Basic PHP Security?


davej


I am just getting started with PHP and I would like to immediately learn some basic security facts, such as how database accesses should be properly handled so that I don't have to unlearn bad habits like I did in ASP.NET (with that idiotic SqlDataSource method). Can PHP source code inside the brackets <?php ?> ever become visible to the web (as in view page source)? Do MySQL accesses need to be wrapped in try-catch statements to prevent database errors from being visible? Thanks.

Inside the PHP tag your code is not visible unless you do that explicitly. There are some purposes for which some data can be shown on the web, like showing errors on a production server. It is always good not to show errors. Avoiding mysql_error() on the production server, and avoiding all the debug methods you used in development, should be done in production, since they can output not your code but some information about your script, which is not good for security. try/catch will catch only exceptions, not fatal errors/notices/warnings. You may like to check the manual at http://php.net/mysql; if any function is throwing an exception, the manual will tell you about it.

PHP has several options for handling errors, like sending them to a log file instead of displaying them on the page. MySQL errors are never automatically reported, you need to manually check for them if you want to report them. If you're starting out, focus on using the mysqli extension instead of the mysql extension, and look into parameterized queries. Your PHP code won't be visible in the source of the page, but there may be an exploit on the server or in the code that lets people read files. Don't assume that none of your code is accessible to anyone just because you're using PHP.
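The two points above (log errors instead of displaying them, and check MySQL errors yourself) can be combined so that a try/catch actually has something to catch. The following is an added example, not code from anyone in this thread; it assumes a local MySQL server, a placeholder log path and placeholder credentials that you would replace with your own.

```php
<?php
// Added example (not from the thread): keep database errors out of the browser
// while still recording them for the developer. Assumes a local MySQL server;
// the credentials and the log path below are placeholders.

// Production error settings: never print errors to the page, log them instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app-errors.log'); // placeholder path, writable by the web server
error_reporting(E_ALL);

// Make mysqli throw mysqli_sql_exception instead of returning false and
// emitting warnings, so that try/catch below works as the poster expected.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function openDatabase(): mysqli
{
    try {
        // Placeholder credentials; use a dedicated low-privilege account in practice.
        return new mysqli('localhost', 'app_user', 'app_password', 'app_db');
    } catch (mysqli_sql_exception $e) {
        // Full detail (error number, message) goes to the log only.
        error_log('DB connect failed: [' . $e->getCode() . '] ' . $e->getMessage());
        // The visitor sees a generic message that reveals nothing about the server or schema.
        http_response_code(500);
        exit('Service temporarily unavailable.');
    }
}

$db = openDatabase();

try {
    // A typo in the table name would throw here rather than echo
    // "Table 'app_db.postz' doesn't exist" into the visitor's page.
    $result = $db->query('SELECT id, title FROM posts ORDER BY id DESC LIMIT 10');
    while ($row = $result->fetch_assoc()) {
        // Escape on output so stored text cannot become HTML/JavaScript.
        echo htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'), "<br>\n";
    }
} catch (mysqli_sql_exception $e) {
    error_log('Query failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Something went wrong. The error has been logged.');
}
```

On the "try/catch only catches exceptions" point made earlier: that is exactly why `mysqli_report()` is set to exception mode here. Notices and warnings are still not exceptions unless you convert them in a `set_error_handler()` callback, and since PHP 7 most former fatal errors are thrown as `Error` objects that a `catch (Throwable $e)` will see.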

Cool, you're new like me. A tip for you: don't name your database table "members"; I did this in the beginning after watching YouTube vids. Also try not to pass sensitive info in a URL variable, and use this method when passing info to your database: $name = mysql_real_escape_string($name); ;)

@westman If your later suggestions are followed, it doesn't matter what your database table is called. If you don't escape your data... sure... having a meaningful name like "members" makes the job of a hacker easier, but any other name you've used could also easily be detected if there's no escaping.

@davej If using parameterized queries, you don't have to worry about mysql_real_escape_string().
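To make the escaping-versus-parameters discussion concrete, here is the same lookup written with string concatenation, with mysqli's escaping function, and as a prepared statement. This is an added example, not code posted by anyone in the thread; it assumes a table named `users` with `id`, `username` and `email` columns, placeholder credentials, and the mysqlnd driver (needed for `get_result()`).

```php
<?php
// Added example (not from the thread): one lookup, three ways.
// Assumes a "users" table (id, username, email) and placeholder credentials.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
$db->set_charset('utf8mb4'); // escaping is only correct when the connection charset is known

$username = $_GET['user'] ?? '';

// 1. Unsafe: user input spliced straight into the SQL text. A quote character
//    in $username changes the structure of the statement; that is the bug.
// $sql = "SELECT id, email FROM users WHERE username = '" . $username . "'";

// 2. Escaping (westman's suggestion). Correct only if every value is escaped,
//    every time, and only inside a quoted string literal; easy to miss one.
$safeName = $db->real_escape_string($username);
$escapedSql = "SELECT id, email FROM users WHERE username = '" . $safeName . "'";
$legacyRow = $db->query($escapedSql)->fetch_assoc();

// 3. Prepared statement: SQL text and data are sent separately, so the value
//    is never parsed as SQL and there is no escaping call to forget.
function findUser(mysqli $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, email FROM users WHERE username = ?');
    $stmt->bind_param('s', $username); // 's' binds the value as a string
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

$user = findUser($db, $username);
if ($user === null) {
    echo 'No such user.';
} else {
    // Output is a different context (HTML), so it needs its own escaping.
    echo 'Email: ', htmlspecialchars($user['email'], ENT_QUOTES, 'UTF-8');
}
```

The table name plays no part in any of the three versions, which is the point made above: what decides whether input can alter the query is how the value reaches the database, not what the table is called. Prepared statements settle that for every value bound through `bind_param()`; identifiers such as table or column names cannot be bound and must still come from a fixed list in your code.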

You may like to check this: http://www.php.net/manual/en/security.php

4 weeks later...

> @davej If using parameterized queries, you don't have to worry about mysql_real_escape_string().

Well, I'm working with text fields in the database. I started with mysql_real_escape_string() but I'm not real happy with it. I will look at parameterized entries. Thanks.