<p>The other submitted answers offer good advice, but to break it down into a system of rules:</p>
<ol>
  <li><h2>Be paranoid</h2>
    <ol>
      <li>Assume that your users are actively hostile.</li>
      <li>Assume that your code isn't secure.</li>
      <li><h3>Verify (client-side <strong>and</strong> server-side) everything:</h3>
        <ol>
          <li>...that your users submit.</li>
          <li>...that you store in your database.</li>
          <li>...that you read from the database.</li>
        </ol>
      </li>
      <li>Don't allow your users to see any error messages that you didn't create. If <code>verify_username() expects exactly two parameters</code>, don't let your users <em>ever</em> see that error message. They shouldn't know the names of your functions, nor what they expect to work with, output or fail on.</li>
    </ol>
  </li>
  <li><h2>Be smart</h2>
    <ol>
      <li>Your code, and mine, sucks; keep on top of new work.</li>
      <li>Read around the subject, even the ones you find dull, and <strong>definitely</strong> the ones you have trouble understanding.</li>
      <li>Assume your users are smarter than you (those that <em>are</em> actively hostile are probably more experienced than you at breaking your locks).</li>
      <li>Have error checks for everything you can think of, and then ask a child of around four to press everything and fill in any forms/fields you might have. If something goes crazy (an alphanumeric instead of an integer, or anything else), add error conditions to stop it exposing your script's internals to the world.</li>
      <li>Move everything you possibly can <em>outside</em> of the web root to prevent any chance of a user accessing your scripts from another site or their machine.</li>
    </ol>
  </li>
</ol>
<p>That might be a little bleak, or cynical, but even with those rules I don't think we'll be 'safe.' Security's one of the oldest forms of a war of escalation; some we win and some we lose, but we'll only ever hear about the losses. And we're unlikely to ever hear about all of those.</p>
<p>Just do your best to keep those in mind, and then, if you think of any more-paranoid means to effect your site's security, don't hesitate to become <em>more</em> practically-paranoid. And feed back to the community; we <em>all</em> need help with this.</p>
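<p>As an added illustration of rules 1.3 and 1.4 above (example code written for this page, not from the answer or its author): the server re-validates a submitted username against a whitelist regardless of any client-side check, shows the user only the validation messages it wrote itself, and turns every other failure into a generic message while the real traceback goes to the server log. The function names and the constructed form inputs are this example's own assumptions.</p>

```python
import logging
import re

# Added example, not part of the original answer. validate_username,
# create_account and handle_signup are assumed names for this illustration.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")
# Internal details are logged where operators, not users, can read them.
log = logging.getLogger("signup")


class ValidationError(ValueError):
    """Raised for input that fails the server-side whitelist check."""


def validate_username(raw):
    # Rule 1.3: never rely on client-side checks; re-validate what was submitted.
    if not isinstance(raw, str):
        raise ValidationError("username must be a string")
    if not USERNAME_RE.fullmatch(raw):
        raise ValidationError("username must be 3-32 letters, digits or '_'")
    return raw


def create_account(username, password):
    # Stand-in for a persistence layer; raises to simulate an internal failure
    # whose message must never reach the browser.
    if password == "":
        raise TypeError("create_account() expects a non-empty password")
    return {"username": username}


def handle_signup(form):
    """Return (http_status, body) for a submitted form given as a dict."""
    try:
        username = validate_username(form.get("username"))
        account = create_account(username, form.get("password", ""))
        return 201, {"ok": True, "username": account["username"]}
    except ValidationError as exc:
        # Messages we wrote ourselves describe only the input rule, so they are safe to show.
        return 400, {"ok": False, "error": str(exc)}
    except Exception:
        # Rule 1.4: log the traceback for operators, hand the user a generic message
        # so function names and signatures are never disclosed.
        log.exception("internal error handling signup")
        return 500, {"ok": False, "error": "Something went wrong. Please try again."}


if __name__ == "__main__":
    # Constructed sample submissions: valid, failing validation, internal failure.
    for form in ({"username": "alice_1", "password": "x"},
                 {"username": "bad name!", "password": "x"},
                 {"username": "alice", "password": ""}):
        print(handle_signup(form))
```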