On 8 August 2011 15:08, Jen Rasmussen <j...@cetaceasound.com> wrote:
> Hello all,
> I am currently researching security best practices/methods. Can anyone offer
> any current resources/recommendations?
> My research thus far has included password hashing with salting/stretching,
> session hash defaults, session management & authentication, and prepared
> statements via PDO in addition to basic PHP.ini and .htaccess server
> settings  and properly escaping and validating input/output.

Best practise can change as new threats and forms of attack become prominent.

So. At the top of this list, I'd add "This is list is subject to change".

Anything you to today may well be circumvented tomorrow.

But the principle of Poka-Yoke does suggest that by only allowing
valid and appropriate data in to your code, you are drastically
reducing the attack vectors.

I work in a multi-database and multi-DB Server environment.

Nearly/almost always, I use stored procedures rather than building
complex queries in PHP.

I only allow me and users in the development team direct access to the tables.

So, for the application to alter the DB, a stored procedure is written
(my apps are accounting related so maybe some flexibility has been
sacrificed - but the security is very strong).

I use Views either to simple result sets or to XML results depending
upon the requirement - again - no access to the underlying tables.

The user credentials used for connecting to the DB is different to
other user details and it is forced to a specific machine.

All this sort of thing is setup once and done. It makes it very
difficult for anyone to be able to fake the credentials, gain access
to the DB tables or inject data outside of the constraints provided by
the stored procedures.

Richard Quadling
Twitter : EE : Zend : PHPDoc
@RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY : bit.ly/lFnVea

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to