Web based designers who develop login applications should keep these basic security measures in mind. Know that nothing in this world is unbreakable. With enough brain juice and time from God, anything can be broken into. The only thing that any security system can do is to slow down the attacker long enough to capture them and fix the flaws. A good security system is one that is able to protect and recover from assaults. PHP together with MySQL are in the top 5 most popular web language today. Many web design companies use them cause they are free and have supportive user groups that are helpful. The following methods should be in place in any system as a minimum.

Username and Passwords

Passwords are stronger at 8 characters, so keep that as a minimum. These are 4 simple methods that anyone can follow to create easy to remember strong passwords.

Never be specific

Even student developers are smart enough to just put up a unsuccessful login sign like

• ‘Incorrect password / username’
• ‘Unsuccessful login attempt’

Never give out clues or leads that will help intruders like

• ‘Password is missing one letter’
• ‘Username is not found’

Hiding Errors Messages

Placing @ in front of many of PHP function calls will stop any failure message from showing in the browser window. The ampersand symbol becomes useful when database calls are made during database downtime. This will keep the website looking professional while reducing feedback to intruders.

Encrypt passwords in user account table

Even if the intruder is successful in gaining access to the table, they should only be able to see logins and not passwords. Encrypt all passwords in the table to hold an SHA-1 encrypted string before you compare the user input password to the one stored in the database.

• Example Code
  $encrypted = sha1($password);
• Example database data
  Username : rangit
  Password : d0be2dc421be4fcd0172e5afceea3970e2f3d940

Keep a log of all user activities

Log the total number of logins for each user, as well as the data/time of their last login.

Remove ALL backslashes

Prevent your code from breaking unexpectedly by using ready made PHP functions like strip_tags(), str_replace() and stripslashes().

• Example code
  $login = @strip_tags($login);
  $login = @stripslashes($login);

Use ‘maxlength’ in forms

Limit the user to the allocated input size.

Importance of referrer

Make login scripts to check HTTP_REFERER to see that the request came from the same server. This security measure will stop simple spam bots and amateur attackers.

Use $_POST not $_REQUEST

If your HTML form uses POST to send the data to the login script, then make sure your login script gets the input data using $_POST and not $_REQUEST to prevent someone to pass data via GET, on the end of the URL string.

SSL Encryption (https)

If you think the website deserves the best of data privacy, purchase an SSL certificate to encrypt the pages.

Limit user access according roles

This is one of the most important method to prevent SQL injetions. Classify groups and distribute features and functionality based on roles. For example

• Cashers can only enter in sales, and not delete it
• HR personals should only see employee information, and not the financial data

eioba
Intelligent articles database

PHP. What’s so important about it?

PHP is a server side programming language designed to produce amazing dynamic web pages which :

• allows you to create dynamic html pages and files.
• can be used to authenticate logins to a site
• allows web owners to redirect pages
• keep counters
• allows you to personalize pages. For example, if I login to a site using my username and password, the PHP codes will then tell the server to generate a personal note that says ‘Welcome, Chris!’. So if another person logs in, the server will generate another personal page that says ‘Welcome, (username)!’.
• If you set up your own server you can use also PHP to allow people to download files from a certain folder and then log the ip address of the person that downloaded it. As long as the page saves or changes a file on the server, PHP will most likely be used.

There are plenty of PHP training courses out there that helps people to learn even faster. Open Technology Group is one fine example that provides the highest quality training at an affordable prices that includes post meet ups after classes. Their courses are taught by Zend certified PHP MySQL training instructors with over decade’s experience.

At the moment, they conduct classes on a monthly basis. The classes are carried out for a period of 5 days. If you live in the US and some other parts of Canada, airfare to North Carolina, accommodation, shuttle services and course materials are all included with the fee you pay.

Interested people are encouraged to submit a simple form or call them to ask about enrollment questions. They will even wire in a technical instructor to take calls, if needed. I believe that they have special pricing for government or educational bodies.

* sponsored review *

PHP MySQL Training
PHP training solutions

Basically, SQL injections happens when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. Any webmaster creating web applications that involves database manipulation will have to take these measures to prevent SQL injections.

According to WhiteHat Security’s statistics, there is a 20% likelihood that 8 out of 10 websites have a vulnerability in the area of SQL Injections.

Keeping It Clean

For example, it is important to make sure that users insert only codes that have these characters in the email field :

• abcdefghijklmnopqrstuvwxyz
  ABCDEFGHIJKLMNOPQRSTUVWXYZ
  0123456789
  @.-_+

Quotes Quotes Quotes

Many database interface languages caters to the need of safe-quoting text. For example, MySQL uses 2 functions to ’string quote’ and to ’string parse’ :

• mysql_real_escape_string() adds backslashes in front of all the quotation marks.
• stripslashes() removes backslashes in front of the quotation marks.

Bounding Parameters

• Insecure

Statement s = connection.createStatement();
ResultSet rs = s.executeQuery(”SELECT email FROM member WHERE name = ” + formField); // *boom*

• Secure

PreparedStatement ps = connection.prepareStatement(”SELECT email FROM member WHERE name = ?”);
ps.setString(1, formField);
ResultSet rs = ps.executeQuery();

Above is an example of bound parameters in Java. Neither quotes, semicolons, backslashes nor SQL comment notations are able to corrupt the string because it’s been turned into data. Bounding parameters is one of the most important step anyone can take to truly secure the database from injection attacks.

Rights Management

Web applications should use connections to the database with as little rights as possible. Web applications should start with only 1 type of access which is query access to members table. This method eliminates the possibility of using the ‘UPDATE’ statement to taint the database. Let rights access be progressive, like allowing more flexibility only after a successful user validation.

Making Use Of Stored Procedures

As long as the interface on the stored procedure stays the same, the table structure can change with no consequence to the application that is using the database. This layer of abstraction is like an extra barrier because table permission is implicitly set. By only allowing database modifications through stored procedures, tables are safe from exposure to external applications.

Separating TRUSTED and UNTRUSTED networks

A DMZ is a computer network that is accessible from two other computer networks that have no direct contact with each other. Often, one of these networks is the Internet and the other is a local, internal network. Having a web server with very, very little access in a DMZ prevents total control of all networks, even if one manages to take full control of the machine.

SQL Injection Attacks
Useful tips on SQL injection attacks