[web] Secure Small Business Site possible using PHP?
Author
Hey guys! My first topic in this forum [smile]. Anyways, I was wondering if the basics of PHP is secure enough to use for a small business webpage that will offer to sell products. As of now, I have seen quite a few ways to make a admin login and password system with PHP - I am making my own, but as the way PHP is, you cannot view the source.
So, basically I would like to know on its own, is the $password == "somepass" method reliable and secure enough for a small business site - one that probabally not generate much attention nor traffic? Of course the password is not going to be hardcoded into the file. Any feedback, tips, questions appreciated from your experiences. Thanks!
- Drew
Yes, php is safe enough to use on business sites and is used in many.
$password = 'foobar'; is safe, but I assume you will be doing it out of the database.
If so, you will need to find authentic hacker sites and security sites talking about how to protect yourself from sql injections. The best article I found was by the hacker who had found the hole that the phpbb group just patched.
Well thanks to the phpbb group herassing the girl her site is now down for good. :(
Great tutorials on the subject are at www.hackthissite.org.
Did I help you? Rating++
$password = 'foobar'; is safe, but I assume you will be doing it out of the database.
If so, you will need to find authentic hacker sites and security sites talking about how to protect yourself from sql injections. The best article I found was by the hacker who had found the hole that the phpbb group just patched.
Well thanks to the phpbb group herassing the girl her site is now down for good. :(
Great tutorials on the subject are at www.hackthissite.org.
Did I help you? Rating++
Author
Thank you for your response! Well I don't want you to think me crazy but heres the thing - I do not want to use any databases for this site. Everything will be done with text files - no SDL, Access, ODBC, etc... .With that said, would you still say that it is safe enough? I have reasoning behind it all and a rather nice idea of how I'm going to get everything to work - but I would like some general feedback to start with. Today I bought a book, "Hack Proffing your E-Commerce Site", so I will definitly read that as well. Thanks for your time!
- Drew
- Drew
As long as the text file is secure with read, write, and execute all properly set, than you are basically using a homebrew database.
Your question is very difficult to answer: php will be as secure as you use it to be. I mean, it wont really matter if you can or cannot see PHP files if you forget to set your permissions correctly, and people are HTTP GETting your php files, will it?
I would personally never use the phrase "reliable and secure enough for a small business site" -- you should be using the software and techniques developed for the large sites. Smaller sites are the targets of more hacker attacks (who in their right mind would go after Microsoft? But someone else ... smaller, using unsecure microsoft products? Why not?) Do not make the mistake of assuming your are "secure enough" because you are a small site. Being a small site, you are a huge target. Hackers thrive off of small businesses, because they do not have the resources that a big business would have to hunt them down.
Just some words of caution.
Your question is very difficult to answer: php will be as secure as you use it to be. I mean, it wont really matter if you can or cannot see PHP files if you forget to set your permissions correctly, and people are HTTP GETting your php files, will it?
I would personally never use the phrase "reliable and secure enough for a small business site" -- you should be using the software and techniques developed for the large sites. Smaller sites are the targets of more hacker attacks (who in their right mind would go after Microsoft? But someone else ... smaller, using unsecure microsoft products? Why not?) Do not make the mistake of assuming your are "secure enough" because you are a small site. Being a small site, you are a huge target. Hackers thrive off of small businesses, because they do not have the resources that a big business would have to hunt them down.
Just some words of caution.
Author
Thank you! I totally agree with what you are saying - that's kind of what I meant by secure enoough - from all those scrip kiddies [wink]! Anyways, yes I will have to make sure about those permissions - that'd be like running a marathon and tripping on your feet before you cross the finish line.
The reason I am basically modeling this site not towards larger models is simply beacuse it is my first and is more of an experiment to see how it all goes. A friend wanted me to make him a dynamic site that he can easily use to manage/sell a few things as a side to using ebay. Because it is not gaurnteed it will be used - I am modeling something plain, simple, cost efficent, yet powerful. There are tons of little catches I had to work in, but I think it will go well! Thank you for your time and responses!
- Drew
[Edited by - Drew_Benton on May 25, 2005 9:58:53 PM]
The reason I am basically modeling this site not towards larger models is simply beacuse it is my first and is more of an experiment to see how it all goes. A friend wanted me to make him a dynamic site that he can easily use to manage/sell a few things as a side to using ebay. Because it is not gaurnteed it will be used - I am modeling something plain, simple, cost efficent, yet powerful. There are tons of little catches I had to work in, but I think it will go well! Thank you for your time and responses!
- Drew
[Edited by - Drew_Benton on May 25, 2005 9:58:53 PM]
PHP is as secure as you make it.
If you follow all the guidelines (i.e. turn off anything dangerous, validate input, correctly escape output), it is perfectly secure.
Even the recent unserialize() bug didn't affect most properly written applications.
Turn off register_globals, magic_quotes, allow_fopen_url (unless you need it) etc. Validate everything on the way in, escape it on the way out, and ensure your permissions checks are done at the right time. Proper code reuse makes these things easy!
Mark
If you follow all the guidelines (i.e. turn off anything dangerous, validate input, correctly escape output), it is perfectly secure.
Even the recent unserialize() bug didn't affect most properly written applications.
Turn off register_globals, magic_quotes, allow_fopen_url (unless you need it) etc. Validate everything on the way in, escape it on the way out, and ensure your permissions checks are done at the right time. Proper code reuse makes these things easy!
Mark
Having the site run over SSL wouldn't hurt either as it encrypts traffic both to and from your website.
SSL wouldn't help in any way either. SSL is useful for making sure that nobody else can peek at the data the users send to the site (while it's travelling somewhere on the internet), but it does nothing to protect the site from malicious users.
Quote:Original post by Anonymous Poster
SSL wouldn't help in any way either. SSL is useful for making sure that nobody else can peek at the data the users send to the site (while it's travelling somewhere on the internet), but it does nothing to protect the site from malicious users.
True, but when used in conjunction with the other methods already suggested it'll add extra security to the transport of the data. As you say though, using SSL would do nothing to stop people brute forcing passwords or other means of exploiting the server or code.
Author
Quote:Original post by markr
PHP is as secure as you make it.
If you follow all the guidelines (i.e. turn off anything dangerous, validate input, correctly escape output), it is perfectly secure.
Even the recent unserialize() bug didn't affect most properly written applications.
Turn off register_globals, magic_quotes, allow_fopen_url (unless you need it) etc. Validate everything on the way in, escape it on the way out, and ensure your permissions checks are done at the right time. Proper code reuse makes these things easy!
Mark
Thanks for that! Do you know off th top of your head before I start googling any sites that tell all the other main things you should disable?
Quote:Original post by evolutionalQuote:Original post by Anonymous Poster
SSL wouldn't help in any way either. SSL is useful for making sure that nobody else can peek at the data the users send to the site (while it's travelling somewhere on the internet), but it does nothing to protect the site from malicious users.
True, but when used in conjunction with the other methods already suggested it'll add extra security to the transport of the data. As you say though, using SSL would do nothing to stop people brute forcing passwords or other means of exploiting the server or code.
If possible, I will need the use the SSL - but only two people will actually know of the specific login page - myself as well as the client who this is for, and I am not going to make it some "login.php" name either, so I am not too worried about someone trying to brute force their way in. I'm not saying that I want others to get acces, but I can add additional features.
Thanks for all your replies! They aer much appreciated!
- Drew
This topic is closed to new replies.
Advertisement
Popular Topics
Advertisement
