
I recently started coding another website, the first one in 5 years. Before, I was very familiar with using PHP/JavaScript to code a website and its layout. Very seldom did I use it for user accounts (if so, I had a friend code it); I only used it to store data for products for layout purposes.

At the moment, I will not be using SSL until I purchase a certificate.

So now I will use PHP to keep names, emails, addresses, phone numbers, etc. all stored in a database. I looked through hundreds of pages of documentation and found nothing that is easy for me to understand, since I barely remember anything but simple coding.

I did find a few step-by-step tutorials on making SQL injections and such, but they date back to 2005. I'm looking for something much more recent.

Ideally, all I'm looking for is a great place to start (without starting with beginner PHP) on making a website secure with PHP when using MySQL. For instance, password encryption and such, along with calling and injecting into the database.

Thanks in advance.

EDIT

Thank you, guys. I've been busy with work and waited for an answer that would suffice. I didn't get quite what I asked for; probably my fault, however. I looked at proper documentation, but it always just throws operators and little functions, just like JavaScript, in my face. I'm past that; I want unique functions that have a purpose, and I'm unaware of where to get those. They seem to be way too complex for me or just far too simple.

I thought about using OpenSSL, but if I recall, I need to install it, and that won't happen on the cheap hosting my client pays for. I told my client I was only familiar with this stuff and it's best to go elsewhere for anything other than design; he didn't care how long it took. So now I have to learn this all over again quickly.

3
  • I suggest you ask over on Webmasters instead. SO is more for programming questions involving actual code. Please read the FAQ and How to Ask for more information. Commented Feb 26, 2012 at 23:46
  • @Jim: I think this would be more appropriate here, since the answers would involve code. Commented Feb 26, 2012 at 23:47
  • @icktoofay I guess I can see it either way, which is why I didn't downvote or close-vote. Commented Feb 26, 2012 at 23:51

2 Answers

2
  1. Secure backend connections:
    If you want to secure the connection from a web server to the database server, you could use OpenSSL to generate an SSL certificate and set up secure connections with the MYSQL_CLIENT_SSL flag in mysql_connect(), like in this article.
  2. Sanitize input:
    To prevent SQL injections, make sure that the input you use in queries is actually the input you would expect, either through input validation based on input types, or by escaping metacharacters, like with mysql_real_escape_string().
  3. Password hashing:
    Something as simple as one-way hashing, for example with SHA-1, can help you store user passwords in a safer manner. Store password hashes, and then compare the stored hash with a hash of the password input during authentication.

1 Comment

About mysql_real_escape_string(). The easiest solution (for me at least) in the long run is to use PDO or similar to create prepared statements instead of relying on escape methods. Any decent library should take care of that part by itself, and you don't have to remember manually escaping and adding quotes if needed.
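As an added example (not part of the answer or the comment above), here is the registration and login path the answer describes, written against PDO with bound parameters for the queries and PHP's password_hash()/password_verify() for the stored password, with the vulnerable string-concatenated query kept alongside for contrast. The in-memory SQLite database, the users table and the two sample accounts are assumptions made so the script runs offline; only the DSN changes for MySQL.

```php
<?php
// Added example, not code from the original answers. Assumes PHP >= 5.5 with the
// PDO and pdo_sqlite extensions. The in-memory SQLite database stands in for
// MySQL so the script runs offline; for MySQL the DSN would be something like
// "mysql:host=localhost;dbname=shop;charset=utf8mb4" plus a username/password.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, pw_hash TEXT)');

// Registration: never store the password itself, only a salted, slow hash.
// password_hash() picks a random salt and a bcrypt work factor for you.
function registerUser(PDO $pdo, $email, $password)
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (email, pw_hash) VALUES (:email, :hash)');
    $stmt->execute([':email' => $email, ':hash' => $hash]);
}

// Login: look the user up with a bound parameter, then let password_verify()
// re-hash the candidate with the stored salt and compare.
function loginUser(PDO $pdo, $email, $password)
{
    $stmt = $pdo->prepare('SELECT pw_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown e-mail address
    }
    return password_verify($password, $row['pw_hash']);
}

// Vulnerable counterpart, kept for contrast only: the e-mail is pasted straight
// into the SQL text, so quote characters in it become part of the query.
function emailsMatchingVulnerable(PDO $pdo, $email)
{
    $sql = "SELECT email FROM users WHERE email = '$email'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample accounts.
registerUser($pdo, 'alice@example.com', 'correct horse battery staple');
registerUser($pdo, 'bob@example.com', 'hunter2');

// Constructed attacker input: closes the string literal and ORs in a tautology.
$evil = "' OR '1'='1";

var_dump(loginUser($pdo, 'alice@example.com', 'correct horse battery staple')); // bool(true)
var_dump(loginUser($pdo, 'alice@example.com', 'wrong password'));               // bool(false)
var_dump(loginUser($pdo, $evil, 'anything'));           // bool(false): the payload is just an unknown e-mail
print_r(emailsMatchingVulnerable($pdo, $evil));          // both addresses: the injected OR matches every row
```

With pdo_mysql, also set PDO::ATTR_EMULATE_PREPARES to false so the placeholders are sent to the MySQL server rather than substituted client-side, and declare the charset in the DSN so the escaping rules the driver applies match the connection's encoding.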
2

Prepared statements will pretty much completely protect you from SQL injection.

However I find they're a pain in the rear end to implement when all you really have to do is put the input through mysql_real_escape_string and make sure it's in quotes in the query so the would-be-hacker can't break out of the string.

2 Comments

Or MySQLi, which also uses prepared statements.
@Kolink I used to think so too, but once I got used to prepared statements I think they are easier to handle. Escaping variables clutters the code and you have to be careful so that you remember every one. Another disadvantage is that it "ruins" the variables if you have to use them later in the function, so you end up with a special escaped duplicate of the variable to keep them separate. $statement->execute($query,array($name,$user,$email)) is a nice and compact way of doing this.
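The answer above rests on always remembering the quotes around the escaped value. As an added example (not part of the answer or its comments), the script below shows the three cases side by side: escaped and quoted (safe), escaped but unquoted because "id is a number" (injectable, since the payload contains nothing to escape), and a bound parameter (safe either way). The in-memory SQLite database and the escapeString() helper are assumptions: the helper stands in for mysql_real_escape_string(), which needs a live MySQL connection, and neutralises the quote character the way SQLite expects.

```php
<?php
// Added example, not code from the original answers. Assumes PHP with the PDO
// and pdo_sqlite extensions; the in-memory SQLite database stands in for MySQL
// so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)');
$pdo->exec("INSERT INTO users (id, email) VALUES (1, 'alice@example.com')");
$pdo->exec("INSERT INTO users (id, email) VALUES (2, 'bob@example.com')");

// Stand-in for mysql_real_escape_string(): it only neutralises the quote
// character (SQLite doubles it, MySQL backslash-escapes it). Either way the
// result is only safe *inside* a quoted string literal.
function escapeString($s)
{
    return str_replace("'", "''", $s);
}

function emailsWhere(PDO $pdo, $sql)
{
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Case 1: escaped AND quoted. The attacker cannot close the string literal,
// so the whole payload is compared as an (unknown) e-mail address.
$input = "' OR '1'='1"; // constructed attacker input
$sql   = "SELECT email FROM users WHERE email = '" . escapeString($input) . "'";
var_dump(count(emailsWhere($pdo, $sql))); // int(0)

// Case 2: escaped but NOT quoted, because "id is a number". The payload holds
// no quote to escape, so escapeString() returns it unchanged and the OR is
// parsed as SQL: every user is returned.
$input = "1 OR 1=1"; // constructed attacker input
$sql   = "SELECT email FROM users WHERE id = " . escapeString($input);
var_dump(count(emailsWhere($pdo, $sql))); // int(2)

// Case 3: bound parameter. The value travels as data and is never parsed as
// SQL, so the same payload simply matches no id, while a real id still works.
$stmt = $pdo->prepare('SELECT email FROM users WHERE id = ?');
$stmt->execute(['1 OR 1=1']);
var_dump(count($stmt->fetchAll(PDO::FETCH_COLUMN))); // int(0)
$stmt->execute(['2']);
print_r($stmt->fetchAll(PDO::FETCH_COLUMN));         // bob@example.com only
```

Case 2 is the failure mode escaping cannot fix: the escaping function sees nothing to escape, and quoting the value would turn the column comparison into a string comparison instead. Casting to (int) before interpolation works for that one column type, but the prepared statement in case 3 needs no per-column decision, which is why the comment above finds it easier to get right.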
