Thanks for your replies,
but could any of you give some code for validating a form field, for example, getting the first name field text and inserting it into the database
at this line:
$firstName = $_POST['fname'];
which PHP functions should I use here on $_POST['fname'] to remove tags from it and prevent other security-related attacks?
And if I use pg_query( , ), is it safe if I don't use PDO? How is it safe?
And if anyone needs to learn PHP, which website is good for providing non-copyrighted code? PHP manual code is copyrighted, so what's the benefit of reading the manual without using the code it provides?
On Thu, Jun 25, 2020 at 9:51 AM Ashley Sheridan <ash@xxxxxxxxxxxxxxxxxxxx> wrote:
On June 24, 2020 11:36:15 PM UTC, Kevin Waterson <kevin.waterson@xxxxxxxxx> wrote:
>The best way to learn is to start coding, and ask lots of questions.
>There are plenty of sites on the web which provide shitty code.
>DO NOT COPY AND PASTE.
>While the urge to simply copy somebody's code, and paste it into your
>application is inviting, this practice only leads to heartache and
>tears.
>You are certainly on the right track when asking about security. While
>you can write insecure code in any language, PHP perhaps lowers the bar
>in this regard.
>As your question relates to databases, let's start there.
>PHP provides PDO for database operations, and allows variable binding
>and prepared statements.
>Prepared statements are great for stopping SQL injection, but this is a
>last stop.
>The real question is, why would you send data to a database query
>without being sure of the type and length of the data you are sending?
>Validation:
>Everything coming from userland (eg: a website) should be regarded as
>insecure.
>Sure, you can put some HTML5, or JavaScript, validations on an email
>address, but changing the form type from "email" to "text" is a trivial
>task.
>To be absolutely sure of the content of input, you must create your own
>validations.
>How long can this address be? eg: If the email is being stored in a
>VARCHAR field, then 255 would be the max length.
>It must also contain a "@" character.
>It must end in ".something"
>These validations must be performed BEFORE you send the email address
>to the database.
>
>I, and many others here, are happy to answer your questions, and it
>sounds like you are beginning at the right place.
>
>Kev
>
>On Thu, Jun 25, 2020 at 6:56 AM Ashkar Dev <ashkardev@xxxxxxxxx> wrote:
>
>> Hi all,
>> could anyone give some detail about how to make a PHP web application
>> secure?
>> for example validation of form while using a PostgreSQL database,
>>
>> by the way, could you explain how users can freely learn PHP while
>> the codes from the PHP website are copyrighted, are developers able
>> to use codes from the PHP website or manual?
>>
To add to the security question, have a look at the OWASP Top 10 (https://owasp.org/www-project-top-ten/) and things like the PHP security advent calendar (https://blog.ripstech.com/2018/php-security-advent-calendar/)
Thanks,
Ash
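The first-name case asked about above, worked through the way Kevin describes (check type and length before the database, then use a parameterised query) and answering the pg_query question with pg_query_params. This is an added example, not code from anyone in the thread; the "people" table, its "first_name VARCHAR(100)" column and the connection details are assumptions.

```php
<?php
// Added example, not from any poster in this thread.
// Assumed: a table "people" with a column "first_name VARCHAR(100)"
// and the connection credentials below.
declare(strict_types=1);

const FIRST_NAME_MAX = 100; // must match the VARCHAR(100) column length

/**
 * Returns the cleaned first name, or null if the input is unacceptable.
 * Rejecting is safer than stripping tags: a tag-stripped or truncated
 * value is no longer what the user typed, so do not store it silently.
 */
function validateFirstName(mixed $raw): ?string
{
    if (!is_string($raw)) {          // arrays and nulls also arrive via $_POST
        return null;
    }
    $name = trim($raw);
    $len  = mb_strlen($name, 'UTF-8');
    if ($len < 1 || $len > FIRST_NAME_MAX) {
        return null;
    }
    // Allow letters in any script plus space, apostrophe and hyphen; this
    // rejects input like "<b>" outright instead of trying to clean it.
    if (!preg_match('/^[\p{L}\p{M}\' -]+$/u', $name)) {
        return null;
    }
    return $name;
}

$firstName = validateFirstName($_POST['fname'] ?? null);
if ($firstName === null) {
    http_response_code(400);
    exit('Invalid first name');
}

// Option 1: PDO with a prepared statement and a bound parameter.
$pdo = new PDO('pgsql:host=localhost;dbname=app', 'app_user', 'secret',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$stmt = $pdo->prepare('INSERT INTO people (first_name) VALUES (:fname)');
$stmt->execute([':fname' => $firstName]);

// Option 2: the pgsql extension without PDO. pg_query() takes no parameters,
// so use pg_query_params(), which sends the value separately from the SQL.
$conn = pg_connect('host=localhost dbname=app user=app_user password=secret');
pg_query_params($conn, 'INSERT INTO people (first_name) VALUES ($1)', [$firstName]);

// Tags are a problem at output time, so escape when rendering HTML:
echo 'Saved: ' . htmlspecialchars($firstName, ENT_QUOTES, 'UTF-8');
```

Either option keeps the value out of the SQL text entirely; the validation step is what guarantees the type and length the column expects.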