metalspawned, posted July 20, 2009
Thread: https://forums.phpfreaks.com/topic/166628-php-newbie-login-security-and-general-security/

Hello all! I am completely new to PHP and advanced programming. I've read tutorials around the web (tizag.com, w3schools.com, etc.) and am starting to get a better idea of PHP, but I'm feeling a bit overwhelmed.

My goal is to build a complex and dynamic social networking website a la Facebook. No wonder I'm overwhelmed, eh? Anyways, if it were to go public and become popular, great, but really, the only reason I'm personally attempting this massive project is to learn PHP inside and out.

What I am concerned about is security. I read the security tutorial here on phpfreaks, which is great. It really sheds light on the types of security issues I will be facing and gives some suggestions on how to overcome these issues. However, I have no clue how to implement all this stuff. Should I just have a security.php file that includes all the code suggested in that tutorial and then require it in every single PHP file I create? I've heard that using cookies and sessions is insecure. I've learned that there are security concerns with both md5 and sha1 for password encryption. I barely know how to get a login script working and how to keep a user logged in for any sort of duration. There is so much I need to take into consideration that I really feel like just an ant in an ocean...

I tried searching the forums for "login" but I got an error saying "Unable to open search daemon" or something like that.

I know I am asking a lot and approaching a massive subject, but any guidance would be greatly appreciated...

Thanks,
ms
ignace, posted July 20, 2009

My advice: start out really small! Buy a PHP cookbook and implement their examples using their code and learn to understand it. I could tell you the ins and outs of application development and architecture; however, just hearing all of it may explode your head or scare you. If you want, I can help you in learning by reviewing what you wrote. And all phpfreaks members (including myself) will be glad to assist you if you have any programming-related problem. Many start out big and come out really disappointed because they are in it way over their head, leave the web development industry and consider it "not fun to do", while it actually is the best job in the world.

> Anyways, if it were to go public and become popular, great

You would have a problem: Facebook runs on about 50-100 servers, which use a load balancer, and some servers are reserved as DB servers. It's thus not only programming, it's an all-round job, a job that has so many facets that it requires its participants to be really, really flexible (more flexible than rubber).
nbarone, posted July 20, 2009

Just remember, "logged in" is just a variable. Everything is a variable if you have to question it. One major point that I think about every day when scripting PHP is NEVER ASSUME.
ignace, posted July 20, 2009

> just remember, "logged in" is just a variable.

Actually, that's a state (a fancy name for a variable that holds a certain value that modifies the behavior of the system): http://en.wikipedia.org/wiki/State_(computer_science)
ignace, posted July 20, 2009

> one major point that I think about every day when scripting PHP is NEVER ASSUME.

Now where was it the last time I heard they based themselves on axioms? Oh yeah: math and science.
metalspawned (author), posted July 20, 2009

> My advice: start out really small! Buy a PHP cookbook and implement their examples using their code and learn to understand it.

First of all, thank you for your response! :-) I've purchased a PHP and MySQL "guide" and it's all well and good. I understand variables, arrays, functions, loops, and tables and how to manipulate all this stuff. They give me small examples and (I think!) I understand the code. Then, I sit down at my computer and try to create a (secure) login, and I realize that, even with these books, I have no idea where to begin.

> You would have a problem: Facebook runs on about 50-100 servers, which use a load balancer, and some servers are reserved as DB servers. It's thus not only programming, it's an all-round job, a job that has so many facets that it requires its participants to be really, really flexible (more flexible than rubber).

I understand that my idea won't ever develop into something like Facebook with just me alone, but I'd still like to see what I am capable of making! :-D
elis, posted July 20, 2009

I suggest using Tizag.com if you're a complete beginner. I found that that site explains certain aspects of PHP for beginners better than some other resources do.
WolfRage, posted July 20, 2009

I would recommend that you take the time to learn OOP so that you may implement elements of security as they are required and not include them when they are not needed. OOP gives you much more control and flexibility over large applications. With the use of a custom autoloader you can even call your classes on the fly, although I recommend you try to avoid using the real autoloader, as it can be a performance hit if PHP makes a call for a class just before failure.
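As an added illustration of the "custom autoloader" idea in the post above (this is example code written for this page, not code from the thread or from any phpfreaks member), here is a small spl_autoload_register() loader that maps a class such as App\Security\Csrf to src/Security/Csrf.php and loads it the first time it is used. The namespace prefix App\ and the src directory are assumptions for the example. The security-relevant part is the name check: class names reach autoloaders from unserialize() of untrusted data, class_exists() on request parameters and the like, so a name must not be able to steer require() towards ../../etc/passwd or any other arbitrary file.

```php
<?php
// Added example, not code from the thread: an spl_autoload_register() loader
// that maps App\Security\Csrf to src/Security/Csrf.php and loads the file the
// first time the class is used. APP_NAMESPACE and APP_SRC_DIR are assumptions.
// The pattern check is the security-relevant line: class names can arrive from
// unserialize() of untrusted data or class_exists() on request input, so a name
// must never be able to turn require() into a path traversal.
declare(strict_types=1);

const APP_NAMESPACE = 'App\\';            // assumed project namespace prefix
const APP_SRC_DIR   = __DIR__ . '/src';   // assumed source directory

// Returns the file that should define $class, or null if the name is not ours
// or is not a well-formed sequence of PHP identifiers.
function class_to_path(string $class): ?string {
    if (strncmp($class, APP_NAMESPACE, strlen(APP_NAMESPACE)) !== 0) {
        return null;   // another registered autoloader may own it
    }
    $relative = substr($class, strlen(APP_NAMESPACE));
    // Identifier characters joined by single backslashes only: this rejects
    // ".", "/", NUL and therefore ".." segments; \z forbids a trailing newline.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*(\\\\[A-Za-z_][A-Za-z0-9_]*)*\z/', $relative)) {
        return null;
    }
    return APP_SRC_DIR . '/' . str_replace('\\', '/', $relative) . '.php';
}

spl_autoload_register(function (string $class): void {
    $file = class_to_path($class);
    if ($file !== null && is_file($file)) {
        require $file;   // only ever a path built from a validated name
    }
});

// Stand-alone checks on the mapping itself (no src/ directory is needed).
$good = class_to_path('App\\Security\\Csrf');
if ($good !== APP_SRC_DIR . '/Security/Csrf.php') {
    throw new RuntimeException("unexpected mapping: $good");
}
$bad = ['App\\..\\..\\etc\\passwd', "App\\Security\\Csrf\0", 'App\\Security/Csrf', 'Vendor\\Other'];
foreach ($bad as $name) {
    if (class_to_path($name) !== null) {
        throw new RuntimeException('should have been rejected: ' . addcslashes($name, "\0"));
    }
}
echo "autoloader mapping OK\n";
```

Run it with `php autoload.php`; the loader only does anything once classes under the assumed App\ namespace are referenced, and the checks at the bottom show that traversal, NUL and foreign-namespace names never produce a path.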
ignace, posted July 20, 2009

> I've purchased a PHP and MySQL "guide" and it's all well and good. I understand variables, arrays, functions, loops, and tables and how to manipulate all this stuff.

If you feel you are in for a very hard curve, I would recommend downloading Zend Framework. I have learned a lot at very short notice just by using their framework.

> Then, I sit down at my computer and try to create a (secure) login, and I realize that, even with these books, I have no idea where to begin.

I have been there myself. I threw them away or gave them away.
metalspawned (author), posted July 21, 2009

Yeah, I'm not really looking for you guys to build this for me. I know that that is asking too much. I've seen plenty of already-made login scripts on the web, but I'm hesitant to use someone else's code, especially because I've seen others saying the code isn't secure or it's badly written or or or. Really, what I'm looking for is a simple point in the right direction, a "map" of a PHP login script in plain English, not code. I *do* want to build it myself, if only to say I *did* build it myself, but I'm not sure what components are needed, what password encryption to use, etc.
ignace, posted July 21, 2009

> I've seen others saying the code isn't secure or it's badly written or or or

Nothing is ever really secure. When it isn't the code, it's the server, ... No one can ever guarantee 100% security, only 99.9% at its best; however, that 0.1% will come back to haunt you. They have told me that your application's code is only as good as the company's worst programmer, and it's true. Even if computers themselves wrote it, it still wouldn't make it 100% proof. And don't believe everything they say; if we believed everything they say we would have died a few times over. In 2012 we will die again.

Of course I'm not saying that you should just rely on any code, but if you do, test it yourself; use unit testing, for example (http://en.wikipedia.org/wiki/Unit_testing). If it passes all your worst-case scenarios then you can be sure it will do so (for 99.9%) in the real world too.
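The "map" of a login script that the original poster asks for in the first post and again two posts up, as an added example written for this page (not code from the thread or from any phpfreaks member), with the worst-case checks the post above recommends built in. It uses password_hash()/password_verify() (PHP 5.5+) in place of bare md5() or sha1(), a prepared statement for the user lookup, a fresh session id on login against session fixation, and an is_logged_in() check that reads only server-side session state, which is the "logged in is a state" point made earlier in the thread. The in-memory SQLite database, the users table and the user alice are constructed for the example; the session helpers take the session array as a parameter so the file runs without a web server, and in a real request handler you would call start_secure_session() and pass $_SESSION.

```php
<?php
// Added example, not code from the thread. Pieces of a login script:
// password_hash()/password_verify() (PHP 5.5+) in place of bare md5()/sha1(),
// a prepared statement for the lookup, a fresh session id on login against
// session fixation, and an is_logged_in() check that trusts only server-side
// session state. The SQLite database, table and user are constructed here
// so the file runs stand-alone:  php login.php
declare(strict_types=1);

const HASH_OPTIONS = ['cost' => 12];   // bcrypt work factor; raise as hardware gets faster

function make_db(): PDO {
    $db = new PDO('sqlite::memory:');  // assumes pdo_sqlite; any PDO driver works
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, password_hash TEXT NOT NULL)');
    return $db;
}

function register_user(PDO $db, string $username, string $password): void {
    // password_hash() picks a random salt and encodes algorithm, cost and salt
    // into the returned string, so only that string needs to be stored.
    $hash = password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

// Returns the user id, or null on any failure. Unknown usernames still go through
// password_verify() against a dummy hash so timing does not reveal which users exist.
function authenticate(PDO $db, string $username, string $password): ?int {
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy-for-constant-timing', PASSWORD_DEFAULT, HASH_OPTIONS);
    }
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);  // bound parameter: the username never becomes SQL
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $storedHash = $row ? $row['password_hash'] : $dummyHash;
    $valid = password_verify($password, $storedHash);
    if (!$row || !$valid) {
        return null;
    }
    // Transparently upgrade hashes made with an older cost or algorithm.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT, HASH_OPTIONS)) {
        $upd = $db->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS), ':id' => $row['id']]);
    }
    return (int) $row['id'];
}

// Session helpers take the session array so they run without a web server;
// in a request handler call start_secure_session() and pass $_SESSION.
function start_secure_session(): void {
    ini_set('session.use_strict_mode', '1');   // reject ids the server never issued
    session_set_cookie_params([                 // PHP 7.3+ array form
        'httponly' => true,   // not readable from JavaScript
        'secure'   => true,   // sent only over HTTPS
        'samesite' => 'Lax',  // not sent on cross-site POSTs
    ]);
    session_start();
}

function log_in(array &$session, int $userId): void {
    // A new id at the privilege change defeats session fixation: an id an
    // attacker planted in the victim's browser before login stops being valid.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $session['user_id']   = $userId;
    $session['logged_at'] = time();
}

function is_logged_in(array $session, int $maxAgeSeconds = 3600): bool {
    // "Logged in" is server-side state; the browser only supplies the opaque
    // session id that selects this array. A cookie saying loggedin=1 is never consulted.
    return isset($session['user_id'], $session['logged_at'])
        && (time() - $session['logged_at']) < $maxAgeSeconds;
}

function log_out(array &$session): void {
    $session = [];
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_destroy();
    }
}

// Stand-alone run against a constructed user, including the worst cases.
function check(bool $cond, string $what): void {
    if (!$cond) { throw new RuntimeException("check failed: $what"); }
}
$db = make_db();
register_user($db, 'alice', 'correct horse battery staple');
$session = [];
check(authenticate($db, 'alice', 'wrong password') === null, 'wrong password rejected');
check(authenticate($db, 'nobody', 'anything') === null, 'unknown user rejected');
check(authenticate($db, "alice' OR '1'='1", 'x') === null, 'injection attempt is just a bad username');
$id = authenticate($db, 'alice', 'correct horse battery staple');
check($id === 1, 'correct password accepted');
log_in($session, $id);
check(is_logged_in($session), 'session marks the user as logged in');
log_out($session);
check(!is_logged_in($session), 'logout clears the state');
echo "login flow OK\n";
```

Each function is one component of the map: storage, registration, authentication, session start, login, the logged-in check, and logout. The checks at the bottom are the kind of worst-case tests the previous post asks for and can be moved into a PHPUnit test file unchanged; a real application would add rate limiting on authenticate() and a CSRF token on the login form, which are not shown here.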