
I'm coding my first php/mysql site and realize that I know very little about security beyond what I learned in my course/book. How much security knowledge do I need before I can publish my own site without being concerned that achieving even modest success will draw hackers and lead to my site being broken into?

If it helps with more specifics, I'm creating a site that will allow users to add plain text content, as well as browse what others have added. The text is meant to be stored in a db.

gabrielg
  • "How to secure my web application" is too large a scope to answer. Basics: use prepared SQL statements, don't use a quick hash to store a password, use `bcrypt` or similar. – Jon Feb 12 '13 at 12:33
  • Firstly you should head over to https://www.owasp.org/index.php/Category:Attack. If you are reading from a course/book then you are most likely vulnerable to something (SQL injection, XSS), as most of those books do not implement security because it can confuse a learner. – Lawrence Cherone Feb 12 '13 at 12:34
  • @Jon what is a quick hash as opposed to a non-quick hash? I was thinking to use sha-512 from what I read. Should I use bcrypt instead and if so, can you explain why, please? – gabrielg Feb 12 '13 at 17:39
  • @LawrenceCherone I read some of those articles now, so thanks for sharing. It teaches about a variety of attacks, and I don't know how many nor which are relevant for me to build protections against. For example, the man-in-the-middle attack is based on LAN vulnerability, and outside my control, if I understood correctly. – gabrielg Feb 12 '13 at 17:41
  • @gabrielg using a quick hash (i.e., any true 'hash' method, including sha-512) is easy to replicate with computers now. bcrypt offers a solution that both salts the password and is slow. For more reference look at: http://phpmaster.com/why-you-should-use-bcrypt-to-hash-stored-passwords/ and http://problog.jon-lawrence.com/2012/08/a-little-about-passwords/ – Jon Feb 13 '13 at 01:55
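The "quick hash versus bcrypt" point from the comments, as an added example that is not part of the question or the comments: PHP's `password_hash()` / `password_verify()` (built in since PHP 5.5; the example itself assumes PHP 7.1+) produce a salted bcrypt hash with a tunable work factor. A plain `sha512` of the same password is computed alongside it only to show what a fast, unsalted hash looks like. The cost value and the sample password are assumptions.

```php
<?php
// Added example: bcrypt password storage with password_hash()/password_verify(),
// beside a plain sha512 to illustrate the "quick hash" the comments warn about.
declare(strict_types=1);

// bcrypt work factor: 2^12 rounds. An assumption; raise it as hardware gets faster.
const BCRYPT_COST = 12;

function hashPassword(string $password): string
{
    // password_hash() draws a fresh random salt and embeds the algorithm id,
    // the cost and the salt in the returned string, so nothing else is stored.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

function verifyPassword(string $password, string $storedHash): bool
{
    // Reads the salt and cost back out of $storedHash and recomputes.
    return password_verify($password, $storedHash);
}

// Call after a successful login: if the stored hash was made with a lower cost,
// return a fresh hash for the caller to save; otherwise null.
function rehashIfNeeded(string $password, string $storedHash): ?string
{
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        return hashPassword($password);
    }
    return null;
}

// --- demonstration with a constructed password ---
$plaintext = 'correct horse battery staple';

$fast = hash('sha512', $plaintext);   // no salt, deterministic, microseconds to compute
$slow = hashPassword($plaintext);     // salted, deliberately slow

echo "sha512 of the password (identical every time it is computed):\n  $fast\n";
echo "bcrypt of the password (a new salt each call, so two hashes differ):\n";
echo "  $slow\n  " . hashPassword($plaintext) . "\n";

echo 'correct password verifies: ' . var_export(verifyPassword($plaintext, $slow), true) . "\n";
echo 'wrong password verifies:   ' . var_export(verifyPassword('wrong password', $slow), true) . "\n";

// Cost of a single guess under each scheme: this is the whole point of bcrypt.
$t = microtime(true);
hash('sha512', $plaintext);
$fastTime = microtime(true) - $t;
$t = microtime(true);
password_verify($plaintext, $slow);
$slowTime = microtime(true) - $t;
printf("one sha512 guess: %.6f s, one bcrypt guess: %.3f s\n", $fastTime, $slowTime);
```

Store only the string returned by `hashPassword()`; it already contains the salt and cost, so the same `verifyPassword()` keeps working when `BCRYPT_COST` is raised later and `rehashIfNeeded()` upgrades old rows on login.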

4 Answers

You cannot know everything, so it depends on what possible attack vectors your code has and what the risks are.

Ask yourself:

this list is not complete but should cover the most common use cases for simple web applications and their security threats

Regarding risk:

As soon as you handle sensitive personal data of users or host the site on your own virtual server, you have additional responsibilities, because the worst case is no longer just that your site could be broken: private data could be exposed, your server could turn into a spambot, or worse.

The most important rule is: DON'T TRUST ANY INCOMING DATA

An extension to this rule, important for beginners: Use exactly the measures that fit the current context. DO NOT JUST THROW EVERYTHING AT THE USER INPUT THAT YOU KNOW AND HOPE IT WILL BE MORE SECURE, this is counterproductive! I often see questions like: "Is my application secure if I use `addslashes(mysql_real_escape_string(strip_tags(htmlspecialchars())))` on all my `$_POST` variables?" - if you even consider this a valid approach, you have a serious misunderstanding of how security regarding user input works. I repeat: what's secure and what's not always depends on the context!

A great resource to learn from is the Open Web Application Security Project

Fabian Schmengler
  • Fab that was excellent and helps me understand what direction to go with my learning. I really really appreciate the time you took to write out all that detail and if I could vote up your answer I would! I especially like the If 'issue' then learn 'solution' format! – gabrielg Feb 12 '13 at 19:20
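The "measures that fit the context" rule from this answer, as an added example (not Fabian's code, not the asker's): one piece of plain text a user submitted, encoded differently for each place it ends up, next to the stacked-escaping anti-pattern quoted in the answer. The input string and the function names are constructed for the example; it assumes PHP 7.1+ with the mbstring/json extensions that ship by default. `mysql_real_escape_string()` from the quoted question is left out because it needs a live MySQL connection and no longer exists in PHP 7.

```php
<?php
// Added example: context-specific output encoding versus escaping everything at input time.
declare(strict_types=1);

// Constructed input. Harmless, but it contains the characters every context treats specially.
$userText = "O'Reilly & Sons <info@example.com> \"quoted\" 50%";

// Context: HTML body text, or a quoted attribute value.
function forHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Context: a JavaScript string literal inside a <script> block.
function forJs(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Context: a value in a URL query string.
function forUrl(string $s): string
{
    return rawurlencode($s);
}

// Context: the database. No transformation at all; the SQL context is handled
// by binding the value as a prepared-statement parameter, not by escaping here.
function forStorage(string $s): string
{
    return $s;
}

echo "HTML : <p>" . forHtml($userText) . "</p>\n";
echo "JS   : <script>var t = " . forJs($userText) . ";</script>\n";
echo "URL  : /search?q=" . forUrl($userText) . "\n";
echo "DB   : " . forStorage($userText) . "\n\n";

// The anti-pattern from the answer: every escape the author knows, applied once at input.
$mangled = addslashes(strip_tags(htmlspecialchars($userText, ENT_QUOTES, 'UTF-8')));
echo "Stored after stacked escaping : $mangled\n";

// Output code cannot know what was done at input time, so it must escape again
// for its own context, and the stored entities get encoded a second time.
echo "Shown in HTML later           : " . forHtml($mangled) . "\n";
echo "Shown in JavaScript later     : " . forJs($mangled) . "\n";
// And anywhere that is not HTML (an e-mail, a JSON API, a text export) the
// HTML entities are simply wrong, because the text was never HTML.
echo "Shown as plain text later     : $mangled\n";
```

The rule the code follows: store what the user typed, unchanged, and apply exactly one encoding at the moment the text is written into a specific context. Each `for…()` function is tied to one context, and none of them is ever called on data going into the database.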

It's never enough. But you will hopefully keep improving. And when you're ready, you'll probably know it yourself.

Learn the most common security issues, such as:

  • SQL injections
  • Form spoofing
  • XSS

and remember to:

  • always validate user input (including sessions)
  • block access to folders that shouldn't be public
  • use blowfish instead of md5/sha1 for passwords
  • hide errors from the end user (and log them)

Also take a look at this guide which sums up the most famous security problems.

Shoe
  • Jeffrey that was really useful - a clear answer to where I should direct my attention. I can't yet vote up answers but I'd vote yours up if I could. Thanks for helping a newb! Also, that guide is excellent - I'm very grateful for the link! – gabrielg Feb 12 '13 at 17:54
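Three items from this answer worked into one small handler for the "add text" form: a per-session anti-forgery token against form spoofing, server-side validation of the submitted plain text, and error reporting that logs instead of displaying. This is an added example, not the answerer's code; the log path, the size limit, the route and the field names are assumptions, and it assumes PHP 7.1+ with sessions available.

```php
<?php
// Added example: CSRF token, input validation and "hide errors, log them" for a text-submission form.
declare(strict_types=1);

// Production error handling: visitors never see PHP errors; they go to a log file.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/myapp.log'); // assumed path, outside the web root

const MAX_TEXT_BYTES = 10000; // assumed limit for one submission

function csrfToken(): string
{
    // One random token per session, created on first use and reused for every form.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfTokenIsValid(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted); // constant-time compare
}

// Returns a list of problems; an empty list means the text is acceptable.
function validatePlainText(?string $text): array
{
    $errors = [];
    if ($text === null || trim($text) === '') {
        return ['Text is required.'];
    }
    if (!mb_check_encoding($text, 'UTF-8')) {
        $errors[] = 'Text must be valid UTF-8.';
    }
    if (strlen($text) > MAX_TEXT_BYTES) {
        $errors[] = 'Text is too long.';
    }
    // Plain text only: reject control and other non-printing characters,
    // except the line breaks and tabs a textarea legitimately sends.
    if (preg_match('/[^\P{C}\r\n\t]/u', $text)) {
        $errors[] = 'Text contains non-printable characters.';
    }
    return $errors;
}

function renderForm(): string
{
    $token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/add">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<textarea name="text"></textarea><button>Add</button></form>';
}

// Handles one POST; returns the message to show the user.
function handleSubmit(array $post): string
{
    if (!csrfTokenIsValid($post['csrf_token'] ?? null)) {
        // Detail goes to the log, the user gets a generic message.
        error_log('Rejected submission: CSRF token missing or invalid');
        return 'Your session has expired, please try again.';
    }
    $errors = validatePlainText($post['text'] ?? null);
    if ($errors !== []) {
        return implode(' ', $errors);
    }
    // $post['text'] is now ready to be stored with a prepared statement.
    return 'Saved.';
}

// Demonstration with two constructed submissions: one without a valid token, one valid.
session_start();
echo renderForm(), "\n";
echo handleSubmit(['csrf_token' => 'not-the-session-token', 'text' => 'hello']), "\n";
echo handleSubmit(['csrf_token' => csrfToken(), 'text' => "Hello\tworld\r\n"]), "\n";
```

Run it with `php add.php` (the file name is an assumption); the first submission is rejected and logged, the second passes both checks. In a real site the token check and the validator run before anything touches the database, and the generic messages are all the visitor ever sees of a failure.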
Take a look into SQL injections and XSS. It is all in validating a user's input. Never trust a user.

SQL Injections

XSS

Lastly, the best way to learn is to suffer from an attack because of bad security. Then you understand how it works. Just one tip: make backups.

s.lenders

The most critical part of your website would be that the users can provide text to your database. Read this question here on Stack Overflow for a good answer on how to prevent SQL injection: How to prevent SQL injection in PHP

Kim Kling
  • Yeah, good point - we discussed SQL injections in class, so I'll look into these more as you and s.lenders pointed out! Thank you for helping me! – gabrielg Feb 12 '13 at 17:56
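For the SQL injection point raised in this answer and in s.lenders' answer above, an added example (not from either answerer, nor from the linked question): the "build the statement from the user's text" pattern beside the prepared-statement version, run against an in-memory SQLite database so it works without a MySQL server. The PDO calls are identical with a MySQL DSN. It assumes PHP 7.1+ with the pdo_sqlite extension; the table layout and the sample post are constructed.

```php
<?php
// Added example: string-built SQL (vulnerable) beside a PDO prepared statement (safe).
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side parameters
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT NOT NULL, body TEXT NOT NULL)');

// VULNERABLE: the user's text becomes part of the SQL statement itself, so any
// character the database treats specially changes what the statement means.
function addPostUnsafe(PDO $db, string $author, string $body): void
{
    $sql = "INSERT INTO posts (author, body) VALUES ('$author', '$body')";
    $db->exec($sql);
}

// SAFE: the statement text is fixed; the values travel separately as parameters
// and are never parsed as SQL, whatever characters they contain.
function addPost(PDO $db, string $author, string $body): int
{
    $stmt = $db->prepare('INSERT INTO posts (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $db->lastInsertId();
}

// Reads use parameters too, e.g. for a "posts by author" page.
function postsByAuthor(PDO $db, string $author): array
{
    $stmt = $db->prepare('SELECT id, body FROM posts WHERE author = :author ORDER BY id');
    $stmt->execute([':author' => $author]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: an ordinary name and sentence with apostrophes, exactly what real users type.
$author = "O'Brien";
$body   = "Rock 'n' roll isn't dead; it's just resting.";

try {
    addPostUnsafe($db, $author, $body);
    echo "unsafe insert succeeded\n";
} catch (PDOException $e) {
    // The apostrophes ended the quoted literal early and the statement no longer parses.
    // MySQL reports the same kind of syntax error. The failure is the benign outcome:
    // with other input the statement can parse fine and simply mean something else.
    echo 'unsafe insert failed: ' . $e->getMessage() . "\n";
}

$id = addPost($db, $author, $body);
echo "safe insert stored row $id\n";
print_r(postsByAuthor($db, $author));
```

The safe version needs no escaping function at all: because the query text and the data are sent separately, there is nothing in the data that the parser could mistake for SQL, and the apostrophes come back out of the database exactly as they went in.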