Question

Posted (edited)

Well guys, I'm currently coding a Control Panel written in PHP, obviously (mainly for learning purposes).

Anybody got some tips on security? I have searched online but a lot of stuff is outdated, so I just want to make sure!

  • Registering
  • Logging In
  • Other SQL related tasks

Edited by Obliterate

2 answers to this question

Posted

  • Registration
    • Check the sex; some panels allow the server 'S' sex to be used.
    • Check that the username is not already in use (be aware this check can be used to find other usernames).
    • Check the mail.
    • Make sure a player doesn't create 6500 accounts on your server (captcha?).
  • Logging in
    • Block if there are too many attempts to connect (bad user/bad pass), using a captcha or another check.
    • Don't write a specific message for each error ("bad password" or "bad user"), to avoid revealing a specific username.
  • Other SQL related tasks
    • Use PDO to block a big part of SQL injection.
    • Don't use privileges that you don't need (don't use write access when you just need to read data from your SQL data).
  • Others
    • Be aware with cookie, get, post, referer, ... data, since it can be changed client-side.
    • Be aware, when a player requests an action in your panel, you need to check that he asked for it beforehand (example: delete character, etc.); it can be used in all current panels to abuse another session to do what you want.
    • Hide PHP errors.

etc. etc.

There are a lot of possible exploits, and doing a panel is good for learning purposes since you have to check each entry.

Posted

Registering:

  • Check username length and allow only numbers and letters to be used; better to use both server-side (more important) and client-side validation.
  • Have a captcha and a special Q&A as verification that the user is a real human.
  • Email validation or verification.

Login:

  • Log its IP address.
  • As keyworld said, better not to give a specific error.

Other SQL Related Tasks:

  • Use mysql_real_escape_string($value) for every value that came from URLs and users.
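Putting the points from both answers together (server-side username validation, PDO prepared statements, password hashing, one generic login error, a lockout counter and hidden PHP errors) as an added example; this is not code from either poster, and it assumes a hypothetical MySQL table `accounts(username VARCHAR UNIQUE, pass_hash VARCHAR, fail_count INT)`:

```php
<?php
// Added example, not code from the thread. Assumes a MySQL table
// `accounts(username VARCHAR UNIQUE, pass_hash VARCHAR, fail_count INT)`.
ini_set('display_errors', '0');              // never show PHP errors to the client

function connect(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
}

// Registration: validate server side, let the UNIQUE key decide duplicates
// (a SELECT-then-INSERT check has a race between the two statements).
function register(PDO $db, string $username, string $password): bool
{
    if (!preg_match('/^[A-Za-z0-9]{4,16}$/', $username) || strlen($password) < 8) {
        return false;
    }
    $stmt = $db->prepare('INSERT INTO accounts (username, pass_hash) VALUES (:u, :h)');
    try {
        return $stmt->execute([':u' => $username,
                               ':h' => password_hash($password, PASSWORD_DEFAULT)]);
    } catch (PDOException $e) {
        if ($e->getCode() === '23000') {     // duplicate key: name already taken
            return false;
        }
        throw $e;
    }
}

// Login: one generic result for bad user and bad password, plus a lockout counter.
function login(PDO $db, string $username, string $password): bool
{
    static $dummyHash = null;
    $dummyHash ??= password_hash('placeholder', PASSWORD_DEFAULT);

    $stmt = $db->prepare('SELECT pass_hash, fail_count FROM accounts WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always run password_verify so unknown and known users take similar time.
    $ok = password_verify($password, is_array($row) ? $row['pass_hash'] : $dummyHash);
    if (!is_array($row) || (int)$row['fail_count'] >= 5) {
        return false;                        // unknown user or locked account
    }
    $sql = $ok ? 'UPDATE accounts SET fail_count = 0 WHERE username = :u'
               : 'UPDATE accounts SET fail_count = fail_count + 1 WHERE username = :u';
    $db->prepare($sql)->execute([':u' => $username]);
    return $ok;
}
```

The caller shows the same "invalid username or password" message whenever `login()` returns false, so neither the existence of the account nor the lockout state is revealed to the client.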
