Sign in to follow this  

[web] Secure Small Business Site possible using PHP?

This topic is 4731 days old which is more than the 365 day threshold we allow for new replies. Please post a new topic.

If you intended to correct an error in the post then please contact us.

Recommended Posts

Hey guys! My first topic in this forum [smile]. Anyways, I was wondering if the basics of PHP is secure enough to use for a small business webpage that will offer to sell products. As of now, I have seen quite a few ways to make a admin login and password system with PHP - I am making my own, but as the way PHP is, you cannot view the source. So, basically I would like to know on its own, is the $password == "somepass" method reliable and secure enough for a small business site - one that probabally not generate much attention nor traffic? Of course the password is not going to be hardcoded into the file. Any feedback, tips, questions appreciated from your experiences. Thanks! - Drew

Share this post


Link to post
Share on other sites
Yes, php is safe enough to use on business sites and is used in many.
$password = 'foobar'; is safe, but I assume you will be doing it out of the database.
If so, you will need to find authentic hacker sites and security sites talking about how to protect yourself from sql injections. The best article I found was by the hacker who had found the hole that the phpbb group just patched.
Well thanks to the phpbb group herassing the girl her site is now down for good. :(
Great tutorials on the subject are at www.hackthissite.org.







Did I help you? Rating++

Share this post


Link to post
Share on other sites
Thank you for your response! Well I don't want you to think me crazy but heres the thing - I do not want to use any databases for this site. Everything will be done with text files - no SDL, Access, ODBC, etc... .With that said, would you still say that it is safe enough? I have reasoning behind it all and a rather nice idea of how I'm going to get everything to work - but I would like some general feedback to start with. Today I bought a book, "Hack Proffing your E-Commerce Site", so I will definitly read that as well. Thanks for your time!

- Drew

Share this post


Link to post
Share on other sites
As long as the text file is secure with read, write, and execute all properly set, than you are basically using a homebrew database.

Your question is very difficult to answer: php will be as secure as you use it to be. I mean, it wont really matter if you can or cannot see PHP files if you forget to set your permissions correctly, and people are HTTP GETting your php files, will it?

I would personally never use the phrase "reliable and secure enough for a small business site" -- you should be using the software and techniques developed for the large sites. Smaller sites are the targets of more hacker attacks (who in their right mind would go after Microsoft? But someone else ... smaller, using unsecure microsoft products? Why not?) Do not make the mistake of assuming your are "secure enough" because you are a small site. Being a small site, you are a huge target. Hackers thrive off of small businesses, because they do not have the resources that a big business would have to hunt them down.

Just some words of caution.

Share this post


Link to post
Share on other sites
Thank you! I totally agree with what you are saying - that's kind of what I meant by secure enoough - from all those scrip kiddies [wink]! Anyways, yes I will have to make sure about those permissions - that'd be like running a marathon and tripping on your feet before you cross the finish line.

The reason I am basically modeling this site not towards larger models is simply beacuse it is my first and is more of an experiment to see how it all goes. A friend wanted me to make him a dynamic site that he can easily use to manage/sell a few things as a side to using ebay. Because it is not gaurnteed it will be used - I am modeling something plain, simple, cost efficent, yet powerful. There are tons of little catches I had to work in, but I think it will go well! Thank you for your time and responses!

- Drew

[Edited by - Drew_Benton on May 25, 2005 9:58:53 PM]

Share this post


Link to post
Share on other sites
PHP is as secure as you make it.

If you follow all the guidelines (i.e. turn off anything dangerous, validate input, correctly escape output), it is perfectly secure.

Even the recent unserialize() bug didn't affect most properly written applications.

Turn off register_globals, magic_quotes, allow_fopen_url (unless you need it) etc. Validate everything on the way in, escape it on the way out, and ensure your permissions checks are done at the right time. Proper code reuse makes these things easy!

Mark

Share this post


Link to post
Share on other sites
Guest Anonymous Poster
SSL wouldn't help in any way either. SSL is useful for making sure that nobody else can peek at the data the users send to the site (while it's travelling somewhere on the internet), but it does nothing to protect the site from malicious users.

Share this post


Link to post
Share on other sites
Quote:
Original post by Anonymous Poster
SSL wouldn't help in any way either. SSL is useful for making sure that nobody else can peek at the data the users send to the site (while it's travelling somewhere on the internet), but it does nothing to protect the site from malicious users.


True, but when used in conjunction with the other methods already suggested it'll add extra security to the transport of the data. As you say though, using SSL would do nothing to stop people brute forcing passwords or other means of exploiting the server or code.

Share this post


Link to post
Share on other sites
Quote:
Original post by markr
PHP is as secure as you make it.

If you follow all the guidelines (i.e. turn off anything dangerous, validate input, correctly escape output), it is perfectly secure.

Even the recent unserialize() bug didn't affect most properly written applications.

Turn off register_globals, magic_quotes, allow_fopen_url (unless you need it) etc. Validate everything on the way in, escape it on the way out, and ensure your permissions checks are done at the right time. Proper code reuse makes these things easy!

Mark


Thanks for that! Do you know off th top of your head before I start googling any sites that tell all the other main things you should disable?

Quote:
Original post by evolutional
Quote:
Original post by Anonymous Poster
SSL wouldn't help in any way either. SSL is useful for making sure that nobody else can peek at the data the users send to the site (while it's travelling somewhere on the internet), but it does nothing to protect the site from malicious users.


True, but when used in conjunction with the other methods already suggested it'll add extra security to the transport of the data. As you say though, using SSL would do nothing to stop people brute forcing passwords or other means of exploiting the server or code.


If possible, I will need the use the SSL - but only two people will actually know of the specific login page - myself as well as the client who this is for, and I am not going to make it some "login.php" name either, so I am not too worried about someone trying to brute force their way in. I'm not saying that I want others to get acces, but I can add additional features.

Thanks for all your replies! They aer much appreciated!

- Drew

Share this post


Link to post
Share on other sites
My client had a static IP address (most DSL and cable connections do) so I used a .htaccess file with:

Deny from all
Allow from 1.2.3.4
Allow from 5.6.7.8

where 1.2.3.4 is the IP address of the client and 5.6.7.8 is mine.

I also made an PHP include file which went like this:

$valid_ips = array("1.2.3.4", "5.6.7.8");
if (!in_array($_SERVER['REMOTE_ADDR'], $valid_ips))
exit();

just in case the htaccess didn't work. Combining this with a simple password system makes it pretty secure.

Share this post


Link to post
Share on other sites
Quote:
Original post by kanzler
My client had a static IP address (most DSL and cable connections do) so I used a .htaccess file with:

Deny from all
Allow from 1.2.3.4
Allow from 5.6.7.8

where 1.2.3.4 is the IP address of the client and 5.6.7.8 is mine.

I also made an PHP include file which went like this:

$valid_ips = array("1.2.3.4", "5.6.7.8");
if (!in_array($_SERVER['REMOTE_ADDR'], $valid_ips))
exit();

just in case the htaccess didn't work. Combining this with a simple password system makes it pretty secure.


That's a great idea - but if the client's ip changes then it will not help much - so based on that is it possible to use another identifying mark of the computer - ie my host name is: adsl-X-X-X-X.dsl.hstntx.swbell.net - is there any way to obtain this programmatically? Then I could check the ip first and it it does not match, I could check the adsl-_-_-_-_.dsl.hstntx.swbell.net and see if it matches something in an array. Thanks for the ideas!

[Edited by - Drew_Benton on May 25, 2005 9:24:09 PM]

Share this post


Link to post
Share on other sites
Quote:
Original post by Drew_Benton
is it possible to use another identifying mark of the computer - ie my host name is: adsl-X-X-X-X.dsl.hstntx.swbell.net - is there any way to obtain this programmatically?

Use the PHP function gethostbyaddr($_SERVER['REMOTE_ADDR']) to obtain the host name. You can also add 'Allow from adsl-X-X-X-X.dsl.hstntx.swbell.net' to your .htaccess file.

Share this post


Link to post
Share on other sites

This topic is 4731 days old which is more than the 365 day threshold we allow for new replies. Please post a new topic.

If you intended to correct an error in the post then please contact us.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

Sign in to follow this