PHP methods for securing a website
PHP Web security tips
Passwords used within your PHP application should always be encrypted. If the server you
are using does not support mcrypt(), use crypt() to
encrypt the password entered during the login,
then check this against the stored encrypted password.
Cryptography is just one part of a secure solution, as it can
only be applied once data has been received by the server.
You may also need to take advantage of SSL connections
in your Web sites. SSL, which stands for Secure Sockets Layer,
is a method of securely transmitting information between a
client (the Web browser) and the server. Use of SSL
connections, indicated by the https:// prefix in a URL, is a
must for e-commerce applications. You can also specify
that cookies are sent only over an SSL connection by setting the
proper parameter when using the setcookie() function.
Check with your ISP or server administrator to see if SSL
connections are supported on the machine you are using.
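As an added example (not code from the original article), the two points above in PHP: storing a one-way crypt() hash of a password with a bcrypt salt and comparing a login attempt against it in constant time with hash_equals(), then sending the session cookie only over SSL via the secure parameter of setcookie(). The function names and the cookie name are assumptions; the password value is constructed for illustration.

```php
<?php
// Added example, not part of the original article.
// Store only a one-way hash of the password, never the password itself.

// Build a bcrypt salt for crypt(): "$2y$" + cost + 22 chars from [./A-Za-z0-9].
function make_bcrypt_salt(int $cost = 12): string
{
    $raw = base64_encode(random_bytes(16));           // 24 chars, base64 alphabet
    $salt = substr(strtr($raw, '+', '.'), 0, 22);     // bcrypt accepts '.' and '/' but not '+'
    return sprintf('$2y$%02d$%s', $cost, $salt);
}

// Hash a new password at registration time; store the returned string in the database.
function hash_password(string $password): string
{
    $hash = crypt($password, make_bcrypt_salt());
    // crypt() returns a short failure string (such as "*0") when it rejects the salt.
    if (strlen($hash) < 13) {
        throw new RuntimeException('crypt() failed to produce a hash');
    }
    return $hash;
}

// Verify a login attempt: crypt() re-hashes with the salt embedded in the stored hash,
// and hash_equals() compares without leaking timing information.
function verify_password(string $password, string $stored_hash): bool
{
    return hash_equals($stored_hash, crypt($password, $stored_hash));
}

// Mark the session cookie as Secure (sent only over https) and HttpOnly.
// Assumes PHP 7.3 or later for the options-array form of setcookie().
function set_secure_session_cookie(string $name, string $value): bool
{
    return setcookie($name, $value, [
        'expires'  => 0,          // session cookie, discarded when the browser closes
        'path'     => '/',
        'secure'   => true,       // browser sends it only over an SSL/TLS connection
        'httponly' => true,       // not readable by client-side script
        'samesite' => 'Strict',
    ]);
}

// Usage with a constructed password (hypothetical cookie name "sid").
$stored = hash_password('correct horse battery staple');
var_dump(verify_password('correct horse battery staple', $stored));
var_dump(verify_password('wrong password', $stored));
set_secure_session_cookie('sid', bin2hex(random_bytes(16)));
```

On PHP 5.5 and later, password_hash() and password_verify() wrap this same bcrypt scheme and generate the salt for you.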
Security Resources
There are literally dozens upon dozens of Web sites you can
visit to keep yourself informed of pertinent security issues. The most prominent four, in my opinion, are:
Computer Emergency Response Team (http://www.cert.org)
Security Focus (http://www.security-focus.com)
Packet Storm (http://packetstorm.securify.com)
World Wide Web Consortium (http://www.w3.org/Security/Faq/www-security-faq.html)
There are also any number of books available, ranging from those that generically discuss security to those that will assist in establishing secure Windows NT or Linux Web servers.
With respect to PHP, do not forget to read the PHP manual's
section on security. Also review the security section of the
documentation for the database you are using on the server.
Some, such as MySQL's manual, include tips specifically
with respect to using PHP and MySQL together.