nealec, Posted February 13, 2012: I have nearly finished a website that I am making for my local community. They will be registering on the site and I am wondering what sort of security for the site I should be thinking about. I just don't want someone out there doing something to cause problems with the site and ruining it for everyone else. (Thread: https://forums.phpfreaks.com/topic/257063-security/)
KevinM1, Posted February 13, 2012: Do you have any forms? Allow users to upload files? Use a database? It's difficult to recommend a course of action without knowing specifics.
nealec (Author), Posted February 13, 2012: Sorry, yes, they will be entering their email, passwords, names, username, phone numbers and uploading photos using multiple forms, and it will all be inserted into a MySQL database.
KevinM1, Posted February 13, 2012: Okay, so have you done anything to secure your data at this point, or are you looking for guidance from step 1?
nealec (Author), Posted February 13, 2012: Step 1, I'm afraid. I have had a very quick look at this sort of thing and have come across such things as SHA1 and SQL injection, but have no real idea what they are or how to implement them.
nealec (Author), Posted February 13, 2012: Sorry to go off subject for a second, but I just had a look at the link you provided about not using w3schools, which I'm afraid I have been unaware were not correctly advising people. The w3fools page lists a few good links for HTML, CSS, and JavaScript, but there doesn't seem to be any for PHP. Do you know of any?
scootstah, Posted February 13, 2012: PHP Freaks, Tizag, Devshed. CSS Tricks is pretty nifty too.

As for your original post: there are many aspects of web security. It would take a long time to start telling you all of them. Instead, you need to figure out what your script will be doing and start locking it down from there. For example, you are making a community site. This means you will likely have a login system, member profiles, user-generated content, etc. So it looks like you will have a lot of untrusted user input. With ALL user input, you should do at least the following:
- Sanitize it for database interaction. You can either do this by escaping problem characters (like mysql_real_escape_string) or by using prepared statements (the better choice).
- Sanitize for XSS attacks. This can be done either on input or on output, but if user content is going to be displayed somewhere on your website it must be done either way.
Those are the two biggies. Along with that, you'll want to make sure the data entered is what you are expecting.
KevinM1, Posted February 13, 2012: Generally, there are two sides to handling data:
1. Validation - is the incoming data valid? Does it fit the basic criteria I'm looking for (e.g., does the phone number field actually contain numbers)? Validity depends entirely on what your site does, what you expect data to be, what should be allowed, what shouldn't, etc. In other words, while there are ways to validate incoming data, the actual methods you use are wholly dependent on what you consider represents validity.
2. Sanitation - like scootstah says above, sanitation is about actual security: making sure the database isn't compromised, that user-supplied data doesn't affect other people negatively, etc. Escaping string (text) data before using it in a SQL query is a must, so use mysql_real_escape_string or, better yet, prepared statements from MySQLi or PDO. For cross-site scripting (XSS) attacks, turn any potentially submitted HTML and/or JavaScript into entities with htmlentities. For images, read through this thread: http://www.phpfreaks.com/forums/index.php?topic=353735.0
That should get you started.
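A worked example added here (not code from either reply) that puts scootstah's and KevinM1's two steps together in PHP: validate the fields the original poster listed, insert them with a PDO prepared statement instead of mysql_real_escape_string, and entity-encode on output. The members table, the DSN and the use of password_hash() (a current replacement for the SHA1 the poster mentioned) are assumptions.

```php
<?php
// Added example, not from the thread. Table "members" and the DSN are assumed.
declare(strict_types=1);

// Step 1 (validation): does each field look like what the site expects?
function validateMember(array $in): array
{
    $errors = [];
    $username = trim($in['username'] ?? '');
    if (!preg_match('/^[A-Za-z0-9_]{3,20}$/', $username)) {
        $errors[] = 'username must be 3-20 letters, digits or underscores';
    }
    $email = filter_var($in['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'email is not valid';
    }
    // Keep digits only, then check the length is plausible for a phone number.
    $phone = preg_replace('/\D/', '', $in['phone'] ?? '');
    if (strlen($phone) < 7 || strlen($phone) > 15) {
        $errors[] = 'phone number must contain 7 to 15 digits';
    }
    $password = $in['password'] ?? '';
    if (strlen($password) < 8) {
        $errors[] = 'password must be at least 8 characters';
    }
    return [$errors, compact('username', 'email', 'phone', 'password')];
}

// Step 2a (database): placeholders keep user data out of the SQL text,
// so no manual escaping is needed and the query cannot be altered.
function insertMember(PDO $db, array $m): void
{
    $stmt = $db->prepare('INSERT INTO members (username, email, phone, password_hash)
                          VALUES (?, ?, ?, ?)');
    $stmt->execute([$m['username'], $m['email'], $m['phone'],
                    password_hash($m['password'], PASSWORD_DEFAULT)]);
}

// Step 2b (XSS): entity-encode on output, so stored "<script>" renders as text.
function showName(string $username): string
{
    return '<p>Welcome, ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8') . '</p>';
}

[$errors, $member] = validateMember($_POST);
if ($errors === []) {
    $db = new PDO('mysql:host=localhost;dbname=community;charset=utf8mb4', 'dbuser', 'dbpass',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
    insertMember($db, $member);
    echo showName($member['username']);
}
```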
nealec (Author), Posted February 13, 2012: OK, great, thank you both for the info. Before I go, can you tell me how important pages like terms and conditions and privacy are for this kind of site? I have never used them before, but it feels like something I will need for a site that my whole community will hopefully be using. Am I at risk of any kind of legal action if I don't have these pages?
kicken, Posted February 13, 2012: "Am I at risk of any kind of legal action if I don't have these pages?" You're better off asking a lawyer that question. I would say possibly. Also, if you do set some up, it may be worth having a lawyer write them up to ensure they are valid and cover all your bases.
edit: If you don't care too much, you could probably just throw a "Use this site at your own risk, we are not responsible for anything" claim up. May deter your users some, though. Could work 'til you get something more official in place, though.
nealec (Author), Posted February 13, 2012: OK, it looks like that may unfortunately be my only option for now, but I'd rather not put anything up that's going to deter people, as the site I am making will be more useful to the people in my area if it has the maximum number of registered users. I am not being paid to make this site and it's not going to make me any money; it's just something I wanted to do, so I can't really afford to pay a solicitor (I live in the UK) to write these pages for me. Are there any kinds of guides or templates that you know of that may be of any use?
kicken, Posted February 13, 2012: "Are there any kinds of guides or templates that you know of that may be of any use?" Not that I am aware of. There probably are some pre-written ones out there you could use. You could also go to a site that functions similarly to yours and copy then modify theirs, and that would probably be good enough, for now anyway.
nealec (Author), Posted February 13, 2012: I don't really know of any sites like the one I'm making; that's why I thought I should make one. But while looking around I did come across this. As I have never even read a terms and agreements page, let alone written one, most of it goes straight over my head, so I'm lost as to what I would do with it. http://www.businesslink.gov.uk/bdotg/action/detail?itemId=1076142035&type=RESOURCES
nealec (Author), Posted February 13, 2012: Oh, sorry, ignore the last post. The link seems to be for a sample terms and conditions page for a completely different type of site, my mistake.
scootstah, Posted February 13, 2012: This is the same idea as writing your own contract. Yeah, you may hit the major points, but a well-paid lawyer will probably be able to rip it to shreds. Is the couple hundred bucks to hire a lawyer worth less than going bankrupt when you get sued later on?