Re: PHP Security

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On June 24, 2020 11:36:15 PM UTC, Kevin Waterson <kevin.waterson@xxxxxxxxx> wrote:
>The best way to learn, is to start coding, and ask lots of questions.
>There are plenty of sites on the web which provide shitty code.
>DO NO COPY AND PASTE.
>While the urge to simply copy somebody's code, and paste it into your
>application is inviting, this practice only leads to heartache and
>tears.
>You are certainly on the right tract when asking about security. While
>you
>can write insecure code in any language, PHP perhaps lowers the bar in
>this
>regard.
>As you question relates to database, let's start there.
>PHP provides PDO for database operations, and allows variable binding
>and
>prepared statements.
>Prepared statements are great for stopping SQL injection, but this is a
>last stop.
>The real question is, Why would you send data to a database query
>without
>being sure of the type and length of the data you are sending.
>Validation:
>Everything coming from userland (eg: a website) should be regarded as
>insecure.
>Sure, you can put some HTML5, or javascript, validations on an email
>address, but changing the form type from "email" to "text" is a trivial
>task.
>To be absolutely sure of the content of input, you must create you own
>validations.
>How long can this address be? eg: If the email is being stored in a
>VARCHAR
>field, then 255 would be the max length.
>It must also contain a "@" character.
>It must end in ".something"
>These validations must be performed BEFORE you send the email address
>to
>the database.
>
>I, and many others here, are happy to answer your questions, and it
>sounds
>like you are beginning at the right place.
>
>Kev
>
>On Thu, Jun 25, 2020 at 6:56 AM Ashkar Dev <ashkardev@xxxxxxxxx> wrote:
>
>> Hi all,
>> could anyone give some detail about how to make a PHP web application
>> secure?
>> for example validation of form while using a PostgreSQL database,
>>
>> by the way, could you explain how users can freely learn PHP while
>the
>> codes from the PHP website are copyrighted, are developers be able to
>use
>> codes from the PHP website or manual?
>>

To add to the security question, have a look at the OWasp top 10 (https://owasp.org/www-project-top-ten/ ) and things like the PHP security advent calendar (https://blog.ripstech.com/2018/php-security-advent-calendar/ )
Thanks,
Ash




[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux