On 8 August 2011 15:08, Jen Rasmussen <jen@xxxxxxxxxxxxxxxx> wrote: > Hello all, > > > > I am currently researching security best practices/methods. Can anyone offer > any current resources/recommendations? > > My research thus far has included password hashing with salting/stretching, > session hash defaults, session management & authentication, and prepared > statements via PDO in addition to basic PHP.ini and .htaccess server > settings and properly escaping and validating input/output. Best practise can change as new threats and forms of attack become prominent. So. At the top of this list, I'd add "This is list is subject to change". Anything you to today may well be circumvented tomorrow. But the principle of Poka-Yoke does suggest that by only allowing valid and appropriate data in to your code, you are drastically reducing the attack vectors. I work in a multi-database and multi-DB Server environment. Nearly/almost always, I use stored procedures rather than building complex queries in PHP. I only allow me and users in the development team direct access to the tables. So, for the application to alter the DB, a stored procedure is written (my apps are accounting related so maybe some flexibility has been sacrificed - but the security is very strong). I use Views either to simple result sets or to XML results depending upon the requirement - again - no access to the underlying tables. The user credentials used for connecting to the DB is different to other user details and it is forced to a specific machine. All this sort of thing is setup once and done. It makes it very difficult for anyone to be able to fake the credentials, gain access to the DB tables or inject data outside of the constraints provided by the stored procedures. -- Richard Quadling Twitter : EE : Zend : PHPDoc @RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY : bit.ly/lFnVea -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
