My First PHP Project Help

Learning PHP is great, but I get frustrated occasionally :-\ and I get a little tired of digging around extensively over what seem to always be simple answers.

Stackoverflow is okay, but if you are not familiar with coding, it can be difficult to use. The moderators seem to expect you to have an explanation of anything you ask about, but sometimes you barely know what to say about the code, just that you have problem X, and you want some insight on possible solutions. However, I guess that is not allowed at Stackoverflow 8) Plus, there is a large outstanding number of questions there, and most of them seem to be very specific to their particular cases.

I am hoping I can get some regular help by using this forum-type discussion, rather than quick question format. Finding some supporters of my project could be neat-o, too! Thanks PhpHelp ;D

Okay, so I am making a registration page, but I would like to ensure it is as safe as possible, so…

What types of PHP, MySQL security can you think of?

… and is there a difference in safety between object-oriented versus procedural?

Sorry about the double post, too… I should have edited o_O but I am editing now, so I am learning!

Anyway >_> I mostly want to just make it generally safe to use with the public. I already have prepared statements with buffering to prevent SQL injection; I use an input cleaning function with trim, stripslashes, htmlspecialchars to protect against XSS; I am working on password hashing with salt; and I have SSL activated. Should I hash emails too, or is that even possible?

I guess there will always be people who can hack into anything, but in general, what else do I need to protect my users’ information?

Ah, you can look forward to getting more experience and being frustrated all the time :smiley:

Google/Stackoverflow is in every programmer's arsenal of tools for a reason :slight_smile:

They are very strict on showing you’ve done some effort yourself. Just understand they receive a lot of questions each day which are simply not good enough / read more like a job description than someone trying to solve a problem.

As in other communities you will probably get a bit of both. But as long as you do your best to ask a good question and include code and error logs where you can you should be fine.

You never know :slight_smile:

Too much to mention in a simple forum post.

No

Great, was afraid I had to bring out the old Posting and You video

Excellent attitude :slight_smile:

If buffering = parameterized queries (named or unnamed placeholders in the query string) then great!

It’s not possible to XSS on input. I always recommend to sanitize on output, as you can then easily confirm that all outputted variables in your views (templates) are sanitized.

This sounds scary, what are you doing here?

Great! Is it a proper certificate? If not: Let’s Encrypt is free

No, but you should make sure the fields you accept as from/to/etc are valid.

Sufficient security, remember you are storing a hash of the password to protect your users password for when an attacker gains access to your database. Technically doing so we’re saying we don’t trust the server will not be hacked. So can you really trust the code that runs on it…?
Can you trust the javascript code you include from third party sources (bootstrap/jquery/etc cdn, direct linked, analytics, ads, etc)?
Can you trust the connection between the user and your server?
Can you trust the users browser?
Can you trust the users computer?
Can you trust the user?
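The two points made above (values reach SQL only through placeholders; HTML escaping belongs at output, not at input) in one runnable piece. This is an added example, not code from the thread. It assumes PHP with the pdo_sqlite extension so it runs offline against an in-memory SQLite database; the `?` placeholders and prepare/execute calls are the same ones you would use with a MySQL DSN. The country check (an ISO 3166-1 alpha-2 code) is an assumption about the form.

```php
<?php
// Added example, not code from the thread. Values go to SQL through
// placeholders (so quotes in data cannot alter the query) and HTML escaping
// happens only when rendering. In-memory SQLite via PDO so it runs offline.
declare(strict_types=1);

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // native prepared statements on MySQL
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, '
            . 'email TEXT NOT NULL UNIQUE, country TEXT NOT NULL)');
    return $db;
}

// The "cleaning" function the original poster described, applied on input.
// stripslashes() exists to undo magic_quotes (removed in PHP 5.4); today it
// only deletes legitimate backslashes from user data.
function cleanOnInput(string $value): string
{
    return htmlspecialchars(stripslashes(trim($value)), ENT_QUOTES, 'UTF-8');
}

// Input side: validate the shape, then store the value as the user typed it.
function registerUser(PDO $db, string $email, string $country): int
{
    $email = trim($email);
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid email');
    }
    if (!preg_match('/^[A-Z]{2}$/', $country)) { // assumption: ISO 3166-1 alpha-2 code
        throw new InvalidArgumentException('invalid country');
    }
    $stmt = $db->prepare('INSERT INTO users (email, country) VALUES (?, ?)');
    $stmt->execute([$email, $country]); // the data never becomes part of the SQL text
    return (int) $db->lastInsertId();
}

function fetchUser(PDO $db, int $id): array
{
    $stmt = $db->prepare('SELECT email, country FROM users WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Output side: escape once, for the HTML context, at render time.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$db = openDb();

// Constructed sample input: a legitimate address that contains the classic
// SQL-injection character. Validation accepts it; the placeholder keeps it inert.
$id  = registerUser($db, "o'brien@example.com", 'IE');
$row = fetchUser($db, $id);

echo "stored as typed:      ", $row['email'], "\n";
echo "escaped for the page: <td>", e($row['email']), "</td>\n";

// What cleaning on input would have put in the database instead, and what a
// template that (correctly) escapes on output then makes of it.
$cleaned = cleanOnInput("o'brien@example.com");
echo "cleaned on input:     ", $cleaned, "\n";
echo "then escaped again:   ", e($cleaned), "\n";
```

Run it and compare the four lines: the stored value keeps the apostrophe, so it is still a deliverable address and the query is untouched; the input-cleaned copy holds an HTML entity instead of the apostrophe, and once a template escapes it (which every template must) the entity gets double-escaped. That is the practical reason to validate on input and escape on output.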

:\

I’ll just add my .02 cents on a couple of things. I would never come up with my own online purchasing / banking transaction code, I would leave that to people who know what they are doing and just use a trusted 3rd party billing system (Paypal comes to the top of my head). Secondly, let your users (visitors) know that while you do your darndest to keep their information secure that you are not responsible for data loss and maybe even have an EULA (End User License Agreement) that you see Facebook and other social media sites use.

Definitely. If you’re handling money and/or storing payment/card info then reconsider 1000 times and once over. Paypal/Stripe/etc provide simple libraries you can use. Using a JS library even means the users/customers payment details never touch your server (they’re submitted directly to the payment processor, using the payment processors own code).

Wow, I am glad to see someone being enthusiastic about all I have to say, haha!

Thank you :smiley:

I am definitely good at asking vague/broad questions at this point, since I barely know what I am doing, but I am getting the hang of things, and I am beginning to regularly understand proper syntax, at least.

I am glad to know I can use procedural style because object-orientation seems to be a hassle, but I think once I get it working procedurally, I will try to replace with a PDO object-orientation.

I use ? then specify the bind_param with a specific variable, so I think I have the parameterized query thing working.

The input/output cleaning confuses me now o_O The user would enter the information, and upon hitting submit, when it sends to the php, it cleans as it defines the variables, so would that be output or would that be input?

Password hashing is definitely scary o_O and actually, I do not ask the user to define a password upon registration because registration requires a recruiter, but I might change that, so I will handle passwords later. At this time, I am the only user, and my password is nothing I use on any other site, so I think I am okay. However, I think later has arrived because the next step in the process would be having the user set a password ;D lol. I am ridiculous -_- but anyway, this is having a password encrypted to a code, adding a randomized string to either end, and using some sort of key to top it all off, but I am definitely set back by this nonsense. I have identified the cost I plan to use though, so I have one thing. HMAC and AES are definitely confusing me. I think I understand password_hash().

I am not sure what the exact provider of my SSL certificate is, but it is being provided by my host, so I hope it's okay, as they do not specifically identify the provider, just that it is third party, and it is being provided free.

Thankfully, I am not processing important information, and I believe I would definitely use an official method, if I decided to implement that, so thank you.

Actually, I do not even ask the user to identify their name. I ask for a birthday to specify age, an email for recovery/contact, country to track user demographics, and gender as a social identifier, but they are not in relation to a name, or address.

Does that seem appropriate? :confused:

… ALSO, the next step would probably be an email verification, and upon verifying the email, they would be prompted to set a password, which is where hashing would go into play.

No problem :smiley:

Either can be a hassle, both offer different ways to structure your applications. There are people praising both, though most people today are in the OOP camp.

Sounds good!

That is input. When you do

<?= $someVariable ?>

it’s output (shows to the user) and should be sanitized to avoid XSS

Don’t worry about it, use password_hash / password_verify and you’re good. You don’t even have to change the cost as the algorithm/cost may change over time if you have it set to PASSWORD_DEFAULT.

You can check by clicking the TLS (yay, HTTPS got a new name!) lock in your browser and viewing certificate details. It sounds fine though.
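The flow the original poster laid out (e-mail verification, then the verified user sets a password) with the password_hash / password_verify / PASSWORD_DEFAULT advice from the reply above, as an added example that is not code from the thread. An in-memory array stands in for the users table, the one-hour link expiry and the 12-character minimum are assumptions, and only the SHA-256 of the verification token is stored so a database dump does not hand out working links.

```php
<?php
// Added example, not code from the thread: e-mail verification token, then
// password set with password_hash() and checked with password_verify().
declare(strict_types=1);

const TOKEN_TTL = 3600; // assumption: verification links expire after one hour

/** Step 1: create the pending user and return the raw token to put in the e-mail. */
function startVerification(array &$users, string $email, int $now): string
{
    $token = bin2hex(random_bytes(32));           // 256 bits from the CSPRNG
    $users[$email] = [
        'token_hash'    => hash('sha256', $token), // DB holds only the hash of the token
        'token_expiry'  => $now + TOKEN_TTL,
        'verified'      => false,
        'password_hash' => null,
    ];
    return $token;
}

/** Step 2: the user follows the link; token is single use and expires. */
function verifyEmail(array &$users, string $email, string $token, int $now): bool
{
    if (!isset($users[$email]) || $users[$email]['token_hash'] === null) {
        return false;
    }
    $u = &$users[$email];
    if ($now > $u['token_expiry']) {
        return false;
    }
    // Constant-time comparison: response time does not leak the stored hash.
    if (!hash_equals($u['token_hash'], hash('sha256', $token))) {
        return false;
    }
    $u['verified']   = true;
    $u['token_hash'] = null;                      // consume the token
    return true;
}

/** Step 3: only a verified account may set its password. */
function setPassword(array &$users, string $email, string $password): void
{
    if (empty($users[$email]['verified'])) {
        throw new LogicException('e-mail not verified');
    }
    if (strlen($password) < 12) {                 // assumption: minimum length policy
        throw new InvalidArgumentException('password too short');
    }
    // PASSWORD_DEFAULT: per-hash salt and the cost/algorithm PHP currently recommends.
    $users[$email]['password_hash'] = password_hash($password, PASSWORD_DEFAULT);
}

/** Login: verify, and silently upgrade the hash if PHP's defaults have moved on. */
function login(array &$users, string $email, string $password): bool
{
    $hash = $users[$email]['password_hash'] ?? null;
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $users[$email]['password_hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

function expect(bool $cond, string $what): void
{
    echo ($cond ? 'ok   ' : 'FAIL ') . $what . "\n";
}

// Constructed walkthrough
$users = [];
$now   = time();
$email = 'user@example.com';
$token = startVerification($users, $email, $now);

expect(!verifyEmail($users, $email, 'not-the-token', $now),          'wrong token rejected');
expect(!verifyEmail($users, $email, $token, $now + TOKEN_TTL + 1),   'expired link rejected');
expect(verifyEmail($users, $email, $token, $now),                    'valid link accepted');
expect(!verifyEmail($users, $email, $token, $now),                   'token cannot be reused');

setPassword($users, $email, 'correct horse battery staple');
expect(login($users, $email, 'correct horse battery staple'),        'right password logs in');
expect(!login($users, $email, 'wrong password here'),                'wrong password rejected');
expect(!login($users, 'nobody@example.com', 'anything at all'),      'unknown user rejected');
```

Note that the returned token is the only copy of the secret: it goes into the e-mail link and nowhere else, and the stored hash does not need to be kept secret from a database leak. The same token-hash pattern works for password reset links.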

I did actually just really activate my SSL… It was activated to use, but I had to create a .htaccess file, and put a little code in there, but everything is showing with the https:// prefix now, so I assume it works.

W3Schools told me to sanitize input o_O so I just did it.

I think I have the ability to use a key if I wanted to though, but I am not sure how to go about creating a key, and how to access a key if I stored it in a separate server? Since I know about it already, I figure I might as well try to implement it before I get carried away, and my site gets big with a bajillion users xD and I forget to upgrade my security.
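The "key" asked about above is usually called a pepper: a secret held by the application, never stored in the database, mixed into the password before hashing. The example below is added here and is not code from the thread. It keys the password with HMAC-SHA-256 using the pepper and then hands the result to password_hash(), so someone who dumps only the users table has hashes they cannot test offline. The pepper is read from an environment variable (an assumption; a secrets store or a restricted file outside the web root are the usual alternatives), with a constructed fallback value so the script runs stand-alone. This is a layer on top of password_hash(), which is sufficient on its own as the earlier reply says.

```php
<?php
// Added example, not code from the thread: a server-side pepper applied as a
// keyed pre-hash before password_hash(). The secret lives outside the database.
declare(strict_types=1);

function loadPepper(): string
{
    $hex = getenv('APP_PEPPER');              // assumption: hex-encoded, set by the server environment
    if ($hex === false) {
        // Constructed placeholder so the example runs stand-alone. Generate a
        // real one with bin2hex(random_bytes(32)) and never commit it to code.
        $hex = str_repeat('ab', 32);
    }
    $pepper = hex2bin($hex);
    if ($pepper === false || strlen($pepper) < 32) {
        throw new RuntimeException('APP_PEPPER must be at least 32 bytes, hex-encoded');
    }
    return $pepper;
}

// Keyed pre-hash. The fixed 64-character output also sidesteps bcrypt's
// 72-byte input limit, so very long passphrases are no longer truncated.
function prehash(string $password, string $pepper): string
{
    return hash_hmac('sha256', $password, $pepper);
}

function hashPassword(string $password, string $pepper): string
{
    return password_hash(prehash($password, $pepper), PASSWORD_DEFAULT);
}

function verifyPassword(string $password, string $stored, string $pepper): bool
{
    return password_verify(prehash($password, $pepper), $stored);
}

function expect(bool $cond, string $what): void
{
    echo ($cond ? 'ok   ' : 'FAIL ') . $what . "\n";
}

// Constructed walkthrough
$pepper = loadPepper();
$stored = hashPassword('correct horse battery staple', $pepper);

expect(verifyPassword('correct horse battery staple', $stored, $pepper),
       'right password with the real pepper verifies');
expect(!verifyPassword('wrong password', $stored, $pepper),
       'wrong password rejected');

// The attacker's situation after a database-only breach: they hold $stored but
// not the pepper, so even the correct password cannot be confirmed against it.
$attackerGuessAtKey = str_repeat("\x00", 32);
expect(!verifyPassword('correct horse battery staple', $stored, $attackerGuessAtKey),
       'right password without the pepper is unverifiable');
```

Two operational caveats follow from this design: the pepper must be backed up as carefully as the database, because losing it makes every stored hash unverifiable and locks all users out; and it cannot be rotated in place, since old hashes only verify with the old key, so if rotation is planned store a key identifier next to each hash and re-hash at the user's next successful login.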
