johnnyk Posted April 5, 2007

I'm gonna start work on a website soon. It's gonna involve a good amount of people interacting with a DB (logging in, adding comments, voting, whatnot). I'm gonna write the site in PHP/MySQL. The only thing is that I've never made a website with this much DB interaction before and I'm worrying that it won't be secure. Does anyone have any suggested reading for someone who is an intermediate PHP/MySQL programmer but knows almost nothing about security?
Fergusfer Posted April 5, 2007

Essential PHP Security (Chris Shiflett, O'Reilly) ISBN: 0-596-00656-X

The first thing you should understand is the concept of "tainted" data. This is well-explained in that book, but in a nutshell: if you don't create the data in your PHP application, you should assume the data is an attack until you have successfully verified it is safe or rendered it neutral.

You definitely need to understand script and SQL injection attacks and how data inspection and filtering are used to protect your application and data. This is covered in Essential PHP Security, as well as other topics, such as session hijacking.
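An added example, not part of the original posts, of the tainted-data rule described above applied to a comment form: verify the input, bind it in a prepared statement, and escape it on output. The table, function names and sample inputs are assumptions, and in-memory SQLite via PDO stands in for MySQL so the script runs offline.

```php
<?php
declare(strict_types=1);
// Added example: table and function names are hypothetical.
// SQLite in memory stands in for MySQL; the PDO calls are the same.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, post_id INTEGER, body TEXT)');

// Verify: accept a value only if it matches what the application expects.
function clean_post_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Verify type and length, then store through a prepared statement so the
// body is always bound as data and never parsed as SQL.
function add_comment(PDO $db, $rawPostId, $rawBody): bool
{
    $postId = clean_post_id($rawPostId);
    if ($postId === null || !is_string($rawBody)) {
        return false;
    }
    $body = trim($rawBody);
    if ($body === '' || strlen($body) > 2000) {
        return false;
    }
    $stmt = $db->prepare('INSERT INTO comments (post_id, body) VALUES (:post_id, :body)');
    return $stmt->execute([':post_id' => $postId, ':body' => $body]);
}

// Neutralize: escape on output, because stored data is still tainted.
function render_comments(PDO $db, int $postId): string
{
    $stmt = $db->prepare('SELECT body FROM comments WHERE post_id = :post_id ORDER BY id');
    $stmt->execute([':post_id' => $postId]);
    $html = '';
    foreach ($stmt->fetchAll(PDO::FETCH_COLUMN) as $body) {
        $html .= '<p>' . htmlspecialchars($body, ENT_QUOTES, 'UTF-8') . "</p>\n";
    }
    return $html;
}

// Constructed sample input standing in for $_POST values.
var_dump(add_comment($db, '1', "Nice post' OR '1'='1"));      // SQL metacharacters in the body
var_dump(add_comment($db, '1 OR 1=1', 'hello'));              // post id that is not an integer
var_dump(add_comment($db, '1', '<script>alert(1)</script>')); // markup in the body
echo render_comments($db, 1);
```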
This topic is now archived and is closed to further replies.