Security of PHP

J__Benison

Hello peeps,

I am beggining a project that will manage user accounts and personnal information about our users. And I came to wonder on the security risks involved using PHP and MySQL.

Can someone enlight me about what those issues could be? What should I be worried about?
How should I avoid compromissing my clients' information?

What is more safe as a coding language: PHP or ASP?

Thanks for any help,

JB.

bastien

PHP, as based on the fact that this is a PHP forum. But realistically, both are capable of being 'securely coded'. The real issue is the safety of the server and its exploits (IIS seems to have far more exploits than apache)

If the info is really senstive, use SSL encryption to secure the connection.

MD5 the passwords, set up the mysql accounts to the bare minimum needed (ie select, update, insert). If you can set the accounts to limit access to certain ip ranges

suepahfly

Use SSL on Apache (in the ISS module security holes where found i beleive)
Use a challence resonse login scheme
Use cookies to a minimum

A good article on security can be found here but it's in Dutch

The main items it covers:
Cross site scripting
SQL injection
UBB hacking
Arbitrary Command Execution
Remote PHP execution
Mime Content Type Hack
Session Hijacking
Cookie security

I guess the googling on any of the avbove terms get you plenty of info

ropic

In talks.php.net you can read a good presentations about security