I'm not a security expert at all, but...

The short answer to your question is that if you have to ask how to make
your code secure, then chances are, you probably shouldn't be attempting it
at all... but then again, we all have to learn somewhere...

Do a google search, and read thousands of articles relating to security
(even if it's not directly to do with what you want)... over time you'll
build a library in your head of issues that need to be resolved.

A key point in understanding security is to ask "what should I allow",
rather than "what should I make sure they don't do".

More comments inline:

on 26/06/03 7:01 PM, Siddharth Hegde ([EMAIL PROTECTED]) wrote:


> I want some advice and tips from experts on the following
> The server will be Red Hat Linux 7.3

I hope it's a dedicated box, with Telnet, FTP etc. blocked to all but your
own IP addresses?

> 2) I store the db password and login info in a database.inc.php file. Is there
> any way I can prevent a person from getting the db pass even after he gets
> this file?

Store an MD5 of the password, that way you're comparing the two hashes, not
two passwords... even if someone stumbles into your database, they'll only
see the MD5'd password.  A further step would be encryption, on which you
will have to do a LOT of reading.


> 3) Does anyone know a book that focuses on writing secure code?

There's plenty of articles... just search and search and search on Google...
keep digging, and read everything.


> 5) How do I know the code that I am writing and my server is safe. Are there
> any services out there that would help me evaluate this.

Pay a programmer with a lot more experience to consult on your project.

Start with open source products which may have an inherited strength and
security as they draw on the experiences of many programmers, some of whom
have MANY years behind the wheel.

 
> Although this is a high profile project, our budget is super small and A LOT
> depends on this project taking off within a small budget, but at the same time
> don't want to compromise on security.

If your client's primary concern is cost, not security or customer
satisfaction, then I'd be a little worried :)


I'd start by not storing the cc numbers, or any other sensitive data on the
web server at all... it will depend on your application, but if there are no
numbers stored, then there's very little reason to attempt to hack in and
get them, yes?

Talk to your credit card merchant about the options you have, and take any
advice they can provide... also, don't skimp on things like cc merchants...

Make sure all logins and sensitive data are done over SSL too.


Justin
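The two concrete points in the reply above, "store a hash and compare hashes rather than passwords" and "ask what should I allow", as an added PHP example that is not part of the original post. It uses PHP's password_hash()/password_verify() (salted bcrypt) in place of the bare MD5 the reply names, because an unsalted, fast hash lets anyone who obtains the stored values test guesses very quickly; the $users array stands in for the database table, and the usernames and passwords are constructed sample data.

```php
<?php
// Added example, not code from the original mailing-list post.
// Pattern: keep only a salted hash of each password; verify by recomputing,
// so a copy of the stored data never reveals the passwords themselves.
// $users stands in for the users table; all values below are constructed.

declare(strict_types=1);

// Allow-list check: state exactly what a username may contain and reject
// everything else, rather than trying to enumerate bad characters.
function is_valid_username(string $name): bool
{
    return preg_match('/^[a-z0-9_]{3,32}$/', $name) === 1;
}

// Registration: the plaintext is never stored, only the salted hash.
// PASSWORD_DEFAULT is currently bcrypt; the salt is embedded in the hash string.
function register_user(array &$users, string $name, string $password): bool
{
    if (!is_valid_username($name) || isset($users[$name])) {
        return false;
    }
    $users[$name] = password_hash($password, PASSWORD_DEFAULT);
    return true;
}

// Login: password_verify() re-hashes the candidate with the stored salt and
// compares in constant time; the stored value alone cannot be "logged in with".
function check_login(array $users, string $name, string $password): bool
{
    if (!is_valid_username($name) || !isset($users[$name])) {
        return false;
    }
    return password_verify($password, $users[$name]);
}

// Demo with constructed sample data.
$users = [];
register_user($users, 'siddharth', 'correct horse battery staple');

var_dump(check_login($users, 'siddharth', 'correct horse battery staple'));
var_dump(check_login($users, 'siddharth', 'wrong password'));
var_dump(check_login($users, 'bad name; with spaces', 'anything'));

// What actually sits in the "database": a bcrypt hash string, not the password.
echo $users['siddharth'], "\n";
```

Run with `php example.php`: the first check succeeds, the second fails on the wrong password, and the third is rejected by the allow-list before any lookup happens. The echoed value is a hash string beginning with the bcrypt prefix, which is all an attacker who copies the table would see.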


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
