fredted40x Posted April 14, 2010

Hi, I have created a mini message board using HTML, PHP, and AJAX, and now I would like to check that it's secure. I would like to get it to prevent hackers and also prevent people stealing PHP code. Can anyone point me to any sites or give me any tips that I can use? Thank you.

Link to comment https://forums.phpfreaks.com/topic/198542-php-security/

xt3mp0r~ Posted April 14, 2010

1. Make sure you validate inputs.
2. If you are dealing with databases, always use mysql_real_escape_string() function. This function properly scrubs your input so it doesn't include invalid characters.
3. Hide your php errors.
4. Make sure to md5 passwords or any vital information.. if you store it into db.
5. Use captcha, it prevents spammers.

That's what came into my mind right now. Hope it helps you. You can always google, there's a lot to study.

fredted40x Posted April 14, 2010 Author

> 1. Make sure you validate inputs.
> 2. If you are dealing with databases, always use mysql_real_escape_string() function. This function properly scrubs your input so it doesn't include invalid characters.
> 3. Hide your php errors.
> 4. Make sure to md5 passwords or any vital information.. if you store it into db.
> 5. Use captcha, it prevents spammers.
>
> That's what came into my mind right now. Hope it helps you. You can always google, there's a lot to study.

Ahhh captcha, good idea. Forgot about them. So far I have md5'd passwords and I have just found the escape_string function on Google, so will be adding that. Could you explain a little more about how to hide PHP errors? Thanks again.

xt3mp0r~ Posted April 14, 2010

Adding the code below to your script would never show any PHP errors to your users. Add it to your code when you are done debugging it.

    error_reporting(0);

ignace Posted April 14, 2010

> 4. Make sure to md5 passwords or any vital information.. if you store it into db.

Make that sha1 and also include a salt, as md5 passwords can be "guessed" using a rainbow table.

> 5. Use captcha, it prevents spammers.

I recommend reCaptcha.

ignace Posted April 14, 2010

> Adding below code in your script would never show any php errors to your users. Add it to your code when you are done debugging it.
>
>     error_reporting(0);

No. That makes sure that no single error is reported, meaning that although your application does not function, it also does not show any errors in your error log. The correct setting is:

    error_reporting(E_ALL);
    ini_set('display_errors', 1); // 1=development, 0=production

You also shouldn't set these in your PHP script but in your php.ini. On your development machine display_errors = On and on your production machine display_errors = Off.

xt3mp0r~ Posted April 14, 2010

Thanks for pointing that out, ignace. Still quite new to PHP. I recommend your code.

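The setting ignace describes (report everything, display only in development, keep the error log working in production) as a runnable PHP 7+ sketch. This is an added example, not code posted in the thread; the APP_ENV variable, the log path and the configure_error_handling() function are assumptions, and the ini_set() calls stand in for php.ini entries so the block runs on its own.

```php
<?php
// Added example, not code from the thread. APP_ENV, the log file path and
// configure_error_handling() are assumptions made for illustration.
// php.ini is still the right place for these settings: a runtime ini_set()
// cannot cover errors that occur before this code has run.

function configure_error_handling(string $env, string $logFile): void
{
    // Report everything in every environment; only the destination changes.
    error_reporting(E_ALL);
    ini_set('log_errors', '1');
    ini_set('error_log', $logFile);
    // 1 = development (show in the page), 0 = production (log only).
    ini_set('display_errors', $env === 'development' ? '1' : '0');

    // Turn warnings and notices into exceptions so they take one path.
    set_error_handler(function (int $severity, string $message, string $file, int $line): bool {
        if (!(error_reporting() & $severity)) {
            return false; // suppressed with @ or excluded by error_reporting
        }
        throw new ErrorException($message, 0, $severity, $file, $line);
    });

    // Uncaught exceptions: full detail to the log, generic text to the visitor.
    set_exception_handler(function (Throwable $e) use ($env): void {
        $ref = bin2hex(random_bytes(4)); // ties a user report to a log line
        error_log(sprintf('[%s] %s: %s in %s:%d', $ref, get_class($e),
            $e->getMessage(), $e->getFile(), $e->getLine()));
        if (PHP_SAPI !== 'cli' && !headers_sent()) {
            http_response_code(500);
        }
        echo $env === 'development'
            ? htmlspecialchars((string) $e, ENT_QUOTES, 'UTF-8')
            : "Something went wrong (reference $ref).";
    });
}

// Default to production behaviour when APP_ENV is not set.
configure_error_handling(getenv('APP_ENV') ?: 'production',
    sys_get_temp_dir() . '/app-errors.log');

// Constructed failure: reading a missing array key raises a warning (PHP 8)
// or a notice (PHP 7). The visitor sees only the reference; the log has the rest.
$row = [];
echo $row['username'];
```

With error_reporting(0) the same failure would produce neither the page message nor the log line, which is the problem raised in the thread.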