Hi, I have been programming web pages for some time now but have only recently had to actually do a new member and login section. My biggest concern is security, but while studying different aspects I keep seeing different people saying to use different PHP styles, such as some say PDO is best, some say OOP is best. I have a working new member section, but before I go live I would like to make the proper changes to whichever style is best for security as far as injections, cross-site scripting and any other hack. I do indeed clean and test all data, both from any outside input and from reading it from the db itself, before I run it, but I am nowhere near as smart nor as up to date as most hackers, therefore I really want to make sure I use the best method in PHP to keep my site as secure as I can on my own. I do not take any money, so I do not deal with cc or that type of sensitive data, just usernames, emails and passwords. Oh, and of course the passwords are hashed using the new PHP password_hash, which I have read over and over is the best way to go. Any information on which way I should program this site would be appreciated, and possibly the reason why you think so. Thanks
There are only two options to work with a database, mysqli and PDO. Whoever said OOP was the best was touting what they heard without understanding. OOP is different from procedural style, but has nothing to do with database interactions. Use either of the two, along with prepared statements. Salt the passwords. Store the times and IP addresses of the people that log on for tracking purposes.
The rest of the security issues have less to do with the code itself than with the server settings.
I think the biggest confusion you're having is that you're confusing Object-Oriented Programming and Procedural programming with mysqli and PDO when it comes to security. Let me try to clarify this a little for you.
mysqli - Can use either OOP or procedural style programming, and this is why a lot of beginners use mysqli: it can use procedural style programming. Programming in mysqli uses prepared statements, as already stated.
PDO - Uses OOP style programming, but that doesn't mean anyone has to learn OOP in order to use it. A lot of people gravitate towards PDO because it uses named prepared statements and can be used with more than one kind of database (mysqli forces you to use MySQL). It has a slightly higher learning curve than mysqli, but once learned, the benefits start paying off.
As for security, learning how to use password_hash (http://php.net/manual/en/function.password-hash.php) and password_verify (http://php.net/manual/en/function.password-verify.php) will help you write scripts that are more secure when it comes to password protection.
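Putting the two replies above together (prepared statements through PDO, plus password_hash/password_verify for the stored passwords), here is an added example of a minimal register/login pair. It is not code from anyone in this thread. It assumes a `users` table of its own design and uses an in-memory SQLite database (PHP's pdo_sqlite extension) so it can be run offline from the command line; on the real site only the DSN and credentials in `openDb()` would change for MySQL.

```php
<?php
// Added example, not from the thread: registration and login using PDO prepared
// statements and password_hash()/password_verify().
// Assumption: in-memory SQLite stands in for MySQL so the script runs stand-alone.
declare(strict_types=1);

function openDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Turn off client-side emulation so placeholders are real prepared statements
    // (this matters for MySQL; SQLite ignores it).
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        username TEXT NOT NULL UNIQUE,
        email TEXT NOT NULL UNIQUE,
        password_hash TEXT NOT NULL
    )');
    return $pdo;
}

function registerUser(PDO $pdo, string $username, string $email, string $password): bool
{
    // Validate the shape of the input first; the prepared statement only handles
    // quoting, it does not decide whether the data makes sense.
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $username)) {
        return false;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    if (strlen($password) < 8) {
        return false;
    }
    // password_hash() generates its own random salt and stores salt, algorithm
    // and cost inside the returned string, so no separate salt column is needed.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    $stmt = $pdo->prepare(
        'INSERT INTO users (username, email, password_hash) VALUES (:u, :e, :h)'
    );
    try {
        $stmt->execute([':u' => $username, ':e' => $email, ':h' => $hash]);
    } catch (PDOException $e) {
        // Most likely a duplicate username or email; fail without echoing the DB error.
        return false;
    }
    return true;
}

// Returns the user id on success, null on failure.
function loginUser(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a throwaway hash when the user does not exist, so response
    // time does not reveal which usernames are registered.
    static $dummy = null;
    $dummy ??= password_hash('dummy-password', PASSWORD_DEFAULT);
    $hash = $row === false ? $dummy : $row['password_hash'];

    if (!password_verify($password, $hash) || $row === false) {
        return null;
    }
    // Upgrade the stored hash if PHP's default algorithm or cost has changed.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return (int) $row['id'];
}

// Usage with constructed data (not real accounts):
$pdo = openDb();
var_dump(registerUser($pdo, 'alice', 'alice@example.com', 'correct horse battery'));
var_dump(registerUser($pdo, 'alice', 'other@example.com', 'another password'));   // duplicate username
var_dump(loginUser($pdo, 'alice', 'correct horse battery'));
var_dump(loginUser($pdo, 'alice', 'wrong password'));
var_dump(loginUser($pdo, "alice' OR '1'='1", 'anything'));   // bound as a literal, not SQL
```

The last call is the point of the prepared statement: the quote characters in the username are sent as data, so the query looks for a user literally named `alice' OR '1'='1` and finds nothing. The same code written with string concatenation into the SQL would have matched every row.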
Elizabeth,

I agree with all of these comments. I personally like procedural programming and therefore I generally use MySQLi for programming with databases. Most websites that I work with would be considered "simple" in programming terms.

One area that I had to spend a lot of time on was security for a client. They had many different levels of user access and even several different levels of passwords for security issues. Over many years of study on these, the username and password is about the lowest worry in your site. Use the hashing tricks and you should be safe. The larger issue would be allowing a hacker to enter data into your system. This means that you should make sure that you scrub your data and validate all of it before allowing anything to enter your database.

Once, I set up a blog for a client using this site's system and hackers from China and Russia got into it. They basically just posted about 5,000 adverts for various items, but it was annoying to ban their IPs and delete all of the ads.

Also, one client of mine used $_GET to grab data passed from page to page. Hackers typed different info directly into the passed data and got into areas of the database where they shouldn't be. Nothing was actually damaged, but they were able to see data they should not have. That is one area you should work on if you use GET. There are many sites in the world that have lists of programming don'ts for security. Here are a few sites with comments about security and PHP. A lot of them have general information about what not to do. It might give you ideas on how to go about revamping your site's security systems.

http://www.nairaland.com/1491651/list-donts-php-application
http://thenewstack.io/security-dos-and-donts-for-early-stage-companies/
https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide

(The last one is a 17-page "Secure Programming Practices Guide" in PDF format that you can download and review.)

All of these talk about general things to do and not do, and some go into details a little. Items like error messages are very important. If your MySQLi code displays a message about your database, it will show the name of the database and perhaps some of the formatting of your tables. Things like these should be hidden from the public. Hiding them is easy, but you still need them sent to you to fix the issues. Many things, like timing out your site pages, are very simple to do. On one site I recently did for a friend, he needed to have the pages time out after so many minutes, basically to prevent someone sitting down at his 'puter while he was in another room and using his login to wreak havoc. That is a simple item to add. But read up and ask any questions. One of us will be able to help... Good luck with your site!
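The reply above raises three separate points: an id passed in `$_GET` that let visitors reach other people's rows, database error messages leaking table details to the browser, and pages that should time out after a period of inactivity. The following added example (not code from the poster or from this site) shows one "view document" request handler that deals with all three. It assumes a `documents` table with an `owner_id` column, fakes the session array and the query string so it runs from the command line, and uses in-memory SQLite in place of MySQL; on a real site `$session` would be `$_SESSION` and `$get` would be `$_GET`.

```php
<?php
// Added example, not from the thread: a record-by-id page that validates the GET
// parameter, scopes the query to the logged-in user, hides DB errors, and enforces
// an idle timeout. Assumption: SQLite in memory and a hand-built session array stand
// in for MySQL and PHP's real session so the script runs stand-alone.
declare(strict_types=1);

const IDLE_TIMEOUT_SECONDS = 15 * 60;

// True if the session is logged in and was used recently; otherwise clears it.
function sessionIsActive(array &$session, int $now): bool
{
    if (!isset($session['user_id'], $session['last_seen'])) {
        return false;
    }
    if ($now - $session['last_seen'] > IDLE_TIMEOUT_SECONDS) {
        $session = [];   // with real sessions also call session_destroy()
        return false;
    }
    $session['last_seen'] = $now;
    return true;
}

// The id from the query string must be a positive integer; anything else is rejected
// before it gets near the database.
function documentIdFromGet(array $get): ?int
{
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function loadDocument(PDO $pdo, int $docId, int $userId): ?array
{
    // The ownership check lives in the WHERE clause, so a visitor who edits the id
    // in the URL gets "not found" instead of another user's row.
    $stmt = $pdo->prepare(
        'SELECT id, title, body FROM documents WHERE id = :id AND owner_id = :owner'
    );
    $stmt->execute([':id' => $docId, ':owner' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function handleRequest(PDO $pdo, array $get, array &$session, int $now): string
{
    if (!sessionIsActive($session, $now)) {
        return 'Session expired, please log in again.';
    }
    $docId = documentIdFromGet($get);
    if ($docId === null) {
        return 'Bad request.';
    }
    try {
        $doc = loadDocument($pdo, $docId, (int) $session['user_id']);
    } catch (PDOException $e) {
        // Full detail (database and table names) goes to the server log for you to
        // read; the visitor only sees a generic message.
        error_log('document lookup failed: ' . $e->getMessage());
        return 'Something went wrong, please try again later.';
    }
    if ($doc === null) {
        return 'Not found.';
    }
    // Escape on output so a title containing HTML cannot run as script (XSS).
    return '<h1>' . htmlspecialchars($doc['title'], ENT_QUOTES, 'UTF-8') . '</h1>';
}

// --- constructed demo data ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE documents (id INTEGER PRIMARY KEY, owner_id INTEGER, title TEXT, body TEXT)');
$pdo->exec("INSERT INTO documents VALUES (1, 10, 'Plan for <b>Q3</b>', 'alice text'),
                                         (2, 20, 'Bob private notes', 'bob text')");

$session = ['user_id' => 10, 'last_seen' => 1000];   // user 10 logged in at t=1000
echo handleRequest($pdo, ['id' => '1'], $session, 1060), PHP_EOL;          // own document
echo handleRequest($pdo, ['id' => '2'], $session, 1120), PHP_EOL;          // someone else's id
echo handleRequest($pdo, ['id' => '2 OR 1=1'], $session, 1180), PHP_EOL;   // tampered parameter
echo handleRequest($pdo, ['id' => '1'], $session, 1180 + 16 * 60), PHP_EOL; // idle longer than allowed
```

Note that the tampered `id` never reaches SQL at all: validation rejects it first, and even a well-formed id for another user's row is filtered by the `owner_id` condition rather than by any check done after the data has been read.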