I have nearly finished a website that I am making for my local community. They will be registering on the site and I am wondering what sort of security for the site I should be thinking about. I just don't want someone out there doing something to cause problems with the site and ruining it for everyone else.

https://forums.phpfreaks.com/topic/257063-security/

Sorry to go off subject for a second, but I just had a look at the link you provided about not using w3schools, and I'm afraid I have been unaware that they were not correctly advising people. The w3fools page lists a few good links for HTML, CSS, and JavaScript but there don't seem to be any for PHP. Do you know of any?

https://forums.phpfreaks.com/topic/257063-security/#findComment-1317752

PHP Freaks

Tizag

Devshed

 

CSS Tricks is pretty nifty too.

 

As for your original post. There are many aspects of web security. It would take a long time to start telling you all of them. Instead, you need to figure out what your script will be doing and start locking it down from there. For example, you are making a community site. This means you will likely have a login system, member profiles, user-generated content, etc. So it looks like you will have a lot of untrusted user input. With ALL user input, you should do at least the following:

- sanitize it for database interaction. You can either do this by escaping problem characters (like mysql_real_escape_string) or by using prepared statements (the better choice).

- sanitize for XSS attacks. This can be done either on input, or output, but if user content is going to be displayed somewhere on your website it must be done either way.

 

Those are the two biggies. Along with that, you'll want to make sure the data entered is what you are expecting.

https://forums.phpfreaks.com/topic/257063-security/#findComment-1317778

Generally, there are two sides to handling data:

 

1. Validation - is the incoming data valid?  Does it fit the basic criteria I'm looking for (e.g., does the phone number field actually contain numbers)?  Validity depends entirely on what your site does, what you expect data to be, what should be allowed, what shouldn't, etc.  In other words, while there are ways to validate incoming data, the actual methods you use are wholly dependent on what you consider represents validity.

 

2. Sanitation - like scootstah says above, sanitation is about actual security.  Making sure the database isn't compromised, that user-supplied data doesn't affect other people negatively, etc.

 

Escaping string (text) data before using it in a SQL query is a must, so use mysql_real_escape_string, or, better yet, prepared statements from MySQLi or PDO.

 

For cross-site scripting (XSS) attacks, turn any potential submitted HTML and/or JavaScript into entities with htmlentities.

 

For images, read through this thread: http://www.phpfreaks.com/forums/index.php?topic=353735.0

 

That should get you started.

https://forums.phpfreaks.com/topic/257063-security/#findComment-1317802
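
The validate, prepared-statement and htmlentities steps described in the two replies above, as an added example that is not part of the original thread. The `members` table, the field names and the in-memory SQLite database (standing in for the site's MySQL database) are assumptions, and the sample submission is constructed.

```php
<?php
declare(strict_types=1);

// Assumption: in-memory SQLite stands in for MySQL so this runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT, phone TEXT, bio TEXT)');

// 1. Validation: does the data fit what the field is supposed to hold?
function validate_member(array $in): array
{
    $errors = [];
    $name = trim((string)($in['name'] ?? ''));
    if ($name === '' || strlen($name) > 50) {
        $errors[] = 'name must be 1-50 characters';
    }
    if (!preg_match('/\A\+?[0-9]{7,15}\z/', (string)($in['phone'] ?? ''))) {
        $errors[] = 'phone must be 7-15 digits';
    }
    return $errors;
}

// 2. Database: a prepared statement sends the values separately from the SQL text.
function save_member(PDO $pdo, array $in): void
{
    $stmt = $pdo->prepare('INSERT INTO members (name, phone, bio) VALUES (:name, :phone, :bio)');
    $stmt->execute([':name' => trim($in['name']), ':phone' => $in['phone'], ':bio' => $in['bio']]);
}

// 3. Output: convert stored text to entities at the point it is written into HTML.
function e(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed submission: the name passes validation yet contains SQL metacharacters.
$post = [
    'name'  => "Robert'); DROP TABLE members;--",
    'phone' => '01632960123',
    'bio'   => '<script>alert(1)</script> Hello neighbours',
];
if (validate_member($post) === []) {
    save_member($pdo, $post);
}
foreach ($pdo->query('SELECT name, bio FROM members') as $row) {
    echo '<h2>' . e($row['name']) . '</h2><p>' . e($row['bio']) . "</p>\n";
}
echo 'rows: ' . $pdo->query('SELECT COUNT(*) FROM members')->fetchColumn() . "\n";
print_r(validate_member(['name' => 'Ann', 'phone' => 'call me', 'bio' => '']));
```

The name is stored and displayed as literal text and the table still exists afterwards, which shows why validation alone is not the security control here.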

OK great, thank you both for the info. Before I go, can you tell me how important pages like terms and conditions and privacy are for this kind of site? I have never used them before, but it feels like something I will need for a site that my whole community will hopefully be using. Am I at risk of any kind of legal action if I don't have these pages?

https://forums.phpfreaks.com/topic/257063-security/#findComment-1317822

Am I at risk of any kind of legal action if I don't have these pages?

 

You're better off asking a lawyer that question.  I would say possibly.  Also if you do set some up it may be worth having a lawyer write them up to ensure they are valid and cover all your bases.

 

edit:

If you don't care too much, you could probably just throw a "Use this site at your own risk, we are not responsible for anything" claim up.  May deter your users some though.  Could work til you get something more official in place though.

https://forums.phpfreaks.com/topic/257063-security/#findComment-1317828

OK, it looks like that may unfortunately be my only option for now, but I'd rather not put anything up that's going to deter people, as the site I am making will be more useful to the people in my area if it has the maximum amount of registered users. I am not being paid to make this site and it's not going to make me any money; it's just something I wanted to do, so I can't really afford to pay a solicitor (I live in the UK) to write these pages for me.

 

Is there any kind of guides or templates that you know of that may be of any use? 

https://forums.phpfreaks.com/topic/257063-security/#findComment-1317838

Is there any kind of guides or templates that you know of that may be of any use? 

 

Not that I am aware of.  There probably are some pre-written ones out there you could use.  You could also go to a site that functions similarly to yours and copy then modify theirs and that would probably be good enough, for now anyway.

 

https://forums.phpfreaks.com/topic/257063-security/#findComment-1317839

I don't really know of any sites like the one I'm making; that's why I thought I should make one. While looking around I did come across this, but as I have never even read a terms and agreements page, let alone written one, most of it goes straight over my head, so I'm lost as to what I would do with it.

 

http://www.businesslink.gov.uk/bdotg/action/detail?itemId=1076142035&type=RESOURCES

https://forums.phpfreaks.com/topic/257063-security/#findComment-1317843

This is the same idea as writing your own contract. Yeah, you may hit the major points, but a well paid lawyer will probably be able to rip it to shreds. Is the couple hundred bucks to hire a lawyer worth less than going bankrupt when you get sued later on?

https://forums.phpfreaks.com/topic/257063-security/#findComment-1317884