Hi,

> 2) I store the db password and login info in a database.inc.php
> file. Is there any way I can prevent a person from getting the db
> pass even after he gets this file?
Store that file outside the docroot. That way there is no chance they can get it from the web site. I myself use an ini file that is nowhere near the docroot, and use parse_ini_file() to load the DB information in, and then I connect to it. This method passed our security audit with flying colors.

A sample of what my ini file resembles is:

    [mysql_info]
    host = 192.168.1.1
    uid = username
    pwd = password
    dbn = database

They end up in a $INI array, and the fields are $INI['host'], $INI['uid'], etc. You can read more about that function @ www.php.net.

> 3) Does anyone know a book that focuses on writing secure code?

I haven't found one, but if you do, please share it with the rest of us. I wouldn't mind having one.

Also, make sure you're battling cross-site scripting. I had a problem where the EU could toss javascript into the comments field, or any field, and it would give 'em their cookie and they could go play. They could also cause other bad things to happen. Validate all your form variables. I found avoiding method=get in my forms helped.

TURN OFF register_globals IN THE PHP.INI FILE! This is a big one.

Make sure you're handling all your exceptions, errors, and exit() the script after your header redirects and things like that.

That should get you started...

-Dan Joseph

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
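The ini-outside-the-docroot approach Dan describes, as an added example that is not his code: the ini path, section name and key names below are assumptions modelled on the sample in the post, and the loader fails closed if the file or any key is missing instead of connecting with empty credentials.

```php
<?php
// Added example (not from the original post). Assumed layout: /var/www/html is
// the docroot, so the ini file one level up is never served by the web server.
declare(strict_types=1);

const DB_INI = '/var/www/config/database.ini';

/*
 Constructed sample contents of /var/www/config/database.ini
 (same shape as the ini sample in the post):
 [mysql_info]
 host = 192.168.1.1
 uid = username
 pwd = password
 dbn = database
*/

function load_db_config(string $path): array
{
    if (!is_readable($path)) {
        throw new RuntimeException('DB config is missing or unreadable');
    }
    // process_sections=true turns the [mysql_info] header into an array key;
    // INI_SCANNER_RAW keeps values as literal strings (no "on"/"off" coercion).
    $ini = parse_ini_file($path, true, INI_SCANNER_RAW);
    if ($ini === false || !isset($ini['mysql_info'])) {
        throw new RuntimeException('DB config could not be parsed');
    }
    $cfg = $ini['mysql_info'];
    foreach (['host', 'uid', 'pwd', 'dbn'] as $key) {
        if (!isset($cfg[$key]) || $cfg[$key] === '') {
            throw new RuntimeException("DB config key '$key' is missing");
        }
    }
    return $cfg;
}

function db_connect(array $cfg): mysqli
{
    // Make connection failures throw instead of silently returning a dead handle.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    return new mysqli($cfg['host'], $cfg['uid'], $cfg['pwd'], $cfg['dbn']);
}

try {
    $INI = load_db_config(DB_INI);   // $INI['host'], $INI['uid'], ... as in the post
    $db  = db_connect($INI);
} catch (Throwable $e) {
    // Log details server-side only; never echo the credentials or raw error to the browser.
    error_log('DB setup failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Service unavailable');
}
```

The ini file should also be readable only by the web server's user (e.g. mode 0640 owned by root with the PHP group), so a directory-traversal or file-read bug elsewhere in the site does not hand over the credentials.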