
cbassett01

New Members
  • Posts: 7
  • Joined
  • Last visited: Never

Profile Information
  • Gender: Not Telling

cbassett01's Achievements

Newbie (1/5)

Reputation: 0
  1. Are there any books anyone wants to recommend on the subject of security and PHP? I'm designing a site that uses logins, passwords, and restricted access pages, and want to make sure the site is as secure as I can make it. I've got a good understanding of PHP, MySQL and HTML, but just wanted a good book to look through/read on PHP security because I know how to use the language, but am not completely up to date on security holes, etc. Some of the issues I'm concerned with are code injection (like injecting or modifying an SQL statement embedded within a PHP script, etc.). Suggestions? I'd probably consider myself at the intermediate level as far as PHP and MySQL go.
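The injection the post describes happens when a value typed into the login form is pasted into the SQL text, so a single quote in the input ends the string literal and the rest of the input is read as SQL. The following is an added example (not the poster's code) of the vulnerable pattern next to the hardened form using PDO prepared statements, together with password hashing so the table never holds a reusable password. The `users` table, its columns and the connection values are assumptions; the credentials are placeholders.

```php
<?php
// Added example: parameterised login lookup with PDO so user input never becomes SQL.
// Assumes a hypothetical `users` table with columns id, username, password_hash.
declare(strict_types=1);

function connectDb(): PDO
{
    // DSN and credentials are placeholders; real values belong in a config file
    // outside the web root, not in a script the web server can serve.
    return new PDO(
        'mysql:host=localhost;dbname=example_db;charset=utf8mb4',
        'app_user',
        'PLACEHOLDER_PASSWORD',
        [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES   => false,  // real server-side prepares
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
}

// Vulnerable pattern: the username is concatenated into the SQL text, so a quote
// character in the submitted value changes the meaning of the statement.
function findUserUnsafe(PDO $pdo, string $username): ?array
{
    $sql = "SELECT id, username, password_hash FROM users WHERE username = '$username'";
    $row = $pdo->query($sql)->fetch();
    return $row === false ? null : $row;
}

// Hardened form: the statement text is fixed at prepare time; the username is sent
// as a bound parameter and the server treats it strictly as data.
function findUser(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, username, password_hash FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Store only a salted, slow hash; password_hash() picks the salt and cost and
// password_verify() compares without leaking timing.
function registerUser(PDO $pdo, string $username, string $password): int
{
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:username, :hash)');
    $stmt->execute([
        ':username' => $username,
        ':hash'     => password_hash($password, PASSWORD_DEFAULT),
    ]);
    return (int) $pdo->lastInsertId();
}

function authenticate(PDO $pdo, string $username, string $password): bool
{
    $user = findUser($pdo, $username);
    // Always run the verify, against a throwaway hash when the user is unknown,
    // so response time does not reveal which usernames exist.
    $hash = $user['password_hash'] ?? password_hash('unknown-user', PASSWORD_DEFAULT);
    $ok   = password_verify($password, $hash);
    return $user !== null && $ok;
}
```

Both lookups return the same row for a well-formed username; the difference only shows when the input contains SQL metacharacters, which is exactly the case `findUser()` is immune to because the query text never changes.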
  2. Need some ideas on how to incorporate a small message board into an existing site (I can't use phpBB or other free BB systems... I have to code my own). Basically, I've got a photo gallery I designed, and want people to be able to post comments or hold small discussions around the pictures. I'm in need of some help designing the "comments" portion. Although this following statement doesn't really affect the actual design and coding of the table, this is what I'd like to see happen: My goal is that when a person clicks on a picture from a grid of pictures, a new page appears with the enlarged picture, and below it are comments people have made about the picture. Here is my thought process so far: Each photo in the gallery (regardless of what album it falls into) has a unique photo ID represented as a number, which helps the system identify the photos and sort the photos into various albums--I created a "linking" table in MySQL that helps the system link photo albums to pictures. I was thinking of having a single table that simply referenced a photo ID, user's ID number, a date/time stamp, and the comment (along with other info, such as the user's name, date of the post, etc.). In this "comment" table, there would be an integer field that would hold the comment's ID (the primary key, mainly for the purpose of being able to select a single comment from a list of many comments for deletion, modification, etc.). The ID would not really determine the order in which the comments are displayed. The date/time stamp would be the primary determining factor (most recent posting at the bottom of the page). Additionally, the comments would only be shown when someone was looking at a single picture... not the grid of photos. I already have the user account management system in place and written, so that's already done. Each person has their own username and password. In addition to that, the primary key of that table is each user's given ID number, which never changes. They can change their username and password, but the ID number does not change. This number would be used for tracking who posts what in the comments section. Is this a fairly acceptable thought / design I have or am I missing something major? This site probably won't see very heavy traffic (it's for a members-only site for a small group at the local school). Any other ideas for suggestions? I already have the user account management system in place and written.
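One way to lay out the design described in the post is given below as an added example (not the poster's code): a comments table keyed on the photo ID and the user's permanent ID, ordered for display by timestamp rather than by comment ID, with the username joined at read time instead of copied into each row, and with comment text escaped before it reaches HTML. Table and column names (`photo_comments`, `photos`, `users`, `user_id`, `photo_id`) are assumptions.

```php
<?php
// Added example: comments tied to a photo and a user, displayed oldest to newest.
// Schema and names are assumptions; the poster's real tables may differ.
declare(strict_types=1);

const COMMENTS_SCHEMA = <<<'SQL'
CREATE TABLE IF NOT EXISTS photo_comments (
    comment_id  INT UNSIGNED NOT NULL AUTO_INCREMENT,
    photo_id    INT UNSIGNED NOT NULL,
    user_id     INT UNSIGNED NOT NULL,
    created_at  DATETIME     NOT NULL DEFAULT CURRENT_TIMESTAMP,
    body        TEXT         NOT NULL,
    PRIMARY KEY (comment_id),
    INDEX idx_photo_created (photo_id, created_at),
    CONSTRAINT fk_comment_photo FOREIGN KEY (photo_id) REFERENCES photos (photo_id) ON DELETE CASCADE,
    CONSTRAINT fk_comment_user  FOREIGN KEY (user_id)  REFERENCES users (user_id)  ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
SQL;

// Insert a comment on behalf of the logged-in user; the user ID comes from the
// session, never from a form field the visitor can edit.
function addComment(PDO $pdo, int $photoId, int $userId, string $body): int
{
    $body = trim($body);
    if ($body === '' || mb_strlen($body) > 2000) {
        throw new InvalidArgumentException('Comment must be 1 to 2000 characters.');
    }
    $stmt = $pdo->prepare(
        'INSERT INTO photo_comments (photo_id, user_id, body) VALUES (:photo, :user, :body)'
    );
    $stmt->execute([':photo' => $photoId, ':user' => $userId, ':body' => $body]);
    return (int) $pdo->lastInsertId();
}

// Username is joined from users at read time, so a renamed account shows its
// current name on every comment. Ordering is by timestamp, with comment_id as
// a tiebreak so two comments in the same second keep a stable order.
function listComments(PDO $pdo, int $photoId): array
{
    $stmt = $pdo->prepare(
        'SELECT c.comment_id, c.created_at, c.body, u.username
           FROM photo_comments AS c
           JOIN users AS u ON u.user_id = c.user_id
          WHERE c.photo_id = :photo
       ORDER BY c.created_at ASC, c.comment_id ASC'
    );
    $stmt->execute([':photo' => $photoId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Ownership is enforced inside the SQL: a comment_id belonging to someone else
// matches no row, so the delete is a no-op rather than a privilege problem.
function deleteOwnComment(PDO $pdo, int $commentId, int $userId): bool
{
    $stmt = $pdo->prepare('DELETE FROM photo_comments WHERE comment_id = :id AND user_id = :user');
    $stmt->execute([':id' => $commentId, ':user' => $userId]);
    return $stmt->rowCount() === 1;
}

// Escape on output: a comment body is untrusted text, never markup.
function renderComments(array $comments): string
{
    $html = '';
    foreach ($comments as $c) {
        $html .= '<div class="comment"><strong>'
            . htmlspecialchars($c['username'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
            . '</strong> <time>' . htmlspecialchars($c['created_at'], ENT_QUOTES, 'UTF-8') . '</time>'
            . '<p>' . nl2br(htmlspecialchars($c['body'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')) . '</p>'
            . '</div>';
    }
    return $html;
}
```

The foreign keys make the "linking" explicit at the database level: deleting a photo or a user account removes its comments rather than leaving rows that point at nothing.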
  3. Is there a way that I can create some sort of custom PHP error handling script that is capable of looking at an error that occurred and deciding what to do next or what to display to the user (rather than just printing out an error statement)? I'd ideally like this error handler to be in its own script file so that I can include it in all scripts where an error might possibly occur. Second, is there a way that you can implement error handling like in other languages such as Visual Basic or C++/C#? For now, I've just been doing something like this: mysql_connect(DB_HOST, DB_USER, DB_PASS) or die(mysql_error()); I'd like to find a way so that if the die() function has to be called because of an error, I can call something else (a function in another script file) and send it some sort of error code that the function would then resolve to a more informative error message the user can understand. Suggestions?
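PHP does have structured exception handling (`try`/`catch`/`finally`, `throw`), and `set_error_handler()` plus `set_exception_handler()` let one include file decide what the user sees. The following is an added example (not the poster's code) of such an include: driver-level detail is written to the server log under a random reference code, while the browser receives only a generic message and that code. The `AppError` class, function names and messages are assumptions.

```php
<?php
// Added example: a reusable error-handling include. Detailed diagnostics go to
// the server log; the user sees a safe message plus a reference code that can be
// matched to the log entry. Class and function names are assumptions.
declare(strict_types=1);

final class AppError extends RuntimeException
{
    public function __construct(
        string $message,                        // internal detail, logged only
        private readonly string $userMessage,   // what the visitor is shown
        int $code = 0,
        ?Throwable $previous = null
    ) {
        parent::__construct($message, $code, $previous);
    }

    public function userMessage(): string
    {
        return $this->userMessage;
    }
}

// Turn warnings and notices into exceptions so a single catch handles everything.
function installErrorHandlers(): void
{
    set_error_handler(static function (int $severity, string $message, string $file, int $line): bool {
        if (!(error_reporting() & $severity)) {
            return false; // respect @-suppression and the configured reporting level
        }
        throw new ErrorException($message, 0, $severity, $file, $line);
    });

    set_exception_handler(static function (Throwable $e): void {
        $reference = bin2hex(random_bytes(4)); // short id the user can quote back
        error_log(sprintf(
            '[%s] %s: %s in %s:%d',
            $reference, get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()
        ));

        $userMessage = $e instanceof AppError
            ? $e->userMessage()
            : 'Something went wrong. Please try again later.';

        http_response_code(500);
        header('Content-Type: text/html; charset=UTF-8');
        echo '<p>' . htmlspecialchars($userMessage, ENT_QUOTES, 'UTF-8')
            . ' (reference ' . $reference . ')</p>';
    });
}

// Replacement for "mysql_connect(...) or die(mysql_error())": the driver's
// message (which may include host or user names) is logged, never echoed.
function connectOrFail(string $dsn, string $user, string $pass): PDO
{
    try {
        return new PDO($dsn, $user, $pass, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    } catch (PDOException $e) {
        throw new AppError(
            'Database connection failed: ' . $e->getMessage(),
            'The site is temporarily unavailable.',
            0,
            $e
        );
    }
}

installErrorHandlers();
```

Scripts that `require` this file get the behaviour without any per-script `die()` calls; anything they do not catch themselves ends up in the exception handler, and the reference code in the log line is what connects a user's report to the real error.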
  4. I know that PHP scripts are run on the server side, and not the client side, but I just wanted to clarify something... I've been working with PHP, MySQL and Apache now for some time, but now am doing my first "real world" project that will be in a production environment. The project is relatively small and basic compared to many other sites (just uses a simple login/permissions system to control access to various pages). Anyway, my concern is whether there is a way that a visitor could possibly view the source code of a PHP file? In particular, PHP files that contain connection information for connecting to MySQL databases (as in, passwords, user names, etc.). My reason for this concern is that I have about 3 or 4 PHP script files that contain connection information (each with varying MySQL permission levels), and I don't want someone to be able to figure out the passwords for each of the SQL users I have set up for accessing the database and its tables... My passwords are quite secure (in their make-up), but obviously if someone can view the password, it doesn't really matter how good it is because someone has seen it. So, how can I protect my pages from viewing by people other than me (or is this not really an issue)?
  5. So the "$_SERVER[REQUEST_URI]" variable looks at the file/document making the request to the PHP file? Is that what this variable/function does? I can prevent hotlinking to files directly, so this might help as well (as in, I can only allow pages that have the base domain, such as www.mydomain.com, to access files on the site and not allow "outside" sources access or direct access to files). I think many web hosts refer to this as "hotlink protection." I have been using the $_POST array, and NOT the $_GET or $_REQUEST array. I just wanted to make sure that for the most part, people can't do something like this from my login page: www.mydomain.com/authenticate.php?UserName=someuser&Pass=something So if I use $_POST in my PHP script that processes the log in, this above web address (supposedly feeding parameters to the PHP script) shouldn't work, right?
  6. Sorry if this really isn't a PHP question, but I've got an HTML form that asks for a user name and password (for logging into a site). The HTML form then calls a PHP file which will process the request and verify (with a table in the MySQL database) the user's name and password and either let the user into the site or not. Now, my question is about the HTML page that is displayed to the user to get the user name and password. What is to prevent someone from grabbing the field names from the HTML file and then creating their own script on their own site, referencing my PHP script on my server which accesses my database? Can I prevent someone from remotely accessing my scripts from another website? Additionally, what's to prevent someone from seeing the field names in the HTML form and then feeding these variables to the PHP script via the address bar? How are these issues generally handled? I'm using PHP sessions for security reasons. (I'll be honest... I'm pretty fluent in PHP, but am new to the topic of "sessions" in PHP, encryption, and stuff relating to those subjects.)
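Posts 4, 5 and 6 circle the same three points: a correctly configured server executes `.php` files rather than serving their text, so exposure comes from misconfiguration or stray copies (for example an editor's backup file with another extension), which is why connection details are best kept in a file above the document root; reading only `$_POST` means query-string parameters in the address bar never reach the handler, but it does not stop a form on another site from posting to it, because the `Referer` header is supplied by the client and cannot be relied on; what does tie a submission to the visitor who was shown the form is a per-session anti-forgery token. The following is an added example (not the poster's code) of a login form and the request checks its handler applies before touching the database. The config path, field names and function names are assumptions.

```php
<?php
// Added example: login form and handler checks. Credentials come from a file
// above the web root; the form is accepted only as a POST that carries the
// token issued to this session. Paths and names are assumptions.
declare(strict_types=1);

session_start();

// Hypothetical location: /var/www/example.com/config/db.php returns an array
// such as ['dsn' => ..., 'user' => ..., 'pass' => ...]. It sits next to, not
// inside, the public directory, so no URL maps to it.
function loadDbConfig(): array
{
    return require dirname(__DIR__) . '/config/db.php';
}

// One random token per session; hash_equals() below compares it without
// leaking how many leading bytes matched.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// The hidden field binds this form to the visitor's session, so knowing the
// field names is not enough to submit it from another site or address bar.
function renderLoginForm(): string
{
    $token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="authenticate.php">'
        . '<input type="hidden" name="csrf_token" value="' . $token . '">'
        . '<label>User name <input name="UserName" autocomplete="username"></label>'
        . '<label>Password <input type="password" name="Pass" autocomplete="current-password"></label>'
        . '<button type="submit">Log in</button></form>';
}

// Checks the login handler runs first. Returns null when the request is
// acceptable, otherwise a short reason for the log.
function validateLoginRequest(array $server, array $post, array $session): ?string
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return 'method';   // ?UserName=...&Pass=... in the address bar never populates $_POST
    }
    $sent     = (string) ($post['csrf_token'] ?? '');
    $expected = (string) ($session['csrf_token'] ?? '');
    if ($expected === '' || $sent === '' || !hash_equals($expected, $sent)) {
        return 'csrf';     // form was not issued to this session (remote form, replay, expired session)
    }
    if (!isset($post['UserName'], $post['Pass']) || $post['UserName'] === '' || $post['Pass'] === '') {
        return 'fields';
    }
    return null;
}

// After the credential check succeeds: new session id and new token, so anything
// captured before login is no longer valid.
function finishLogin(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// authenticate.php would start with:
$problem = validateLoginRequest($_SERVER, $_POST, $_SESSION);
if ($problem !== null) {
    error_log('rejected login request: ' . $problem);
    http_response_code(400);
    exit('Invalid request.');
}
```

`$_SERVER['REQUEST_URI']` is the path of the current request, not the page that sent it; the header that names the sending page is `HTTP_REFERER`, and because the browser (or any other client) chooses whether and what to send there, it works for hotlink protection of images but is not a substitute for the token check above.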