davej

Basic Php Security?


I am just getting started with PHP and I would like to immediately learn some basic security facts, such as how database accesses should be properly handled so that I don't have to unlearn bad habits like I did in ASP.NET (with that idiotic SqlDataSource method). Can PHP source code inside the brackets <?php ?> ever become visible to the web (as in view page source)? Do MySQL accesses need to be wrapped in try-catch statements to prevent database errors from being visible? Thanks.


Inside the PHP tags your code is not visible unless you do that explicitly. There are some cases where some data can be shown on the web, like showing errors on a production server. It is always good not to show errors. mysql_error() should be avoided on a production server, and all the debug methods you used in development should also be avoided in production, since they can output, not your code, but some information about your script, which is not good for security. try-catch will catch only exceptions, not fatal errors/notices/warnings. You may like to check the manual at http://php.net/mysql; if any function throws an exception, the manual will tell you about it.

Edited by birbal


PHP has several options for handling errors, like sending them to a log file instead of displaying them on the page. MySQL errors are never automatically reported; you need to check for them manually if you want to report them. If you're starting out, focus on using the mysqli extension instead of the mysql extension, and look into parameterized queries. Your PHP code won't be visible in the source of the page, but there may be an exploit on the server or in the code that lets people read files. Don't assume that none of your code is accessible to anyone just because you're using PHP.


Cool, you're new like me. A tip for you: don't name your database table "members". I did this in the beginning after watching YouTube vids. Also try not to pass sensitive info in a URL variable, and use this method when passing info to your database: $name = mysql_real_escape_string($name); ;)


@westman If your later suggestions are followed, it doesn't matter what your database table is called. If you don't escape your data... sure... having a meaningful name like "members" makes the job of a hacker easier, but any other name you've used could also easily be detected if there's no escaping.

@davej If using parameterized queries, you don't have to worry about mysql_real_escape_string().


You may like to check this: http://www.php.net/manual/en/security.php

Quote: @davej If using parameterized queries, you don't have to worry about mysql_real_escape_string().
Well, I'm working with text fields in the database. I started with mysql_real_escape_string() but I'm not real happy with it. I will look at parameterized entries. Thanks.

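To make the advice in this thread concrete (the reply recommending mysqli with parameterized queries instead of mysql_real_escape_string(), and the replies about not displaying errors on a production server), here is an added example written for this page; it is not code posted by anyone in the thread. The host, credentials, database name, the `users` table and its columns are assumptions for illustration only.

```php
<?php
// Added example: a text-field lookup done the way the thread recommends.
// Connection details and the "users" table are assumed for illustration.
declare(strict_types=1);

// 1. Production error handling: nothing on the page, everything in the server log.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

// 2. Make mysqli throw mysqli_sql_exception instead of returning false, so a
//    failed query cannot be silently ignored (this is what try-catch will catch).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Look up one user by name using a prepared (parameterized) statement.
 * The SQL text holds only a "?" placeholder; the value is sent separately,
 * so quotes or SQL keywords inside $name cannot change the query's meaning
 * and no manual escaping is needed.
 */
function find_user_by_name(mysqli $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, username, email FROM users WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $name);            // 's' = bind $name as a string
    $stmt->execute();
    $stmt->bind_result($id, $username, $email);
    $row = $stmt->fetch()
        ? ['id' => $id, 'username' => $username, 'email' => $email]
        : null;
    $stmt->close();
    return $row;
}

try {
    // Assumed connection parameters; replace with your own.
    $db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
    $db->set_charset('utf8mb4');

    // Untrusted input straight from the request, passed through unchanged:
    // the bound parameter, not escaping, is what keeps it out of the SQL.
    $name = $_GET['name'] ?? '';
    $user = find_user_by_name($db, $name);

    if ($user === null) {
        echo 'No such user.';
    } else {
        // Data read back from a text field may contain HTML, so escape it on output too.
        echo 'Hello, ' . htmlspecialchars($user['username'], ENT_QUOTES, 'UTF-8');
    }
} catch (mysqli_sql_exception $e) {
    // Full detail goes to the log (error_log); the visitor sees only a generic message,
    // which is the "don't show errors in production" point made above.
    error_log('Database error: ' . $e->getMessage());
    http_response_code(500);
    echo 'Sorry, something went wrong.';
}
```

The two settings at the top are the ones that decide whether a MySQL error ends up on the visitor's screen; with `display_errors` off and `log_errors` on, even an uncaught exception is written to the log rather than rendered in the page. The prepared statement answers the question about text fields: the same call works whether the value contains apostrophes, semicolons or SQL keywords, which is why the thread says mysql_real_escape_string() is not needed once queries are parameterized.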
