1

just like the title says, what are the most common security features of a php based membership system. A few I know:

  • mysql injections
  • secured connection
  • encrypted password(s) and other sensitive data.

What else?

dave
  • 14,991
  • 26
  • 76
  • 110
  • possible duplicate of [PHP Session Security](http://stackoverflow.com/questions/328/php-session-security) also see http://stackoverflow.com/questions/2119083/php-tutorial-that-is-security-accuracy-and-maintainability-conscious – Wrikken Aug 02 '11 at 21:54

7 Answers7

2

Authentication != Authorization is another one that comes to mind.

barfoon
  • 27,481
  • 26
  • 92
  • 138
2

An extensive list of attacks can be found here: https://www.owasp.org/index.php/Category:Attack

Some methods:

  • Abuse of Code Functionality (Bad Coding)
  • Data Structure Attacks
  • Embedding Malicious Code (XSS)
  • Exploitation of Authentications
  • Injections
  • Path Traversal Attacks (include($_GET['file']))
  • Protocol Manipulation
  • Resource Depletion (DOS/DDOS)
  • Resource Manipulation
  • Sniffing Attacks
  • Spoofing (COOKIES)
Lawrence Cherone
  • 46,049
  • 7
  • 62
  • 106
1

Minimal password requirements are a definite must. Also, use some type of CAPTCHA.

Richard Hoffman
  • 729
  • 3
  • 10
1

Here is a link that shows some important security issues:

link

Manuel
  • 10,153
  • 5
  • 41
  • 60
1

Not necessarily a security feature, but the user experience of the system should not be confusing. Most users have seen the uname/pword login form and some have seen OAuth/OpenId. Beyond that you enter a world where you need to ensure your intentions are clear.

rcravens
  • 8,320
  • 2
  • 33
  • 26
1

Some other things to think about:

  • Session security (How are session variables set? Can someone's session ID be stolen? Is session fixation possible?)
  • Are your forms protected against XSS?
  • Do you have any mechanism to prevent brute-force attacks, like locking out an IP address after X failed attempts? Do you need to keep track of who logs into a given account? (e.g., should you be notified if someone logs into an administrator account from an IP address in southeast Asia if your site is run solely by people who live in the US?)
Chris Hepner
  • 1,552
  • 9
  • 16
0

I made a small list of the most usual security problem seen in here : Historical security flaws of popular PHP CMS's?

It lacks the authorization != authentication problem barfon answered, all the anti spam protection you should have and I'm sure some other things I can't think of right now.

Community
  • 1
  • 1
Arkh
  • 8,416
  • 40
  • 45