Jump to content

PHP Newbie: Login Security and General Security

metalspawned

By metalspawned
in PHP Coding Help

 Share

Recommended Posts

metalspawned Newbie

metalspawned

Posted
Posted

Hello all!

 

I am completely new to PHP and advanced programming. I've read tutorials around the web (tizag.com, w3schools.com, etc) and am starting to get a better idea of PHP, but I'm feeling a bit overwhelmed. My goal is to build a complex and dynamic social networking website a la Facebook. No wonder I'm overwhelmed, eh? Anyways, if it were to go public and become popular, great, but really, the only reason I'm personally attempting this massive project is to learn PHP inside and out.

 

What I am concerned about is security. I read the security tutorial here on phpfreaks, which is great. It really sheds light on the types of security issues I will be facing and gives some suggestions on how to overcome these issues. However, I have no clue how to implement all this stuff. Should I just have a security.php file that includes all the code suggested in that tutorial and then require it in every single PHP file I create?

 

I've heard that using cookies and sessions is insecure. I've learned that there are security concerns with both md5 and sha1 for password encryption. I barely know how to get a login script working and how to keep a user logged in for any sort of duration. There is so much I need to take into consideration that I really feel like just an ant in an ocean...

 

I tried searching the forums for "login" but I got an error saying "Unable to open search daemon" or something like that. I know I am asking a lot and approaching a massive subject, but any guidance would be greatly appreciated...

 

 

Thanks,

ms

ignace Advanced Member

ignace

Posted
Posted

My advice: start out really small! Buy a php cookbook and implement their examples using their code and learn to understand it. I could tell you the ins- and outs on application development and -architecture however just by hearing all of it may explode your head or scare you ;) If you want I can help you in learning by reviewing what you wrote. And all phpfreaks members (including myself) will be glad to assist you if you have any programming related problem.

 

Many start out big and come out really disappointed because they are in it way over their head and leave the webdevelopment industry and consider it "not fun to do" while it actually is the best job in the world ;)

 

Anyways, if it were to go public and become popular, great

 

You would have a problem facebook runs on out 50-100 servers which uses a loadbalancer and some servers are preserved as db-server. It's thus not only programming it's an all-round job, a job that has so many facets that it requires it's participants to be really really flexible (more flexible then rubber)

ignace Advanced Member

ignace

Posted
Posted

just remember, "logged in" is just a variable.

 

actually that's a state (a fancy name for a variable that holds a certain value that modifies the behavior of the system) ;)http://en.wikipedia.org/wiki/State_(computer_science)

metalspawned Newbie

metalspawned

Posted
  • Author
Posted

My advice: start out really small! Buy a php cookbook and implement their examples using their code and learn to understand it.

 

First of all, thank you for your response! :-)

 

I've purchased a PHP and MySQL "guide" and it's all well and good. I understand variables, arrays, functions, loops, and tables and how to manipulate all this stuff. They give me small examples and (I think!) I understand the code. Then, I sit down at my computer and try to create a (secure) login, and I realize that, even with these books, I have no idea where to begin.

 

You would have a problem facebook runs on out 50-100 servers which uses a loadbalancer and some servers are preserved as db-server. It's thus not only programming it's an all-round job, a job that has so many facets that it requires it's participants to be really really flexible (more flexible then rubber)

 

I understand that my idea won't ever develop into something like Facebook with just me alone, but I'd still like to see what I am capable of making! :-D

WolfRage Newbie

WolfRage

Posted
Posted

I would recommend that you take the time to learn OOP so that you may implement elements of security as they are required and not include them when they are not needed. OOP gives you much more control and flexibility over large applications. With the use of a custom autoloader you can even call your classes on the fly, although I recommend you try to avoid using the real autoloader as it can be a performance hit if PHP makes a call for a class just before failure.

ignace Advanced Member

ignace

Posted
Posted

I've purchased a PHP and MySQL "guide" and it's all well and good. I understand variables, arrays, functions, loops, and tables and how to manipulate all this stuff.

 

If you feel you are in for a very hard curve I would recommend downloading Zend framework. I have learned alot in a very short notice by just using their framework.

 

Then, I sit down at my computer and try to create a (secure) login, and I realize that, even with these books, I have no idea where to begin.

 

I have been there myself ;) I threw them away or gave them away

metalspawned Newbie

metalspawned

Posted
  • Author
Posted

Yea, I'm not really looking for you guys to build this for me. I know that that is asking too much. I've seen plenty of already made login scripts on the web, but I'm hesitant to use someone else's code, especially because I've seen others saying the code isn't secure or it's badly written or or or. Really, what I'm looking for is a simple point in the right direction, a "map" of a PHP login script in plain English, not code. I *do* want to build it myself, if only to say I *did* build it myself, but I'm not sure what components are needed, what password encryption to use, etc.

ignace Advanced Member

ignace

Posted
Posted

I've seen others saying the code isn't secure or it's badly written or or or

 

Nothing is ever really secure. When it isn't the code, it's the server, .. No one can ever guarantee 100% security, only 99.9% at its best however that 0.1% will come back to haunt you ;) They have told me that your application's code is only as good as the company's worst programmer, and it's true. Even if computer's themselfs wrote it, it still wouldn't make it 100% proof.

 

And don't believe everything they say, if we would believe everything they say we would have died a few times over ;) In 2012 we will die again :D Ofcourse I'm not saying that you should just rely on any code but if you do - test it yourself - use unit testing for example (http://en.wikipedia.org/wiki/Unit_testing). If it passes all your worst case scenario's then you can be sure it will do to (for 99.9%) in the real world to.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.