
PHP Security - Best/common practice


tsuby

Recommended Posts

I'm new to the PHP scene and I want everything I do to be perfectly(?) secure in terms of hackability. Could any of you be so kind as to point me somewhere where I can take the steps necessary for learning to do so?

Or just give a summary of the most common practices.

 

The only site security practices that I am aware of are using mysql_real_escape_string, htmlentities and strip_tags, and I'm not totally sure when you are supposed to use those.

 

Any other advice would be much appreciated!


Security is a rather broad topic, and a lot of it depends on what a site's functionality is (or is supposed to be).  So, a better way to get help would be to tell us what you're trying to build, and then we can address those particular concerns.

 

That said, I will say that you should not use any of the old mysql_* functions.  They're soft deprecated, and no longer represent best practice.  Instead, use either MySQLi if you're certain your project will only use a MySQL database, or PDO as your database handler.

 

Another general tip: since you're just starting out, if you use a resource or see a tutorial that has code like this:

function blah()
{
    global $x;
 
    // ... other code
}

Toss it out/ignore it/set it on fire.  Use of the 'global' keyword is a bona fide symptom of doing things wrong, and any tutorial or resource that uses it should be considered suspect.


Hey, thanks for the reply!
I said I'm a newbie with PHP, not with coding in general. I can handle my stuff, if I can say so. I have been using the mysqli functions, I just wrote "mysql" in the previous post.

 

At the moment, I'm building some kind of blog from scratch. That means some forms for adding the articles and editing them (those are already only accessible by login that eventually goes through to an admin panel) and the comments interface that the users can use (I have not thought this one through yet, but it doesn't seem to be hard).

 

I am aware that I must do my best to filter EVERY user input, but that's basically all I know about security. I would like to go more in depth and learn more and more on this topic as I think it's extremely important if you want to make some money out of it.


Well, again, it depends on what you want to do.  For example, with user comments, you'll likely want to either use strip_tags if you don't want HTML, or htmlentities if you do, but in a readable/non-executable format.  You'll need to learn how to safely secure a user's credentials (protip: any resource that recommends MD5 as a hash algorithm should be avoided).  Anything beyond that is, again, up to the particulars of your project.*

 

*I'm not trying to be difficult, but we generally answer specific questions about code or application design.  That allows us to give good answers without playing the inevitable

 

"I'm not doing that, but rather this"

"Why didn't you say that before?"

"I thought it was obvious/you didn't read it correctly"

"Yes I did"

"No you didn't"

 

game.

 

For *AMP security, there's a book titled Pro PHP Security by Apress ( http://www.amazon.com/Pro-PHP-Security-Application-Implementation/dp/1430233184/ref=sr_1_2?ie=UTF8&qid=1372464328&sr=8-2&keywords=Pro+PHP+Security ) that's a pretty decent primer.

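Putting the two replies together (PDO prepared statements instead of mysql_*, strip_tags or HTML escaping for comments, a real password hash instead of MD5), here is an added PHP example for the blog scenario; it is not code from anyone in the thread, and the DSN, table names and column names are assumptions.

```php
<?php
// Added example, not from the thread. Schema (admins, comments tables) and DSN are assumed.
declare(strict_types=1);

function connect(string $dsn, string $user, string $pass): PDO
{
    // Throw on errors and use real server-side prepared statements.
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// Credentials: password_hash() picks a salted, slow algorithm (never MD5).
function registerAdmin(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO admins (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

function loginAdmin(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM admins WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();
    // password_verify() compares in constant time and reads the algorithm/salt from the hash.
    return $hash !== false && password_verify($password, (string) $hash);
}

// Storing a comment: bound parameters keep user text out of the SQL grammar,
// so no manual escaping (mysql_real_escape_string) is needed here.
function storeComment(PDO $db, int $articleId, string $author, string $body): void
{
    $stmt = $db->prepare(
        'INSERT INTO comments (article_id, author, body) VALUES (:a, :author, :body)'
    );
    $stmt->execute([':a' => $articleId, ':author' => $author, ':body' => $body]);
}

// Rendering a comment: escape at output time for the HTML context.
//   $allowHtmlAsText = false -> strip_tags() drops markup entirely (no HTML wanted).
//   $allowHtmlAsText = true  -> tags are kept but shown literally, never executed.
// htmlspecialchars() is used here; htmlentities() from the thread works the same way for this.
function renderComment(string $author, string $body, bool $allowHtmlAsText): string
{
    $text = $allowHtmlAsText ? $body : strip_tags($body);
    $esc  = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="comment"><b>' . $esc($author) . '</b><p>' . $esc($text) . '</p></div>';
}
```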
