Forum Moderators: coopster
Well, I have just a couple more issues to deal with on the site I am building. I'm looking back on the project I have been working on for the past couple of months and I am surprised I did it. I know I couldn't have done it without all the help I received from this forum... once again THANKS! :)
The last two (well not last, but last until it goes live - then more updates will be needed) are security issues. I have an admin section that I need to password protect. I can make a login section based on tutorials I have seen and by just fooling around, but security is the main issue I am worried about with it. All the tutorials I read said this isn't the most secure way of doing it. I was curious what many people here found to be a secure way of creating a login section. If so, how did you do it? Did you use a tutorial? How about remembering a person, how did you incorporate that feature?
That is the first issue....
The second is error reporting. Currently I have it reporting all errors, but that feature will now have to be turned off. How do I set it to report in error logs that I can check? Does this depend on the hosting company?
Also, I actually just remembered one more thing I have to do. I need to have verification of variables. Currently in my address bar I have itemdetails.php?product_id=89. How do I set it so it checks the product_id variable and makes sure it's an integer and not a variable containing ";Drop Database ******;"
I was planning on having two users, 1 with full permissions and the other with just read permissions, but for some reason my hosting company can't set that up.
I guess that is 3 issues, not just 2.
Any and all help is really appreciated. :)
Thanks again for your help.
Wes
1) To create your own login system. I have my own and it is session based. I am sure these kinds of systems are secure.
2) You can use just a simple .htaccess file (if you are using Linux-based hosting) to protect the admin directory. Well, admin levels are not an option here.
Regarding the error handling, if you are unable to edit the httpd.conf (Apache configuration file), you are not able to handle the errors in the way you want. Contact your hosting company. Or change it :)
The last issue is not a problem:
<?php
$data = "333";
// To ensure the data consists of digits only (not alphanumeric: the
// character class below admits nothing but 0-9).
// ereg() was removed in PHP 7, so preg_match() with the same pattern is used here.
if (preg_match('/^[[:digit:]]+$/', $data)) {
    echo "yes";
} else {
    echo "no";
}
?>
[webmasterworld.com...]
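The two remaining questions from the opening post, sending errors to a log instead of the browser and checking product_id before it reaches SQL, are shown together below. This is an added example, not code from the thread or from either poster; the log path, the DSN and credentials, and a `products` table with an integer `product_id` column are assumptions.

```php
<?php
// Added example, not from the original thread. Assumed: a writable log file
// outside the web root, a PDO DSN with read-only credentials, and a table
// named `products` with an integer `product_id` column.

// 1. Error reporting: keep logging everything, but stop showing it to visitors.
//    These ini_set() calls work without access to httpd.conf, as long as the
//    host has not locked the settings down (php_admin_value in Apache).
error_reporting(E_ALL);
ini_set('display_errors', '0');   // never echo errors (paths, SQL, stack traces) to the browser
ini_set('log_errors', '1');
ini_set('error_log', __DIR__ . '/../logs/php-error.log'); // assumed path, not web-accessible

// 2. Validate product_id as a plain positive integer before it goes anywhere
//    near SQL. FILTER_VALIDATE_INT rejects "15monkeys", "1e3", "12.0" and
//    "89; DROP DATABASE shop"; the min_range option rejects 0 and negatives.
function productIdFromRequest(array $request): ?int
{
    if (!isset($request['product_id']) || !is_string($request['product_id'])) {
        return null;
    }
    $id = filter_var($request['product_id'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

// 3. Even with a validated integer, use a prepared statement: the value
//    travels as a bound parameter and is never spliced into the query text.
function loadProduct(PDO $db, int $productId): ?array
{
    $stmt = $db->prepare(
        'SELECT product_id, name, price FROM products WHERE product_id = :id'
    );
    $stmt->bindValue(':id', $productId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$productId = productIdFromRequest($_GET);
if ($productId === null) {
    http_response_code(400);
    // Log the rejected value for your own review; the visitor gets nothing specific.
    error_log('itemdetails.php: rejected product_id='
        . var_export($_GET['product_id'] ?? null, true));
    exit('Invalid product id.');
}

// Assumed DSN and credentials; a read-only account is enough for this page.
$db = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'shop_ro', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
]);

$product = loadProduct($db, $productId);
if ($product === null) {
    http_response_code(404);
    exit('No such product.');
}
echo htmlspecialchars($product['name'], ENT_QUOTES, 'UTF-8');
```

With `display_errors` off, a PDOException on a bad query is still written to the log file named in `error_log` (check that the web server user can write there), so the information goes to you and not to whoever is probing the URL. The separate read-only database user the hosting company would not create is only defence in depth here; the prepared statement is what keeps the `;DROP DATABASE` payload from ever being parsed as SQL.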
1) To create your own login system. I have my own and it is session based. I am sure these kinds of systems are secure.
There is no such thing as being *sure* something is secure.
The question is, how valuable is the data? Do you just sort of want to keep people out or want them to register? Then yes, sessions over a non-secure connection are probably fine.
Credit card numbers? Personal information that could result in harm or injury if released? Then you need to really lock things down and most definitely wouldn't want to do it yourself.
Tom
The question is, how valuable is the data? Do you just sort of want to keep people out or want them to register? Then yes, sessions over a non-secure connection are probably fine.
That is right - I am using this method for password protected areas. The members should register prior to using the protected functionality. It works for all kinds of "mass" websites such as classifieds, etc.
Credit card numbers? Personal information that could result in harm or injury if released? Then you need to really lock things down and most definitely wouldn't want to do it yourself.
Well, if you need an area where the customer needs to enter some sensitive information such as credit card info, there may be only one way to do it - the same as above but using the SSL protocol/certificate.
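A session-based login of the kind discussed in the replies above, plus the "remember me" feature asked about in the opening post, as an added example. This is not code from the thread or from any poster; it assumes HTTPS (so the cookies can be marked Secure), a `users` table with `user_id`, `username` and `password_hash` columns, a `remember_tokens` table, and the redirect path shown. PHP 7.3 or later is assumed for the array form of session_set_cookie_params().

```php
<?php
// Added example, not from the original thread. Assumed: HTTPS, a `users`
// table (user_id, username, password_hash from password_hash()), a
// `remember_tokens` table (user_id, token_hash, expires_at), PHP >= 7.3.
declare(strict_types=1);

function startSecureSession(): void
{
    session_set_cookie_params([
        'lifetime' => 0,         // session cookie, gone when the browser closes
        'path'     => '/',
        'secure'   => true,      // only sent over HTTPS
        'httponly' => true,      // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1');  // refuse session ids the server did not issue
    session_start();
}

// Returns the user id on success, null on failure. Same message either way,
// and password_verify() runs even for unknown usernames so the response time
// does not reveal which accounts exist.
function login(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT user_id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $hash = $row['password_hash'] ?? password_hash('placeholder', PASSWORD_DEFAULT); // dummy hash, assumed
    $ok   = password_verify($password, $hash) && $row !== false;
    if (!$ok) {
        return null;
    }
    session_regenerate_id(true);       // new id on privilege change: blocks session fixation
    $_SESSION['user_id']   = (int) $row['user_id'];
    $_SESSION['logged_in'] = time();
    return (int) $row['user_id'];
}

// Put this at the top of every admin page.
function requireLogin(): int
{
    if (empty($_SESSION['user_id'])) {
        header('Location: /admin/login.php', true, 303);   // assumed path
        exit;
    }
    return (int) $_SESSION['user_id'];
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
    setcookie('remember', '', ['expires' => 1, 'path' => '/']);
}

// "Remember me": the cookie carries a random token, the database stores only
// its hash, so a copied database cannot be replayed as a login.
function issueRememberToken(PDO $db, int $userId): void
{
    $token   = bin2hex(random_bytes(32));
    $expires = time() + 30 * 86400;
    $stmt = $db->prepare(
        'INSERT INTO remember_tokens (user_id, token_hash, expires_at) VALUES (:u, :h, :e)'
    );
    $stmt->execute([
        ':u' => $userId,
        ':h' => hash('sha256', $token),
        ':e' => date('Y-m-d H:i:s', $expires),
    ]);
    setcookie('remember', $token, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// login.php (assumed): $db is the PDO connection set up elsewhere.
startSecureSession();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $uid = login($db, (string) ($_POST['username'] ?? ''), (string) ($_POST['password'] ?? ''));
    if ($uid === null) {
        http_response_code(401);
        exit('Login failed.');
    }
    if (!empty($_POST['remember'])) {
        issueRememberToken($db, $uid);
    }
    header('Location: /admin/', true, 303);
    exit;
}
```

On a later visit without a session, the remember cookie is checked by hashing its value with the same SHA-256 and looking the hash up with a prepared statement (the same pattern as in `login()`), then calling `session_regenerate_id(true)` and setting `$_SESSION['user_id']` exactly as a password login does. Whether this is "secure enough" comes back to Tom's point: for an admin area with nothing more than site content behind it, this plus HTTPS is reasonable; for card data, hand the sensitive part to a payment provider rather than storing it yourself.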
Instead of is_numeric, you could always use (int) to cast the value to an integer
If I want to be sure something is an integer, I use is_numeric() to filter out strings like 15monkeys. Then assuming it's a number, I use is_int($i+0), which will implicitly cast it as a number and test to see if it's an integer. That filters out values like the ones that Timotheos mentioned.
If you cast 15monkeys as an integer, you will get the value 15, whereas usually I would just want to reject that data and flag an error.
Tom
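The three approaches discussed in the last few posts, `(int)` casting, `is_numeric()` followed by `is_int($i+0)`, and a strict digit check, behave differently on the inputs that actually turn up in `?product_id=`. The block below runs them side by side; it is an added example, not code from any poster, and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not from the original thread. Compares the integer checks
// proposed above on constructed inputs; run from the command line.

function checks(string $raw): array
{
    return [
        // Silent truncation: "15monkeys" becomes 15, "89; DROP ..." becomes 89.
        '(int) cast'    => (int) $raw,
        // Accepts anything PHP can read as a number, including floats and exponents.
        'is_numeric'    => is_numeric($raw),
        // Tom's method: is_numeric() first, so $raw + 0 never sees a non-numeric
        // string (which would warn or throw), then require the result to be an int.
        'is_int($i+0)'  => is_numeric($raw) && is_int($raw + 0),
        // Digits only: rejects signs, whitespace, exponents and decimals.
        'ctype_digit'   => ctype_digit($raw),
        // PHP's own integer validator: returns the int, or false on anything else.
        'filter_var'    => filter_var($raw, FILTER_VALIDATE_INT),
    ];
}

$samples = [
    '89',                      // the normal case
    '15monkeys',               // (int) gives 15, the other checks reject it
    '1e3',                     // is_numeric true, but 1e3 + 0 is float(1000), so is_int fails
    '12.0',                    // numeric, not an integer
    '0x1A',                    // not numeric in PHP 7 and later
    '-5',                      // a valid integer, but not a valid product id
    '89; DROP DATABASE shop',  // the payload from the opening post
];

printf("%-26s %-12s %-11s %-13s %-12s %s\n",
    'input', '(int) cast', 'is_numeric', 'is_int($i+0)', 'ctype_digit', 'filter_var');
foreach ($samples as $s) {
    $c = checks($s);
    printf("%-26s %-12s %-11s %-13s %-12s %s\n",
        var_export($s, true),
        var_export($c['(int) cast'], true),
        var_export($c['is_numeric'], true),
        var_export($c['is_int($i+0)'], true),
        var_export($c['ctype_digit'], true),
        var_export($c['filter_var'], true));
}
```

The cast never rejects anything, which is exactly why Tom prefers to flag bad input rather than silently use 15 for "15monkeys"; `is_numeric()` alone lets floats and exponent notation through; `is_int($i+0)` and `filter_var()` with FILTER_VALIDATE_INT both do what was wanted, and only the last of them also accepts "-5", so a range check (`> 0`) still belongs after whichever check you pick.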