series) from BinaryCake, so check that out here.
I hope that's helped! If you have any PHP concerns, feel free to message me - it's my area of expertise (along with CodeIgniter) and I love it!
While still developing, have all errors show up:
ini_set('display_errors', '1');
error_reporting(E_ALL | E_STRICT);
Can save a lot of time (in case of say, typos in variable names). Change this when it goes live to not display or only display "real" errors depending on the type of site and security levels involved (you don't want everyone to know paths and variable names and such..).
Find a variable/function naming convention (under_scores vs camelCase vs..) that suits you and stick to it. Also, classes go in the /class directory, includes in /inc etc. Both these make it easier to understand your own code years from now. Oh, and the same goes for coding style, I guess: choose one and stick to it (indentation, bracket style, ..).
Comment your code :-) Personally I also have a little log at the end of longer files that shows when I did what and why. Each addition is timestamped, and the same timestamp is also in the comments behind the change itself, as the line number on which it sits can easily change. Similarly, in an included file containing a bunch of functions, I have the list of function names in a comment at the top of the file, with a one-line description behind them.
Finally on security (though this should really be your first concern ;-) ), treat all user input as suspect. That's POST & GET data, cookies, user-agent string, search strings - anything that is supplied by the browser. It's trivial to change cookie data or change/add form items.
Read up on SQL injection & XSS attacks, and look at PHP's relatively new data filter functions: http://php.net/manual/en/intro.filter.php
Google any of these to get some good reading
Don't use register_globals
Turn off magic_quotes - escape all user entered input in SQL statements
Escape any user entered input printed with htmlspecialchars()
Plus a lot more... These are some common things to watch out for though.
There are a number of great websites out there with lots of tutorials. One that comes to mind is Site Point. They'll try their best to sell you a book or two while your're there, but they do have some decent articles. This article for instance discusses some common security blunders in php.
http://www.sitepoint.com/article/php-security-blunders/
They have lots of them...
http://www.sitepoint.com/search/search.php?ps=10&q=php&submit=Search
Also a nettuts.com has a load of tutorials an things of that nature. They're more all across the board though.
http://nettuts.com/
And I think pretty much everywhere you look you'll see the common ones like watch out for register_globals, magic_quotes...
one good book to look at that is also free to download here covers beginner to advanced PHP techniques and is good way to learn good standards :)
Use a framework and use Object Oriented Programming
Books are great for learning additional languages, but for your first one, a good video tutorial is a great way to go!
Register for a Lynda.com account (google: lynda trial) and sign up for as many one day trials as you need (or be a good honest person and purchase a week). They have a pretty good beginner and advanced PHP series of video tutorials which are (IMHO) a great way to learn your first language.
A tip: If you can start programming Object Orientedly from the get-go, you will save some time in the future and learn good practice from the start, luckily the advanced tutorials cover this!
Here's a link: http://www.lynda.com/home/DisplayCourse.aspx?lpk2=435
I've never taken this particular course (when I learned a few years ago, it was different), but I just recommended this to a friend (who was just starting), and he really liked it!
Hope this helps!
If you're new to programming in general, A database backed web application is likely to be a bumpy ride. You will probably be programming in at least two, real programming languages, PHP and SQL, and if you're going to do anything of modest complexity, JavaScript too. Keeping them strait will be rough, because they are all quite different.
Just to warm up to programming, you might want to start instead using a more focused learning excercies, such as working through the Euler Project problems, or Code Kata.
Either way, Try to pick up good habits wherever you learn about them, including the popular suggestion here of using an MVC framework for the heavy lifting.
I'm about to start creating a new website that has standard user management (customers login and handling (change customer details etc) + my own functionality. I'm looking for the most efficient way to do it. I know PHP/CSS/Jquery quite well.
I have looked into Drupal as a starting point and found it too cumbersome for my needs.
CodeIgniter and PHPcake seems not to be efficient because I'll spend time learning the platform instead of developing (which I would love to do, but not currently).
It seems that what I need is a skeleton of PHP site that simply handles users functionality. Surprisingly I couldn't find one.
Could you recommend a starting point such as an open source website code that I can easily cut the user management part from? Or another option which is more streightforward than learning a new platform/framework?
To be honest, to get started in a framework like CodeIgniter you shouldn't need more than 5 to 15 minutes of learning time (a CI "skeleton" is extremely easy to do).
Yes, it may have plenty of tools/helpers/libraries but for the most part the learning curve is extremely shallow.
As to the users functionality, there are a couple of user-made libraries that may suit your needs - a comprehensive list with detailed functionality can be found here: what-code-igniter-authentication-library-is-best
Quite honestly, if you are going to use one of the existing platforms out there you are going to have to put the effort in to learning the architecture of it and then adapting to it to further develop on it.
Also, user management is a pain but really shouldn't take you THAT long to implement. If that's all you want, I'd say roll your own because then you are going to be that much more familiar with it. Anything that someone else has written you are going to have to learn about.
If all you want is authorization, start with Pear::Auth. It's probably a little less than you're looking for, but that may be preferable to a solution that's heavier than you desire.