March 30, 2006 11:36 PM
I’m working on a PHP/MySQL app and would like to ensure my security is up to scratch – need tips on authentication, globals and input sanitization.
posted by MetaMonkey to computers & internet (28 answers total) 3 users marked this as a favorite
My current method of authenticating users is a simple MySQL username/password lookup, then storing their state with a session and a required cookie (which stores only the session id). To prevent fixation I am using session_regenerate_id whenever necessary. Am I missing anything?
Register globals is on by default. I am not using globals, and I am trying to define all variables before use. Am I safe? Can global hacks affect my sessions?
My current method of input sanitization is:
1. strip <, >, '\r' and '\n' to prevent scripting attacks
2. convert everything to entities
3. escape anything left with mySQL_real_escape
Is this sufficient to protect against any/all injection/xss attacks?
PHP Security is giving me a big headache, and I keep feeling like I'm missing something important. Any tips, corrections, best practices or links would be very much appreciated.
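An added example, not code from the original post, showing one way to handle the three concerns the question raises (login with session rotation, session cookie settings, and user-supplied text) by escaping for each output context rather than stripping characters on the way in: bound parameters for MySQL, htmlspecialchars() for HTML, and session_regenerate_id(true) at login. It assumes PHP 7.3 or later (PDO, password_verify(), the array form of session_set_cookie_params()) with register_globals off; the DSN, credentials, and the users/comments tables and their columns are assumptions for illustration.

```php
<?php
// Added example (not from the original post). Assumes PHP >= 7.3, PDO with
// the MySQL driver, register_globals off, and these assumed tables:
//   users(id, username, password_hash)   password_hash from password_hash()
//   comments(user_id, body)
declare(strict_types=1);

function db(): PDO {
    // DSN and credentials are assumptions.
    return new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'appuser', 'secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
}

// Session cookie settings: id comes only from a cookie, unknown ids are
// rejected (strict mode), cookie is HTTPS-only and hidden from JavaScript.
function startSession(): void {
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Login: the username is a bound parameter, so the raw input needs no
// escaping for the SQL context. The session id is rotated on success so a
// pre-login id planted by an attacker (fixation) never becomes authenticated.
function login(PDO $pdo, string $username, string $password): bool {
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);          // true = discard the old session file
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

// Store the text as the user typed it; "<", ">", "\r" and "\n" are harmless
// inside a bound parameter and in the database.
function saveComment(PDO $pdo, int $userId, string $body): void {
    $stmt = $pdo->prepare('INSERT INTO comments (user_id, body) VALUES (?, ?)');
    $stmt->execute([$userId, $body]);
}

// Escape at render time for the HTML context. ENT_QUOTES covers attribute
// values as well as text; ENT_SUBSTITUTE avoids returning "" on bad UTF-8.
function renderComment(string $body): string {
    return '<p>' . htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

// Request handling with constructed form fields (not real traffic).
startSession();
$pdo = db();
if (login($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
    $comment = $_POST['comment'] ?? '';
    saveComment($pdo, $_SESSION['user_id'], $comment);
    echo renderComment($comment);
} else {
    http_response_code(401);
    echo '<p>Login failed.</p>';
}
```

The point of the split is that each escaping step matches one consumer: the database sees only bound parameters, the browser sees only entity-encoded text, and the same stored string can later be emitted to another context (JSON, a mail body) with that context's own escaping instead of a representation already mangled for HTML.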