Ok, after being on this site for a while I find myself saying the same things over and over again, to pretty much the same questions. So I’ve decided to put together 3 simple tips for newbies when starting to create dynamic websites with PHP (and some JS).
1) ALWAYS validate form input, with PHP, not just JS. Today alone I have replied to 3 posts saying this, so basically: never trust the user – some WILL try to hack your site, either for fun or to be malicious. Learn some simple regular expressions to check that all the data they insert is the data you want. The reason why JS alone is not a satisfactory solution is simply because the user can switch it off, which means they can put anything they like in your form input.
2) ALWAYS validate session cookies. I don't get so many questions about this, but it is a serious problem I believe needs to be addressed. Stealing cookies is easy, there are 10 year olds out there that can do it, but most newbies think of cookies as safe (since they set them). Well, they're not; treat them like form data and you won't go far wrong.
3) NEVER send password data in sessions. I've seen many scripts (some which you can even BUY) that send password data in session cookies, then query it straight against the database. I don't care what anyone says, sending passwords in a session is not right, even if it's encrypted. There are many other safe ways around this problem, which is where Google and a little common sense come in.
Hope this helps some of you new programmers out there. Remember, when you're writing a program for the web, security must be the most important part of it.
Thank you for reading.
Ryan
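The three tips above in working PHP, as an added example that is not part of Ryan's post. It assumes PHP 7.3 or later, an open PDO connection in `$pdo`, and a `users` table with `id`, `email` and `password_hash` columns (all hypothetical names chosen for the example). Tip 1 is the server-side whitelist validation, tip 2 is checking what the session cookie points at before trusting it, and tip 3 is a login that keeps only the user id in the session, never the password.

```php
<?php
// Added example, not from the original post. Assumes PHP >= 7.3, a PDO connection in $pdo
// and a hypothetical `users` table with columns id, email, password_hash.
declare(strict_types=1);

// Cookie flags go before session_start(): HttpOnly keeps the id away from page scripts,
// Secure keeps it off plain HTTP. This limits the cookie theft the post warns about.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

/**
 * Tip 1: validate every field on the server, whitelist style.
 * Returns a list of error messages; an empty list means the input is acceptable.
 */
function validateRegistration(array $post): array
{
    $errors = [];

    $email = trim((string)($post['email'] ?? ''));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Invalid e-mail address.';
    }

    // Whitelist: 3-20 letters, digits or underscores. Anything else is rejected outright.
    $username = (string)($post['username'] ?? '');
    if (!preg_match('/^[A-Za-z0-9_]{3,20}$/', $username)) {
        $errors[] = 'Username must be 3-20 letters, digits or underscores.';
    }

    // Integers: filter_var with a range, not an (int) cast, which would silently turn "12abc" into 12.
    $age = filter_var($post['age'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 13, 'max_range' => 120]]);
    if ($age === false) {
        $errors[] = 'Age must be a whole number between 13 and 120.';
    }

    return $errors;
}

/**
 * Tip 3: check the password against a stored hash and keep only the user id in the session.
 * The password itself never reaches $_SESSION or any cookie.
 */
function login(PDO $pdo, string $email, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a throwaway hash when the e-mail is unknown, so "no such user" and
    // "wrong password" take roughly the same time and return the same answer.
    $hash = $row !== false ? $row['password_hash'] : password_hash('dummy', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || $row === false) {
        return false;
    }

    session_regenerate_id(true);   // fresh id on login so a pre-set (fixated) id is not promoted
    $_SESSION['user_id']    = (int)$row['id'];
    $_SESSION['ua_hash']    = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    $_SESSION['created_at'] = time();
    return true;
}

/**
 * Tip 2: treat the session cookie as untrusted input. Before using the session it selects,
 * check that it is complete, bound to the same client signature and not too old.
 */
function currentUserId(): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['ua_hash'], $_SESSION['created_at'])) {
        return null;
    }
    $uaOk  = hash_equals($_SESSION['ua_hash'], hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? ''));
    $fresh = (time() - (int)$_SESSION['created_at']) < 8 * 3600;   // 8-hour absolute lifetime
    if (!$uaOk || !$fresh) {
        session_unset();
        session_destroy();   // a stolen or stale cookie now points at nothing
        return null;
    }
    return (int)$_SESSION['user_id'];
}
```

Usage: call `validateRegistration($_POST)` before any database write and refuse the request if the returned list is non-empty; call `login($pdo, $_POST['email'], $_POST['password'])` once at sign-in; on every later page read the user through `currentUserId()` instead of trusting `$_SESSION['user_id']` directly. The user-agent binding is a cheap sanity check, not proof of identity; the flags set in `session_set_cookie_params` and the short lifetime do most of the work.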