Question

I'm building an app that will store some of our clients details, things like usernames / passwords, information that we need to remember and keep secure.

What's the best method for storing this information securely?


Solution

Such an open-ended question with not a lot of detail to go on. I'd suggest reading Chris Shiflett's excellent "Essential PHP Security" before you go any further. It's short, to the point and very practical.

There's also a reasonable amount of advice available from the book's website at http://phpsecurity.org/

OTHER TIPS

Devlounge have a very good article on security.

http://www.devlounge.net/code/php-security

Using a PHP framework for security

If you want to get PHP security setup quickly without doing a load of research, a PHP framework would be a good idea.

I am a fan of CodeIgniter but other options include CakePHP and Zend.

Using a framework for security will mean you get a tried and tested method straight away, however there may be some time and effort needed to learn the framework.

A full list of PHP frameworks can be found on Wikipedia.

Pretty simple actually. Set up a quick MySQL database, and a user table. In that user table, store the usernames in a column and a hashed version of the password in another column.

As added security, I like to generate a random 8 character string and store that as well in each row - I call that column the "Keycode". When the user signs in with a correct username / password, I store their authentication in session variables AS WELL as the matching "Keycode".

That way, the session authentication can not only look for the right username / password, but quickly query the db, and check to see if the "Keycode" stored in the session variable is the same as the keycode in the row.

It works well because not even the user knows their keycode.

As far as passwords go you should store a hash of the password. Whenever you authenticate the user, you hash their inputted password and compare the result with what you've stored. This way you aren't storing the actual password.
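The username / hashed-password / "Keycode" scheme from the two answers above, written out as an added example (not code from the posters). It assumes a `users` table with `username`, `password_hash` and `keycode` columns, an in-memory SQLite database via PDO so it runs stand-alone, and a plain array in place of `$_SESSION`; it uses `password_hash()`/`password_verify()` and a CSPRNG for the keycode rather than the ad-hoc hashing PHP code of that era typically used.

```php
<?php
// Added example, not from the answers above: the username / hashed-password /
// "Keycode" scheme with password_hash() and an in-memory SQLite table so it
// runs stand-alone. Table and column names are assumptions for illustration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, password_hash TEXT NOT NULL, keycode TEXT NOT NULL)');

// Register: store only a salted, slow hash of the password, never the password.
function register(PDO $db, string $username, string $password): void {
    $hash    = password_hash($password, PASSWORD_DEFAULT); // bcrypt, per-user salt
    $keycode = bin2hex(random_bytes(4));                   // 8 hex chars from a CSPRNG
    $stmt = $db->prepare('INSERT INTO users (username, password_hash, keycode) VALUES (?, ?, ?)');
    $stmt->execute([$username, $hash, $keycode]);
}

// Login: re-hash the submitted password and compare; on success put the user id
// and the row's keycode in the session (regenerating the session id first).
function login(PDO $db, array &$session, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT id, password_hash, keycode FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a dummy hash for unknown users so both paths take similar time.
    $hash = $row ? $row['password_hash'] : password_hash('dummy', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || !$row) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) { session_regenerate_id(true); }
    $session = ['user_id' => $row['id'], 'keycode' => $row['keycode']];
    return true;
}

// Per-request check: the session stays valid only while its keycode still matches
// the row; changing the row's keycode invalidates every existing session at once.
function isAuthenticated(PDO $db, array $session): bool {
    if (!isset($session['user_id'], $session['keycode'])) { return false; }
    $stmt = $db->prepare('SELECT keycode FROM users WHERE id = ?');
    $stmt->execute([$session['user_id']]);
    $stored = $stmt->fetchColumn();
    return $stored !== false && hash_equals($stored, $session['keycode']);
}

// Demo with constructed credentials; $session stands in for $_SESSION.
$session = [];
register($db, 'alice', 'correct horse battery staple');
var_dump(login($db, $session, 'alice', 'wrong-password'));
var_dump(login($db, $session, 'alice', 'correct horse battery staple'));
var_dump(isAuthenticated($db, $session));
$db->exec("UPDATE users SET keycode = 'deadbeef' WHERE username = 'alice'");
var_dump(isAuthenticated($db, $session));
```

Rotating the row's keycode (on password change, or a "log out everywhere" action) is what makes the scheme useful beyond plain session auth: every session holding the old value fails the check on its next request.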

Licensed under: CC-BY-SA with attribution