Learning PHP
Recently I have been learning the basics of PHP with regard to web applications. So far I have touched on MySQL queries, login/password storage and forms authentication, sessions, and authenticated user session security.
I am working on a personal project called bookkeeper, which is a database for the books that I have read and what I thought of them. It started a ways back as an Excel spreadsheet, then evolved into an Access database, and then into a web application in PHP/MySQL. My intention is to eventually make it so others can also use bookkeeper, but that isn’t going to be for a while.
Password storage was the first thing to tackle and turned out to be pretty simple. Storing passwords that have passed through the SHA-1 algorithm is the standard practice, but it has certain security issues. A suggested improvement is to create a unique random string per user and add it to the password before hashing it. This reduces the ability to perform dictionary attacks on the hashed passwords, since a precomputed table of hashes no longer matches every user at once. The random unique string is called a salt value and is stored alongside the final hashed password in the database for later comparison. I use an MD5 hash of a number from rand() cut down to twenty characters.
The next issue was session handling and security for the rest of the pages protected by the login page. The standard seems to be to use session_start(), which by default generates a cookie containing a session id that you can check at the start of each script page, redirecting to the login page if it is missing. So if you are like me you immediately think, ‘what about malicious users?’. Session hijacking, the default scenario, seems very easy to me, so some precautions are a good idea.
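The per-user salt scheme described above, written out as an added example (this is not bookkeeper's code). It assumes a users table with `salt` and `password_hash` columns, and it swaps in `random_bytes()` for `rand()` as the salt source, because `rand()` is not a cryptographically secure generator, and compares hashes with `hash_equals()` so the comparison takes the same time whether or not the first characters match.

```php
<?php
// Added example, not from the original post. Assumptions: a `users` table
// with columns salt and password_hash; PHP 7+ for random_bytes().
declare(strict_types=1);

const SALT_BYTES = 16; // 16 random bytes -> 32 hex characters of salt

// Generate a fresh salt for one user from the OS CSPRNG.
function makeSalt(): string
{
    return bin2hex(random_bytes(SALT_BYTES));
}

// Hash the salt together with the password. Because each user's salt
// differs, two users with the same password get different stored hashes,
// and a precomputed dictionary of plain hashes no longer applies.
function saltedHash(string $salt, string $password): string
{
    return hash('sha256', $salt . $password);
}

// Called at registration: returns the pair to store in the users table.
function newCredential(string $password): array
{
    $salt = makeSalt();
    return ['salt' => $salt, 'password_hash' => saltedHash($salt, $password)];
}

// Called at login: recompute with the stored salt and compare in constant
// time so the check does not leak how many leading characters matched.
function verifyPassword(string $password, string $salt, string $storedHash): bool
{
    return hash_equals($storedHash, saltedHash($salt, $password));
}

// Demonstration with constructed values, not real accounts.
$cred = newCredential('correct horse battery staple');
var_dump(verifyPassword('correct horse battery staple', $cred['salt'], $cred['password_hash']));
var_dump(verifyPassword('wrong password', $cred['salt'], $cred['password_hash']));

// A second user choosing the same password gets a different stored hash.
$other = newCredential('correct horse battery staple');
var_dump($cred['password_hash'] === $other['password_hash']);
```

One caveat worth knowing: a salt defeats shared precomputed tables but not brute force against a single user's hash, because SHA-family and MD5 hashes are fast to compute. Current PHP ships `password_hash()` and `password_verify()`, which generate the salt for you and use a deliberately slow algorithm (bcrypt by default), so a new project would normally reach for those rather than hand-rolling the scheme above.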
- Make sure to call session_regenerate_id() after every user login so that the old session id is discarded. This will prevent a user from changing the session id cookie to look at another user’s information after logging in normally.
- Don’t trust that the session id stored in the cookie is valid. After the user logs in, store the new session id in the database and check it at the top of every page before the rest of the session information is trusted. This will prevent a user from changing their session id to become another user while logged in.
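Both precautions from the list above, as an added example rather than bookkeeper's own code. It assumes the users table gains a `session_id` column; to keep the script runnable without MySQL, an in-memory array stands in for that table, and the redirect target `login.php` is a placeholder.

```php
<?php
// Added example, not from the original post. Assumptions: a `users` table
// with a session_id column (modelled here by the $users array so the
// script runs without a database) and a login page at login.php.
declare(strict_types=1);

// Constructed stand-in for the users table: user id => row.
$users = [
    7 => ['username' => 'alice', 'session_id' => null],
];

// After the password check succeeds: discard the old session id so a value
// present before login is never promoted to an authenticated session, then
// record the new id against the user.
function loginUser(array &$users, int $userId): void
{
    session_regenerate_id(true);          // true: delete the old session data too
    $_SESSION['user_id'] = $userId;
    $users[$userId]['session_id'] = session_id();
}

// At the top of every protected page: the id from the cookie is accepted
// only if it equals the id stored for that user at login.
function currentUserId(array $users): ?int
{
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    $userId = (int) $_SESSION['user_id'];
    $stored = $users[$userId]['session_id'] ?? null;
    if ($stored === null || !hash_equals($stored, session_id())) {
        return null;                      // mismatch: treat as not logged in
    }
    return $userId;
}

// On logout clear both the server-side session and the stored id, so the
// old id cannot be presented again later.
function logoutUser(array &$users): void
{
    if (isset($_SESSION['user_id'])) {
        $users[(int) $_SESSION['user_id']]['session_id'] = null;
    }
    $_SESSION = [];
    session_destroy();
}

// Minimal page flow. From the command line no cookie is sent, but the
// calls behave the same way they do under a web server.
session_start();
loginUser($users, 7);
$uid = currentUserId($users);
if ($uid === null) {
    header('Location: login.php');        // the redirect the post describes
    exit;
}
echo "Logged in as user {$uid}\n";
logoutUser($users);
```

The database check stops someone who edits the cookie to a different id; it does not help if the real cookie value is copied from the victim's browser. For that case the cookie itself needs protecting, which in PHP means setting the `session.cookie_httponly` and `session.cookie_secure` options (or `session_set_cookie_params()`) so the id is not readable from script and is only sent over HTTPS.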
That is all I have so far. I would really love to hear how others do this stuff and if there are some issues I haven’t mentioned here that are important to remember. Please send in all your paranoid security methods.
As a side note I am very curious about what web platform and server languages Google uses to write all its applications such as search, Gmail, Google Maps, etc. Currently I assume it is CGI with the back end written in a C-like language or something home-brewed.
PHP is awesome! I’ve just started learning some, myself, as I’m working on making the website I manage (www.amabile.com) fully dynamic, in that all the concerts, events, CD listings, and stuff like that are stored in a database and called via PHP. It’s a lot of work, but once it’s all set up and working, it’ll make updating the page a BREEZE.
By the way, have I mentioned how much I like your new CSS? It’s brilliant.