security concerns
Your script can be as secure or insecure as you want.
Generally, the end user would not see constants or any of the actual code as this is executed on the server. All the end user should see is the output of any functions in your script.
If you are worried that a function may output some important data, use an @ symbol before it to suppress the standard errors:
@mysql_connect("...", "...", "...");
Or better, add error handling into your code to make sure that if an error occurs then you have a specific response for it.
AJAX is not a programming language, scripting language or any other sort of language.
It is achieved by using JavaScript http functions.
So, AJAX = JavaScript.
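An added example, not code from the post above or from the thread, showing the "specific response" alternative to the @ operator. Suppressing the warning hides the failure from the user but also from the developer, and a raw mysql_connect() warning would otherwise print the host, the username and a filesystem path into the page. The example uses mysqli, since the mysql_* functions quoted above were removed in PHP 7.0; the hostname, credentials and table name are placeholders.

```php
<?php
// Added example (not from the thread). Host, credentials and table name are placeholders.

// Production settings: errors go to the server log, never to the browser.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

// Make mysqli throw mysqli_sql_exception instead of emitting warnings, so a failure
// cannot be silently swallowed the way an @-prefixed call allows.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function db_connect(string $host, string $user, string $pass, string $dbname): mysqli
{
    try {
        return new mysqli($host, $user, $pass, $dbname);
    } catch (mysqli_sql_exception $e) {
        // Full detail (host, driver error code, message) goes to the server log only.
        error_log(sprintf('DB connect to %s failed: [%d] %s', $host, $e->getCode(), $e->getMessage()));
        // The user gets a fixed, generic response that contains no internals.
        http_response_code(503);
        header('Retry-After: 60');
        exit('Service temporarily unavailable.');
    }
}

function fetch_user_count(mysqli $db): int
{
    try {
        $row = $db->query('SELECT COUNT(*) AS n FROM users')->fetch_assoc();
        return (int) $row['n'];
    } catch (mysqli_sql_exception $e) {
        // A specific fallback for this call, decided here rather than left to chance.
        error_log('Query failed: ' . $e->getMessage());
        return 0;
    }
}

$db = db_connect('localhost', 'app_user', 'example-password', 'app');
echo 'Registered users: ', fetch_user_count($db), PHP_EOL;
```

The two settings at the top are the part that actually keeps "important data" off the page; the try/catch blocks are where each failure gets the response the post recommends instead of a blank suppression.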
Also, make sure that you never send unencrypted passwords via GET as they will be visible in the URL. There are also hacking tools which allow the retrieval of POST data, so watch out for that too.
There are no stupid questions, only those too stupid to ask for help.
echo is a web developer's best friend.
Even better yet, use JavaScript to encrypt the passwords before sending them over $_POST. This way, if the POST data is hacked, the data is still encrypted. This sort of hack attack can happen when a hacker attaches a device to a fiber-optic cable to scan data running past. Also, as a security question, is there any security difference between the following two codes? A tutorial years ago told me there was, but I find that hard to believe.
mysql_connect('localhost', 'root', 'password111');
// or
$host = 'localhost';
$user = 'root';
$pass = 'password111';
mysql_connect($host, $user, $pass);
Those are the two scripts, but the tutorial (I forget where) says the second script should be more secure, although I don't see how. It was also said in the tutorial that it would be even more secure to place the variables in an include() file. Is that true or just a myth?
Try not to bump 10 year old threads as it can be really annoying.
http://syntax.cwarn23.net/
Smilies: ^_* +_+ v_v -_- *~*` My favourite PC. - MacGyver Fan
Also,
Passwords should always be hashed, no matter what.
If you are sending info that you wouldn't want intercepted, you should be on a secure connection (https) using an SSL certificate. The day RSA keys are able to be decoded is the day the world collapses.
The company I work for forces us to use SSL for user login, members' areas and registrations. You should do the same, if you can afford it.
If you want to store credit card info or SSN numbers, don't. If you must, then you will need a virtual private server and heavy encryption. There are laws for this stuff.
Google is your friend.
Use [code] tags.
If you have found a solution to your problem, please mark the thread as SOLVED.
[EDIT] Duplicate post somehow
Last edited by kkeith29; Sep 11th, 2009 at 5:22 am.
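An added example, not code from kkeith29's post or from the thread, of the server side of the advice above: the handler refuses credentials that did not arrive by POST over HTTPS, stores only a bcrypt hash produced by password_hash(), and checks logins with password_verify(). The users table, its columns and the database credentials are assumed. The hashing happens on the server on purpose: an "encryption" step done in the browser's JavaScript is readable by anyone who loads the page, and whatever value the browser sends becomes the credential an eavesdropper can replay.

```php
<?php
// Added example (not from the thread). Assumes a `users` table with columns
// `username` and `password_hash`; database credentials are placeholders.

function require_https_post(): void
{
    // Refuse plaintext HTTP outright: redirecting a POST to HTTPS would arrive
    // only after the password had already crossed the wire in the clear.
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    if (!$https || $_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        exit('Credentials are accepted only by POST over HTTPS.');
    }
}

function register_user(mysqli $db, string $username, string $password): void
{
    // PASSWORD_DEFAULT is bcrypt; the result embeds algorithm, cost and a random salt,
    // so two users with the same password get different stored values.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $hash);
    $stmt->execute();
}

function check_login(mysqli $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();

    if ($row === null) {
        // Unknown user: still spend one verify so response time does not reveal
        // which usernames exist. The dummy hash is computed once per process.
        static $dummy = null;
        $dummy ??= password_hash('placeholder', PASSWORD_DEFAULT);
        password_verify($password, $dummy);
        return false;
    }
    if (!password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Transparently upgrade hashes made with an older cost or algorithm.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $new = password_hash($password, PASSWORD_DEFAULT);
        $upd = $db->prepare('UPDATE users SET password_hash = ? WHERE username = ?');
        $upd->bind_param('ss', $new, $username);
        $upd->execute();
    }
    return true;
}

// Handler: read from $_POST, never $_GET, so the password cannot land in the URL,
// access logs, browser history or Referer headers.
require_https_post();
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'app_user', 'example-password', 'app');
$ok = check_login($db, $_POST['username'] ?? '', $_POST['password'] ?? '');
http_response_code($ok ? 200 : 401);
echo $ok ? 'Login OK' : 'Invalid username or password';
```

register_user() is the registration counterpart; both paths only ever write the hash, so a dump of the table does not hand an attacker the passwords themselves.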
Very true. All sensitive data should be stored above the web root.
It is very useful to practice this. Not just to remove the possibility of the HTTP server accidentally serving the file as text, but also to disable remote access of the PHP files in an order not intended.
Imagine having an index.php where you want all requests to be made. Then you have page2.php
On this page you have some variables that should have already been defined. If page2.php was accessed directly from the web, instead of through index.php then you have unintended behavior.
www.fijiwebdesign.com - web design and development and fun
Cpanel Email - Let users Register email accounts on your website upon registration
Ajax Chat - Fully browser based chat!
Using JavaScript to encrypt passwords is not something I'd recommend.
I think you meant below the web root?
include('/home/exampcom/phproot/file.php');
Last edited by cwarn23; Sep 11th, 2009 at 11:02 pm. Reason: spelling
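An added example, not code from cwarn23's or fijiwebdesign's posts, that puts the two points above together: the credentials live in a file outside the document root and are pulled in with include, the loader refuses any path the web server could serve, and page2.php refuses to run unless index.php included it. The directory layout, file names and credentials are assumed. As for the two mysql_connect() forms quoted earlier, there is no difference on the server; both keep the same secret in the same file, and what the include-file advice actually buys is that the secret can sit in a file the web server can never serve, which is what this example enforces.

```php
<?php
// ---------- /home/exampcom/public_html/index.php ----------
// Added example (not from the thread). Assumed layout, with placeholder credentials:
//   /home/exampcom/phproot/config.php     outside the document root; returns
//                                          ['db_host' => ..., 'db_user' => ..., 'db_pass' => ..., 'db_name' => ...]
//   /home/exampcom/public_html/index.php  this file, the only intended entry point
//   /home/exampcom/public_html/page2.php  must run only when included from here

// Marker that included pages check; a direct request for page2.php never sees it.
define('APP_ENTRY', true);

function load_config(string $path): array
{
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException('config file not found'); // no path in a message a user might see
    }
    // Refuse credentials stored anywhere under the document root: a server that is
    // misconfigured to serve .php as text, or a stray backup copy, would expose them.
    $docroot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
    if ($docroot !== false && strpos($real, $docroot . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('config file must live outside the document root');
    }
    $config = include $real;
    foreach (['db_host', 'db_user', 'db_pass', 'db_name'] as $key) {
        if (!isset($config[$key])) {
            throw new RuntimeException("config is missing $key");
        }
    }
    return $config;
}

$config = load_config('/home/exampcom/phproot/config.php');
require __DIR__ . '/page2.php';   // page2.php sees $config and APP_ENTRY because it is required from global scope

// ---------- /home/exampcom/public_html/page2.php (opens with its own <?php tag) ----------
/*
if (!defined('APP_ENTRY')) {
    // Requested directly rather than through index.php: $config does not exist here,
    // so stop before anything below runs against undefined variables.
    http_response_code(404);
    exit;
}
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli($config['db_host'], $config['db_user'], $config['db_pass'], $config['db_name']);
*/
```

The config file returns an array rather than setting variables, so including it twice emits nothing and the caller decides what the values are named; the web server's own access rules still need to deny the phproot directory, since the PHP-side check only protects against loading credentials from a servable location.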
Well, I think you misunderstood exactly what I meant. The process I was referring to was that JavaScript encodes the data first, then PHP decodes it, then PHP re-encodes the data.
I always browse in Firefox with NoScript enabled (which means JavaScript is disabled for untrusted or unknown sites).
Let's say I visit your site with JavaScript off. I enter a password which is not encoded before sending, meaning that your PHP script will get an unencoded password and will try to decode it.
Also, if you are encoding with JavaScript, an unfriendly user would be able to see exactly what you are doing and could reverse it anyway.
As a rule of thumb, I use JavaScript to make things 'pretty' after I have completed a project. I would never rely on JavaScript to handle even the smallest part of the security on any of my sites.