
client registration and security


wasproject

9:11 am on Jul 12, 2005 (gmt 0)

10+ Year Member



Dear reader.

Instigated by Full Member caspita's reaction to my query regarding a simple asp forum (see the first 2 (from the bottom) 'recent messages' in my user profile on the left), I have recently started to learn php which is possibly the best move for my IT skills so far.

After studying various outstanding online tutorials, I have successfully installed and re-configured easyphp, then created and implemented a registration, activate registration, login and forum from scratch using functions like mysql_escape_string(), session_start(), mail() etc., while storing the user-defined functions in 2 wrapper classes.

Extensive research regarding security in an (easy)php environment, however, has led me to my query: "Should I consider the possibility that, since variables like $password are probably often used for obvious purposes, they present a security risk, and should I therefore consider using alternative, less obvious variable names?"

I will respond to your well meant input by responding to another one's query on a webmasterworld forum. Nevertheless, you will have put me in your debt forever.

Regards.

vincevincevince

9:17 am on Jul 12, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Assuming it's on from the question you ask, you should turn register_globals to off within your php.ini file.

This will vastly reduce any risk of people overwriting the variables with their own.

Well-written code is not in danger of attack in the way you suggest. In order to attack well-written code, an attacker with such skill is easily able to read your source code, and any strange variable names along with it.
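As an added illustration of the two points above (this is not code from the thread), the following PHP shows why a variable that is assigned only on the success path is fragile when request data can seed variables, and how initialising it first closes the gap. The `extract()` call stands in for register_globals so the script runs on any PHP version; the runtime check of `ini_get('register_globals')` is an assumed policy, not something the post prescribes.

```php
<?php
// Added example, not from the thread. Demonstrates why register_globals must be
// off and why every variable should be initialised before it is tested.

// Policy check (assumption): refuse to serve anything while register_globals is
// on, instead of trusting that php.ini was edited on every server.
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('register_globals is enabled; fix php.ini before running this site.');
}

// Fragile pattern: $authorized is set only when the session check passes.
// extract() copies every request key into a local variable, which is exactly
// what register_globals did to the global scope before the script ran.
function fragileIsAuthorized(array $session, array $request)
{
    extract($request);                      // simulates register_globals=on
    if (isset($session['user_id'])) {
        $authorized = true;
    }
    return !empty($authorized);             // may be reading a request value
}

// Hardened pattern: the variable is initialised first, so its value can only
// come from this function's own logic, and request data is never turned into
// variables. Read input through $_POST / $_GET explicitly instead.
function hardenedIsAuthorized(array $session)
{
    $authorized = false;
    if (isset($session['user_id']) && is_int($session['user_id'])) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed inputs standing in for $_SESSION and $_GET.
$anonymousSession = array();
$loggedInSession  = array('user_id' => 7);
$plainRequest     = array('page' => 'profile');
$seededRequest    = array('page' => 'profile', 'authorized' => '1');

var_dump(fragileIsAuthorized($anonymousSession, $plainRequest));
var_dump(fragileIsAuthorized($anonymousSession, $seededRequest));   // request parameter decides
var_dump(hardenedIsAuthorized($anonymousSession));
var_dump(hardenedIsAuthorized($loggedInSession));
```

Run it with `php` from the command line. The second `var_dump` is the case the thread is about: with an anonymous session, the fragile function's answer depends on a parameter name in the request, while the hardened one does not, regardless of what the variable is called.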

wasproject

9:55 am on Jul 12, 2005 (gmt 0)

10+ Year Member



Thanks for your record-breaking speed reaction vincevincevince.

I can but agree with you. I am just trying to make sure that I have not overlooked any loopholes.

Would you agree that, if 1) register_globals is turned off and 2) all variables are initialised before being used, this will sufficiently protect the source, or would you say 3) that is not what you mean by 'well-written code' and 4) still advise the use of mysql_escape_string(), crypt() and the like?

Regards

vincevincevince

10:08 am on Jul 12, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



With register_globals off, and well-written code in which you know where your data is coming from and sanitize it accordingly, then your security level is a server-level concern.

Ask yourself:
Does anyone else have access to my FTP account and can read or change my source?
Who has root / root ssh access to the server and can read or change my source?
Are my passwords secure and regularly changed?
Is my MySQL server authenticating properly - can the authentication packets be sniffed - is it on the same server or a different server?
Am I caching my passwords in my web browser (is this a security risk for me)?
etc...
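As an added example of "knowing where your data is coming from and sanitizing it accordingly" (not code from the thread; it uses PDO prepared statements and password_hash() in place of the mysql_escape_string() and crypt() calls mentioned earlier, and assumes PHP 5.5 or later with the pdo_sqlite extension so that it runs stand-alone), here is a registration, activation and login core in which every external value enters through a function argument and reaches SQL only as a bound parameter:

```php
<?php
// Added example, not from the thread. Registration, activation and login
// where every value from the request enters through a function argument and
// reaches the database only as a bound parameter. Assumes PHP >= 5.5
// (password_hash / password_verify) and pdo_sqlite; the schema is constructed
// for the example.

function openDb()
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
                   id            INTEGER PRIMARY KEY,
                   username      TEXT    NOT NULL UNIQUE,
                   password_hash TEXT    NOT NULL,
                   activated     INTEGER NOT NULL DEFAULT 0)');
    return $db;
}

// Registration: validate the shape of the input and reject anything else;
// store a salted, slow hash rather than the password itself.
function registerUser(PDO $db, $username, $password)
{
    if (!is_string($username) || !preg_match('/^[A-Za-z0-9_]{3,32}$/', $username)) {
        return false;
    }
    if (!is_string($password) || strlen($password) < 8) {
        return false;
    }
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute(array(
        ':u' => $username,
        ':h' => password_hash($password, PASSWORD_DEFAULT),
    ));
    return (int) $db->lastInsertId();
}

// Activation: in a real deployment the e-mailed link would carry a random
// token; the numeric id alone is used here to keep the example short.
function activateUser(PDO $db, $userId)
{
    $stmt = $db->prepare('UPDATE users SET activated = 1 WHERE id = :id');
    $stmt->execute(array(':id' => (int) $userId));
    return $stmt->rowCount() === 1;
}

// Login: returns the user id on success, false otherwise. The username is a
// bound parameter, so a quote inside it is data, not SQL. A dummy hash is
// verified for unknown users so response time does not reveal whether the
// name exists.
function authenticate(PDO $db, $username, $password)
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy-password', PASSWORD_DEFAULT);
    }
    $stmt = $db->prepare('SELECT id, password_hash, activated FROM users WHERE username = :u');
    $stmt->execute(array(':u' => (string) $username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        password_verify((string) $password, $dummyHash);
        return false;
    }
    if (!password_verify((string) $password, $row['password_hash'])) {
        return false;
    }
    if ((int) $row['activated'] !== 1) {
        return false;                       // registered, activation link not used yet
    }
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute(array(':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']));
    }
    return (int) $row['id'];
}

// Constructed inputs standing in for $_POST['username'] and $_POST['password'].
$db = openDb();
$id = registerUser($db, 'alice', 'correct horse battery');
activateUser($db, $id);

var_dump(authenticate($db, 'alice', 'correct horse battery'));   // success: user id
var_dump(authenticate($db, 'alice', 'not her password'));        // wrong password
var_dump(authenticate($db, "o'brien", 'anything'));              // quote is plain data, no SQL error
var_dump(registerUser($db, 'bob smith', 'longenough'));          // rejected by the username rule
```

Two points the thread's function list does not cover: mysql_escape_string() escapes without knowing the connection's character set (mysql_real_escape_string() does, and both belong to the removed mysql extension), whereas a bound parameter never becomes part of the SQL text at all; and after a successful authenticate() call in a real request, calling session_regenerate_id(true) before storing the user id in $_SESSION prevents a session id chosen before login from surviving it.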

wasproject

10:21 am on Jul 12, 2005 (gmt 0)

10+ Year Member



Thanks again vincevincevince.

I conclude that I've still got a lot of catching up to do and I will amend my code accordingly as I go along.

May wisdom and compassion continue to light your path, always.