On June 24, 2020 11:36:15 PM UTC, Kevin Waterson <kevin.waterson@xxxxxxxxx> wrote:
>The best way to learn, is to start coding, and ask lots of questions.
>There are plenty of sites on the web which provide shitty code.
>DO NOT COPY AND PASTE.
>While the urge to simply copy somebody's code, and paste it into your
>application is inviting, this practice only leads to heartache and tears.
>You are certainly on the right track when asking about security. While
>you can write insecure code in any language, PHP perhaps lowers the bar
>in this regard.
>As your question relates to databases, let's start there.
>PHP provides PDO for database operations, and allows variable binding
>and prepared statements.
>Prepared statements are great for stopping SQL injection, but this is a
>last stop.
>The real question is, why would you send data to a database query
>without being sure of the type and length of the data you are sending?
>
>Validation:
>Everything coming from userland (eg: a website) should be regarded as
>insecure.
>Sure, you can put some HTML5, or javascript, validations on an email
>address, but changing the form type from "email" to "text" is a trivial
>task.
>To be absolutely sure of the content of input, you must create your own
>validations.
>How long can this address be? eg: If the email is being stored in a
>VARCHAR field, then 255 would be the max length.
>It must also contain a "@" character.
>It must end in ".something"
>These validations must be performed BEFORE you send the email address
>to the database.
>
>I, and many others here, are happy to answer your questions, and it
>sounds like you are beginning at the right place.
>
>Kev
>
>On Thu, Jun 25, 2020 at 6:56 AM Ashkar Dev <ashkardev@xxxxxxxxx> wrote:
>
>> Hi all,
>> could anyone give some detail about how to make a PHP web application
>> secure?
>> for example validation of form while using a PostgreSQL database,
>>
>> by the way, could you explain how users can freely learn PHP while
>> the code from the PHP website is copyrighted? Are developers able to
>> use code from the PHP website or manual?

To add to the security question, have a look at the OWASP Top 10
(https://owasp.org/www-project-top-ten/ ) and things like the PHP
security advent calendar
(https://blog.ripstech.com/2018/php-security-advent-calendar/ )

Thanks,
Ash
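The validate-then-bind pattern Kevin describes (length, "@", ".something" checks first, then a PDO prepared statement), written out as an added example. This is not code from the thread or from the PHP manual. It assumes a `users` table with an `email VARCHAR(255)` column, and it uses an in-memory SQLite database as a stand-in for PostgreSQL so it runs offline; the PostgreSQL DSN is shown in a comment. The function names `validateEmail` and `storeEmail` and the sample inputs are mine.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original thread. Assumes a table
// users(id, email VARCHAR(255)); created below in SQLite for an offline run.

/**
 * Server-side validation of an e-mail address before it reaches the
 * database. The checks mirror the ones listed in the thread: maximum
 * length of the VARCHAR column, exactly one "@" with a non-empty local
 * part and domain, and a domain that ends in ".something".
 * Returns the trimmed address, or null if any check fails.
 */
function validateEmail(string $raw, int $maxLen = 255): ?string
{
    $email = trim($raw);

    // Byte length is >= character length, so this is safe whether the
    // column limit is counted in bytes or characters.
    if ($email === '' || strlen($email) > $maxLen) {
        return null;
    }
    // Reject control characters and whitespace: they never belong in an
    // address and would matter later if the value is passed to mail().
    if (preg_match('/[\x00-\x20\x7f]/', $email)) {
        return null;
    }
    $parts = explode('@', $email);
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
        return null;
    }
    // Domain must end in ".something": a dot followed by 2+ letters.
    if (!preg_match('/\.[A-Za-z]{2,}$/', $parts[1])) {
        return null;
    }
    return $email;
}

/**
 * Insert only after validation; the value is bound as a parameter, never
 * interpolated into the SQL string.
 */
function storeEmail(PDO $db, string $raw): bool
{
    $email = validateEmail($raw);
    if ($email === null) {
        return false;   // rejected before any query is built
    }
    $stmt = $db->prepare('INSERT INTO users (email) VALUES (:email)');
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    return $stmt->execute();
}

// For the PostgreSQL setup asked about in the thread (host, database and
// credentials are placeholders):
//   $db = new PDO('pgsql:host=localhost;dbname=app', 'app', 'secret',
//                 [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// An in-memory SQLite database is used here so the example runs offline.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email VARCHAR(255) NOT NULL)');

// Constructed sample input: values a form could submit once the HTML5
// "email" type has been changed to "text" by the client.
$samples = [
    "alice@example.com",                          // valid
    "o'brien@example.com",                        // valid; quote is harmless when bound
    "bob@example.com'; DROP TABLE users; --",     // fails ".something" and whitespace checks
    "nodomain@",                                  // empty domain
    "carol@localhost",                            // no ".something"
    str_repeat('a', 250) . "@example.com",        // longer than VARCHAR(255)
];
foreach ($samples as $s) {
    printf("%-45s %s\n", substr($s, 0, 45), storeEmail($db, $s) ? 'stored' : 'rejected');
}
printf("rows in users: %d\n", (int) $db->query('SELECT COUNT(*) FROM users')->fetchColumn());
```

Run it with `php example.php`. The `o'brien@example.com` case is the point of doing both layers: the validation does not try to strip or escape quotes (a legitimate address can contain one), and the prepared statement stores it literally because the value is bound rather than concatenated into the query. The checks here are deliberately the simple ones from the thread, not a full RFC 5322 parser; for a stricter syntactic check PHP's built-in `filter_var($email, FILTER_VALIDATE_EMAIL)` can be added on top, but the length check against the column definition is still yours to make.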