Security on PHP websites

The talk, given by Richard at LinuxCabal, covered implementing security on websites.

The first part was about the security that websites handling sensitive user data require: passwords, credit card numbers and so on. It opened with an overview of the protocols. HTTP is the most common protocol for browsing the web and runs on port 80, carrying everything in the clear. HTTPS is HTTP over Secure Socket Layer (SSL), which adds encryption and uses port 443 by default. This matters even if you are home alone: on a cable connection you share the line with the other people on the block.

One of the techniques used with PHP is redirecting requests from port 80 to port 443. Another is having a form submit over SSL. PHP can also secure data passed through sessions and apply it to permissions; finally there are cookies. The talk covered how to talk to servers securely and how to store passwords securely.

Richard showed a repository he had used in an earlier course at a training center. One example was a registration page with added security: it forwards the user to the HTTPS page, and then a further layer analyzes the password input to make sure the user is choosing a secure password.

The first step was reading the code. It has a function that creates a couple of tables in a MySQL database; the two tables are related to each other, hold different data, and only need to be created once.

The next part of the code was a forwarder that redirects the user from plain HTTP to the more secure HTTPS depending on where the user comes from. This uses an if statement on a server variable ($_SERVER) to either redirect users to another server or keep them on the same one: if you access the page from a foreign location it sends the user to the remote host, while localhost keeps the user on the same server.

The next function handled the lifetime of user sessions. Sessions have a lifespan, and if the user does nothing on the page the server logs the user out so they have to authenticate again. Here Richard includes a separate file holding server settings such as how long the lifespan is. He also added some lines for the case where the value comes from a cookie rather than a server value, using setcookie() with a value less than 42000 milliseconds.

The next function was password validation: basically a filter that takes the password, measures its length, and splits it into an array. That array is then run through a series of filters looking for lower case, upper case and then special characters.

One of Richard's recommendations was to use the mysqli functions instead of the mysql ones: instead of mysql_connect(), use mysqli_init() and mysqli_real_connect(), which give a better persistent connection.

Other topics were the use and manipulation of sessions: setting the session variables and finally displaying the web content. Error management was encapsulated in its own section of the code so it is more readable and manageable. Session variables were used for the name and password, and then the HTML and the content block were displayed.
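The HTTP-to-HTTPS forwarder described above, written out as an added example (this is not the code from Richard's repository). It assumes PHP itself terminates TLS, so `$_SERVER['HTTPS']` is authoritative; the allowed host list and the local-address check are my own assumptions, added so a spoofed `Host` header cannot turn the redirect into an open redirect.

```php
<?php
// Added example: redirect plain-HTTP visitors to HTTPS, keep localhost as is.
// Assumption: no TLS-terminating proxy in front of PHP. If there is one, trust
// X-Forwarded-Proto only when REMOTE_ADDR is that proxy.

function is_https(array $server): bool
{
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

// Developers on the same machine stay on the local server (the talk's "localhost" case).
function is_local_client(array $server): bool
{
    $addr = $server['REMOTE_ADDR'] ?? '';
    return in_array($addr, ['127.0.0.1', '::1'], true);
}

// Returns the HTTPS URL to send the client to, or null if no redirect is needed.
function https_redirect_target(array $server, array $allowedHosts): ?string
{
    if (is_https($server) || is_local_client($server)) {
        return null;
    }
    // Host comes from the client's Host header, so only accept names we serve.
    $host = $server['HTTP_HOST'] ?? '';
    if (!in_array($host, $allowedHosts, true)) {
        $host = $allowedHosts[0];
    }
    $uri = $server['REQUEST_URI'] ?? '/';
    return 'https://' . $host . $uri;
}

function enforce_https(): void
{
    $allowed = ['www.example.com', 'example.com']; // assumed host names
    $target = https_redirect_target($_SERVER, $allowed);
    if ($target !== null) {
        header('Location: ' . $target, true, 301);
        exit;
    }
    // Already on HTTPS: ask browsers to go straight to HTTPS next time (HSTS).
    header('Strict-Transport-Security: max-age=31536000');
}

enforce_https();
// ... rest of the registration page follows ...
```

Put the call at the very top of the page, before any output, since `header()` cannot be sent once the body has started. A form on this page can then use a relative `action`, because the browser is already on the HTTPS origin and will submit over SSL.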
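The session lifespan check, the password filter and the mysqli_init()/mysqli_real_connect() recommendation from the later paragraphs, combined into one added example; this is my own code, not the repository shown in the talk. The `SESSION_LIFETIME` and `DB_*` constants stand in for the separate settings file the talk mentions, and the `users` table columns are assumed. setcookie()'s expiry argument is a Unix timestamp in seconds, so the expire-the-cookie line uses `time() - 42000`, the idiom from the PHP manual's session_destroy() example.

```php
<?php
// Added example: idle-session timeout, password strength filter, mysqli connection.
// Constructed settings; in the talk these live in a separate included file.
const SESSION_LIFETIME = 600;          // seconds of inactivity allowed
const DB_HOST = 'localhost';
const DB_USER = 'app';
const DB_PASS = 'change-me';           // placeholder credential
const DB_NAME = 'site';

function start_secure_session(): void
{
    // Cookie only over HTTPS, not readable by JavaScript, not sent cross-site.
    session_set_cookie_params([
        'lifetime' => 0, 'secure' => true, 'httponly' => true, 'samesite' => 'Strict',
    ]);
    session_start();
}

// Returns false (and destroys the session) if the user was idle too long.
function enforce_session_timeout(int $now, int $lifetime = SESSION_LIFETIME): bool
{
    if (isset($_SESSION['last_activity']) && ($now - $_SESSION['last_activity']) > $lifetime) {
        $_SESSION = [];
        if (ini_get('session.use_cookies')) {
            // Expire the client's session cookie with a timestamp in the past.
            $p = session_get_cookie_params();
            setcookie(session_name(), '', time() - 42000,
                      $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        }
        session_destroy();
        return false;
    }
    $_SESSION['last_activity'] = $now;
    return true;
}

// Length check, then split into an array of characters and filter each class.
// strlen/str_split work on bytes, so a multibyte character counts as "special".
function password_is_strong(string $pw, int $min = 8): bool
{
    if (strlen($pw) < $min) {
        return false;
    }
    $lower = $upper = $digit = $special = false;
    foreach (str_split($pw) as $c) {
        if (ctype_lower($c))      { $lower = true; }
        elseif (ctype_upper($c))  { $upper = true; }
        elseif (ctype_digit($c))  { $digit = true; }
        else                      { $special = true; }
    }
    return $lower && $upper && $digit && $special;
}

// mysqli_init() + mysqli_real_connect() instead of the removed mysql_connect().
function db_connect(): mysqli
{
    $link = mysqli_init();
    mysqli_options($link, MYSQLI_OPT_CONNECT_TIMEOUT, 5);
    if (!mysqli_real_connect($link, DB_HOST, DB_USER, DB_PASS, DB_NAME)) {
        throw new RuntimeException('DB connect failed: ' . mysqli_connect_error());
    }
    return $link;
}

// Registration flow: timeout check, password filter, hashed insert via prepared statement.
start_secure_session();
if (!enforce_session_timeout(time())) {
    header('Location: /login.php');
    exit;
}
$error = null;
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $name = $_POST['name'] ?? '';
    $pw   = $_POST['password'] ?? '';
    if (!password_is_strong($pw)) {
        $error = 'Password needs 8+ characters with lower case, upper case, a digit and a special character.';
    } else {
        $link = db_connect();
        $stmt = mysqli_prepare($link, 'INSERT INTO users (name, password_hash) VALUES (?, ?)');
        $hash = password_hash($pw, PASSWORD_DEFAULT);   // store a hash, never the password
        mysqli_stmt_bind_param($stmt, 'ss', $name, $hash);
        mysqli_stmt_execute($stmt);
        $_SESSION['name'] = $name;                       // keep only the name in the session
    }
}
```

The prepared statement binds `$name` and `$hash` as parameters, which is the main reason to prefer mysqli over the old mysql extension: user input never becomes part of the SQL text. Keeping the password out of `$_SESSION` and storing only `password_hash()` output means a leaked session file or database dump does not expose credentials.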
