Re: Securing user table with sha function

Haydar Tuna wrote:
> 1) If you protect your site from SQL Injection, you must replace all quotes 
> and blank characters in your form data. (with string functions)

A better approach is data inspection.  For example, if you know a field
should only ever contain letters, you can use ctype_alpha() to confirm
that.  Since alpha characters would never create a script injection, you
don't even need to do anything further with it.

If you need to allow dangerous characters, use an appropriate escaping
algorithm.  I work with MySQL all the time, so I use the
real_escape_string() method of the mysqli object when necessary.

The conceptual key to writing secure applications is understanding that
ALL input is tainted (i.e. potentially dangerous).  This includes the
results of database queries.  Your PHP application has no way to know
the data coming out of the database is positively safe.  Using
inspection and escaping as appropriate, you transform tainted data into
safe data.  I will often do so this way:

$mysql = array();
if (isset($_POST['firstName']) && ctype_alpha($_POST['firstName']))
	$mysql['firstName'] = $_POST['firstName'];
if (isset($_POST['comments']))
	// $database holds a mysqli object
	$mysql['comments'] = $database->real_escape_string($_POST['comments']);

From this point onward in my application, all operations work with the
values in the $mysql array, because I have either confirmed it as safe
or escaped it appropriately.


> 3) if comparing the passwords succeeds, then you must use session variables for 
> the username

You don't have to, but it's generally convenient to do so.  You should
be aware of session hijacking and place safeguards in the session data,
such as checking IP and/or user agent.


> 4) if a user forgets his or her password, you can send an email to the user when 
> the user answers a password-protected question.

Kinda impossible if the password is hashed, isn't it?  What a strange
thought, though.  I guess all those sites with password reminder
functions have the password stored in plain text somewhere.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
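The inspect-or-escape pattern from the reply above, written out as an added example that is not part of the original message. It assumes a live mysqli connection (the credentials are placeholders) and a `comments` table, and it adds a prepared-statement variant that the post itself does not discuss.

```php
<?php
// Added example (not from the original post): the post's inspect-or-escape
// pattern as a function, plus a prepared-statement variant the post does not
// mention. Assumes a live mysqli connection; credentials are placeholders.
declare(strict_types=1);

function sanitizeForMysql(array $post, mysqli $database): array
{
    $mysql = [];

    // Inspection: letters only. Letters cannot terminate a quoted SQL literal,
    // so the value needs no further treatment. is_string() rejects array
    // input (firstName[]=...), which ctype_alpha() would otherwise receive.
    if (isset($post['firstName']) && is_string($post['firstName'])
            && ctype_alpha($post['firstName'])) {
        $mysql['firstName'] = $post['firstName'];
    }

    // Escaping: comments may legitimately contain quotes and backslashes.
    // real_escape_string() escapes for the connection's charset, which is
    // why it is a method on the open connection rather than a static helper.
    if (isset($post['comments']) && is_string($post['comments'])) {
        $mysql['comments'] = $database->real_escape_string($post['comments']);
    }

    return $mysql;
}

$database = new mysqli('localhost', 'dbuser', 'dbpass', 'example'); // placeholders
$database->set_charset('utf8mb4'); // escaping is only correct for the declared charset

// Constructed form submission standing in for $_POST.
$post = ['firstName' => 'Haydar', 'comments' => "O'Brien said \"hi\""];
$safe = sanitizeForMysql($post, $database);

if (isset($safe['firstName'], $safe['comments'])) {
    // The post's approach: escaped values are safe only inside single-quoted
    // literals; the escaping assumes exactly that context.
    $database->query("INSERT INTO comments (first_name, body)
        VALUES ('{$safe['firstName']}', '{$safe['comments']}')");

    // Alternative: a prepared statement keeps data and SQL apart, so the raw
    // (inspected, unescaped) values are bound; escaping them too would store
    // stray backslashes.
    $stmt = $database->prepare('INSERT INTO comments (first_name, body) VALUES (?, ?)');
    $stmt->bind_param('ss', $safe['firstName'], $post['comments']);
    $stmt->execute();
}
```

Whichever path is used, the value must go through exactly one of the two (escaping for a quoted literal, or binding as a parameter), never both.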

