I am at the point at my current website that I'm happy with it's functionality but still desire a better way to do things. To get an understanding, if I want to delete an uploaded photo I have to delete the MySQL entry manually and then delete the photos from their respective directories. It's slow but not something I need to do often, just something I did a lot in testing the scripts and stuff.
I did some research and it seems the new standard is crypt() and password_hash(). They create a salt automatically as well. That plus a login attempt limiter will help with brute force attempts. WikiHow has this article on creating a secure login with PHP & MySQL. They say I need to protect against the following:
My only point of SQL Injections would be the username and password right? As long as I strip and sanitize the input I'm safe?
Session Hijacking is mostly a cookie thing right? I'm not planning on setting cookies for logging in/staying logged in. My site is purely PHP & HTML.
Network Eavesdropping is something I am worried about. Mostly because I am on a shared host. Even if I move to a dedicated, it's a "VPN" on a shared dedicated; I may have my own IP but the resources on the server are shared and traffic within this server geolocation is not encrypted and other VPNs can supposedly read it. Not sure if it's the same idea on my current shared hosting. Eventually my goal is to eventually charge for the websites services (and as user count goes up) and I'll be able to move to a proper dedicated server. But, I have other hurdles to face long before that happens. I plan on 2-3 years before seeing an interest and maybe 3-4 years before moving to a real dedicated server.
I believe Cross Site Scripting is of little concern since my site doesn't utilize JavaScript, just PHP & MySQL. For now. Obviously, I want to code this in for future proofing but it's not huge on my priority list. However, is XSS something that can still affect me? I remember XSS being a huge issue with Facebook, but again that site uses much more than the languages I'm using here.
Again, brute force isn't something I'm overly concerned about because I feel like I have that fairly well covered. Is there anything I'm missing though? What's the proper way to store logins? I don't plan on keeping the salt hashes on the same table as the user credentials for security reasons. Is this the proper way to do this? For a site that'll have 2, maybe 5, users would be ideal to have a hard coded salt in the PHP? I realize it makes the passwords less secure though.
Again, this script is just for me. Eventually it'll be for, at most, 5 users and I don't expect any of this to be a huge problem. It doesn't mean I will not be prepared nor turn a blind eye towards. The script WikiHow provides is too much at once, it doesn't take the time to explain anything and I'm not a fan of copy-paste; I like to research functions and write my own code with my own verbose comments.
Any insight, anecdotes, tips, and resources are appreciated!
I did some research and it seems the new standard is crypt() and password_hash(). They create a salt automatically as well. That plus a login attempt limiter will help with brute force attempts. WikiHow has this article on creating a secure login with PHP & MySQL. They say I need to protect against the following:
- SQL Injections
- Session Hijacking
- Network Eavesdropping
- Cross Site Scripting
- Brute Force Attacks
My only point of SQL Injections would be the username and password right? As long as I strip and sanitize the input I'm safe?
Session Hijacking is mostly a cookie thing right? I'm not planning on setting cookies for logging in/staying logged in. My site is purely PHP & HTML.
Network Eavesdropping is something I am worried about. Mostly because I am on a shared host. Even if I move to a dedicated, it's a "VPN" on a shared dedicated; I may have my own IP but the resources on the server are shared and traffic within this server geolocation is not encrypted and other VPNs can supposedly read it. Not sure if it's the same idea on my current shared hosting. Eventually my goal is to eventually charge for the websites services (and as user count goes up) and I'll be able to move to a proper dedicated server. But, I have other hurdles to face long before that happens. I plan on 2-3 years before seeing an interest and maybe 3-4 years before moving to a real dedicated server.
I believe Cross Site Scripting is of little concern since my site doesn't utilize JavaScript, just PHP & MySQL. For now. Obviously, I want to code this in for future proofing but it's not huge on my priority list. However, is XSS something that can still affect me? I remember XSS being a huge issue with Facebook, but again that site uses much more than the languages I'm using here.
Again, brute force isn't something I'm overly concerned about because I feel like I have that fairly well covered. Is there anything I'm missing though? What's the proper way to store logins? I don't plan on keeping the salt hashes on the same table as the user credentials for security reasons. Is this the proper way to do this? For a site that'll have 2, maybe 5, users would be ideal to have a hard coded salt in the PHP? I realize it makes the passwords less secure though.
Again, this script is just for me. Eventually it'll be for, at most, 5 users and I don't expect any of this to be a huge problem. It doesn't mean I will not be prepared nor turn a blind eye towards. The script WikiHow provides is too much at once, it doesn't take the time to explain anything and I'm not a fan of copy-paste; I like to research functions and write my own code with my own verbose comments.
Any insight, anecdotes, tips, and resources are appreciated!