I am trying to understand the steps I have to follow in order for data to be input and output securely on a website. This is what I understood so far:

**Procedure**

1) User inputs data

2) This data is validated using JavaScript. If data doesn’t match the structure you requested, send an error message.

3) The data is also validated using PHP in case JavaScript is disabled or not supported by the browser. The PHP validation will be almost identical to the JavaScript one. If data doesn’t match the requested structure, send an error message.

4) Open a connection with the database (PDO method)

5) Check input data against your database using prepared statements (PDO method) and return an error message if required [for example, if the data is an email address then we cannot have 2 users with the same email address / Error message: This email address is already registered. If you are already registered please login or use another email address to register].

6) After all checking is done [client-side (JavaScript) and server-side (PHP)], use prepared statements to insert un-escaped data into the database.

7) When data is requested and must be displayed in the web browser, only then escape (output) data, to prevent XSS.

**Security**

A) The PHP script will use session_regenerate_id when there is a change in the level of privilege (from logged in to logged out and vice versa) – mitigate session fixation

B) SSL will be used to minimize the exposure of data between the client and the server

C) The form will have a hidden field nesting an anti-CSRF token, that will be checked against the one stored in the session – mitigate CSRF

D) Passwords will be stored after hashing them with the Bcrypt hashing algorithm (with a proper salt)

E) (2) + (3) validation will use Regular Expressions. I understand that a wrong Regular Expression can cause many errors. Are there any generally accepted Regular Expressions for validating email addresses, passwords, etc.?

**Questions:**

1) Do I understand the input/output procedure correctly? Am I doing something wrong?

2) I know that security-wise you can never be 100% protected. What else should I do? Is something I wrote above wrong?

Thanks in advance.

  • This question is way too broad for StackOverflow, sorry to say. You put a lot of thought into it. Commented Apr 26, 2014 at 13:57
  • I know that this is a huge part of PHP/MySQL/JavaScript. But I need to know whether I am on the correct path or not. Or if I am missing out something fundamental. Commented Apr 26, 2014 at 14:02
  • Email validation: Don’t even start to try and write your own RegEx – this is way too complex, and many people have failed at this before you already. Use php.net/manual/en/filter.filters.validate.php Commented Apr 26, 2014 at 16:18
  • Yes but this is for PHP only. What about JavaScript validation? Commented Apr 26, 2014 at 16:20
  • Password validation: Don’t you effin’ dare to tell me what my password should look like ;-) Seriously, forcing users to use passwords that conform to what you might think is a correct form/number of “special” characters makes the world less secure – it forces me to deviate from my usual scheme, and thereby increases the likelihood that I will choose something “easy to remember”, or write it down somewhere, etc. You might advise me that you think my password might not be the most secure one – but please don’t force anything on me in that regard. Commented Apr 26, 2014 at 16:21
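The procedure and security items above, put together in one minimal PHP registration handler. This is an added example, not code from the question or from any answer; it assumes PHP 7.1 or later, a `users` table with `email` (UNIQUE) and `password_hash` columns, the PDO DSN and credentials shown, and a `/welcome.php` landing page. It follows the commenter's advice and uses `filter_var` instead of a hand-written email regex, and it only enforces a minimum password length rather than a character-class rule.

```php
<?php
// Added example (not the question's or an answer's code). Assumed: PHP 7.1+,
// table users(id, email UNIQUE, password_hash), DSN/credentials below, /welcome.php.
declare(strict_types=1);

session_start();

// Item C: one anti-CSRF token per session; the form embeds it in a hidden field.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Item C: compare the submitted token with the session copy in constant time.
function csrfTokenIsValid(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Step 3: server-side validation. Built-in email filter instead of a regex;
// password rule is a minimum length only, so users keep their own scheme.
function validateRegistration(array $input): array
{
    $errors = [];
    $email = trim((string)($input['email'] ?? ''));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Please enter a valid email address.';
    }
    $password = (string)($input['password'] ?? '');
    if (strlen($password) < 12) {
        $errors[] = 'Password must be at least 12 characters.';
    }
    return [$errors, $email, $password];
}

// Step 5: duplicate check with a prepared statement; the value is bound, never interpolated.
function emailIsRegistered(PDO $pdo, string $email): bool
{
    $stmt = $pdo->prepare('SELECT 1 FROM users WHERE email = ? LIMIT 1');
    $stmt->execute([$email]);
    return $stmt->fetchColumn() !== false;
}

// Steps 6 and D: store the raw (un-escaped) email and a bcrypt hash;
// password_hash() generates its own random salt.
function registerUser(PDO $pdo, string $email, string $password): void
{
    $hash = password_hash($password, PASSWORD_BCRYPT);
    $stmt = $pdo->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)');
    $stmt->execute([$email, $hash]);
}

// Step 7: escape only at output time, for an HTML context.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Step 4: PDO connection, exceptions on, emulated prepares off (real server-side prepares).
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'secret', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,
]);

$errors = [];
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfTokenIsValid($_POST['csrf_token'] ?? null)) {
        $errors[] = 'Invalid form submission, please try again.';
    } else {
        [$errors, $email, $password] = validateRegistration($_POST);
        if (!$errors && emailIsRegistered($pdo, $email)) {
            $errors[] = 'This email address is already registered. Please log in or use another address.';
        }
        if (!$errors) {
            registerUser($pdo, $email, $password);
            // Item A: privilege level changes (anonymous -> logged in), so rotate the session id.
            session_regenerate_id(true);
            $_SESSION['user_email'] = $email;
            header('Location: /welcome.php');
            exit;
        }
    }
}
?>
<form method="post" action="">
  <?php foreach ($errors as $error): ?><p><?= e($error) ?></p><?php endforeach; ?>
  <input type="hidden" name="csrf_token" value="<?= e(csrfToken()) ?>">
  <input type="email" name="email" value="<?= e($_POST['email'] ?? '') ?>">
  <input type="password" name="password">
  <button type="submit">Register</button>
</form>
```

Two points the step list does not spell out: the duplicate check in step 5 and the insert in step 6 are separate queries, so two concurrent registrations can both pass the check; the UNIQUE constraint on `email` is what actually prevents the second insert (it raises a `PDOException` here, which the page would catch and turn into the same "already registered" message). And `htmlspecialchars` is the right escaper only for HTML body and attribute context; a value placed inside a `<script>` block or a URL needs a different encoding.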

1 Answer

  1. Yes, you understand it all right in general.
  2. That, as you noted yourself, is an endlessly open topic. There are thousands of vectors. Some of them are include injection (never include or read a file taken blindly from user input), eval (avoid this operator like a hot iron), and upload injection, which is alone a wide topic with multiple issues (in short, always verify input data format).

As of regexps - oh, yes. Just try google.

1 Comment

I have been reading for a long time to clear these things out, and I am sure that I have barely scratched the surface. But thanks for the answer. Being on the correct path, it's a good start. Now it's time to go deeper into the details.
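The two vectors the answer names, include injection and upload injection, handled the way it suggests (never build a path from user input; always verify the input's format). This is an added example, not part of the answer or the question; the `pages/` files, the `uploads/` directory, the `page` query parameter and the `document` form field are assumptions, and it assumes PHP 7+ with the `fileinfo` extension enabled.

```php
<?php
// Added example, not from the answer. Assumed: pages/*.php, an uploads/ directory,
// a ?page= parameter and a "document" file field; PHP 7+ with ext/fileinfo.
declare(strict_types=1);

// Include injection: the request value is only ever a *key* into a fixed map,
// so "../../etc/passwd", "php://filter/..." or a remote URL can never be included.
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function resolvePage(string $requested): string
{
    return PAGES[$requested] ?? PAGES['home'];
}

// Upload injection: the browser-supplied name and Content-Type ($_FILES['name'],
// $_FILES['type']) are attacker controlled, so the check is on the file bytes
// and the stored file name is generated by the server.
const ALLOWED_TYPES = [
    'image/png'       => 'png',
    'image/jpeg'      => 'jpg',
    'application/pdf' => 'pdf',
];

// Returns the extension to store under, or null when the upload is rejected.
function validateUpload(array $file, int $maxBytes = 2 * 1024 * 1024): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if ($file['size'] > $maxBytes || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Sniff the type from content, never trust $_FILES['type'].
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    return ALLOWED_TYPES[$mime] ?? null;
}

function storeUpload(array $file, string $dir): ?string
{
    $ext = validateUpload($file);
    if ($ext === null) {
        return null;
    }
    // Random name: no user-chosen name, no double extension, no overwrite of existing files.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($dir, '/') . '/' . $name;
    return move_uploaded_file($file['tmp_name'], $dest) ? $name : null;
}

// Usage under the assumed request shape.
require resolvePage((string)($_GET['page'] ?? 'home'));

if (isset($_FILES['document'])) {
    $stored = storeUpload($_FILES['document'], __DIR__ . '/uploads');
    // $stored is null when the file was rejected; otherwise it is the generated name.
}
```

The uploads directory should either sit outside the web root and be served through a download script, or have script execution disabled in the web server configuration, so that even a file that passes the type check can never be run as PHP.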
