#1 By: webmaster Subject: How to keep your website Secure Time: 27.Aug.06 05:01:30
A rather obvious security breach is if the attacker gets hold of the user-ID/password combination that you use to log in to the webserver and edit the web application. Therefore, keep your password non-trivial and safe. The latter is difficult if you use unencrypted data-transfer protocols such as FTP. A malicious person could potentially capture your password by eavesdropping on the network. SFTP, FTP over SSL, or WebDAV over SSL are more secure alternatives.
While on the topic of passwords... Make sure to hide your database password. It is quite easy to accidentally expose vital database connection information by putting it in a PHP script. If, for some reason (e.g. wrong file extension), the webserver does not execute your PHP script, it may arrive in cleartext at the user, exposing passwords and other "useful" information.
Less obvious are vulnerabilities due to the way the web as a whole and PHP in particular functions. It is quite easy to accidentally write insecure PHP code (the same is true in varying degrees for other technologies such as Java, ColdFusion or ASP).
One feature that makes PHP well-suited for beginners is the automatic registration of POST/GET/Cookie/Environment variables. If your webserver's PHP installation enables the option register_globals then PHP automatically creates variables with names matching those of your HTML form elements. For example, you could use $phone without having to first get its value assigned from $_POST['phone']. While this is handy it also creates some security risks (as you can read about in the documentation to register_globals). Therefore, whether or not your webserver enables this directive, you should always explicitly initialize variables at the beginning of your PHP script, e.g. $authorized = false;. Also, in order to ensure that your PHP code runs on any other webserver (you may switch servers at some point), you should stick with explicitly assigning form variables, e.g. $phone = $_POST['phone'].
An even bigger danger to the integrity of your data are unchecked user inputs. Do not trust any user input - check all inputs. This includes form inputs (post/get method), parameters that are passed via a hyperlink (get method), browser cookies, and even automatically-assigned (and fakeable) environment variables such as browser-ID or referer information. If you want a user to enter a ZIP code then validate the input you receive from the form before you store it in your database (you could check easily whether the input is a number between 10000 and 99999). Input validation not only protects you from risks such as cross-site scripting (a risk to your users) or SQL injection (a risk for your data) but also helps users catch mistakes.
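The following PHP script is an added example, not code from the original post, that puts the advice above together: explicit variable initialization instead of register_globals, the ZIP-code range check, database credentials kept in a config file outside the web root, a prepared statement, and output escaping. The config file path, the `contacts` table and its columns are assumptions made for illustration.

```php
<?php
// Added example (not from the original post). Table name, column names
// and the credentials file path are assumptions for illustration.
declare(strict_types=1);

// Never rely on register_globals: initialize every variable explicitly.
$authorized = false;
$errors     = [];

// Validate a ZIP code as the post suggests: a number between 10000 and 99999.
function validateZip(?string $raw): ?int
{
    $s = trim((string) $raw);
    if (!preg_match('/^\d{5}$/', $s)) {
        return null;                     // not exactly five digits
    }
    $zip = (int) $s;
    return ($zip >= 10000 && $zip <= 99999) ? $zip : null;
}

// Phone: accept only a conservative allow-list of characters and length.
function validatePhone(?string $raw): ?string
{
    $phone = trim((string) $raw);
    return preg_match('/^\+?[0-9 ()-]{7,20}$/', $phone) ? $phone : null;
}

// Read request data explicitly from $_POST, never from "magic" globals.
$zip   = validateZip($_POST['zip'] ?? null);
$phone = validatePhone($_POST['phone'] ?? null);
if ($zip === null)   { $errors[] = 'ZIP code must be five digits between 10000 and 99999.'; }
if ($phone === null) { $errors[] = 'Phone number contains invalid characters.'; }

if ($errors === []) {
    // Credentials live in a file outside the web root (assumed path), so a
    // mis-served script cannot hand them to a visitor in cleartext.
    $cfg = require '/etc/myapp/db.php';   // returns ['dsn' => ..., 'user' => ..., 'pass' => ...]
    $pdo = new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'],
                   [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

    // Prepared statement: user input never becomes part of the SQL text.
    $stmt = $pdo->prepare('INSERT INTO contacts (zip, phone) VALUES (:zip, :phone)');
    $stmt->execute([':zip' => $zip, ':phone' => $phone]);
    echo 'Saved.';
} else {
    foreach ($errors as $e) {
        // Escape anything echoed back to the browser to prevent cross-site scripting.
        echo '<p>' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . '</p>';
    }
}
```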