dongyuduan1890 2016-07-28 07:55
浏览 31
已采纳

学习基本网络安全的最佳方式[关闭]

I'm 16 and do a lot of web design for people. I do mostly front end design apart from the occasional bit of PHP when handling forms. While I do know how to manage basic sterilisation and validation, i would like to learn more intricate things like user management and login systems. I know my way around js, MySQL and PHP, etc... but I don't feel confident securing such systems. I know there is not one solve all guide to web security, but I was wondering if anyone knows any helpful guides, resources, etc.... Also, even just somewhere to start.

What I mainly want to learn about:

  • setting up and acquiring SSL certificates
  • handling SSL certificates
  • building secure login systems
  • using cookies for security purposes
  • general PHP security
  • SQL security

My end goal is to be able to build sites with users who's basic info I can securely store (no payment details) in an SQL database. I want to be able to create a user sign up the login and editing system. i have created something like this before but not with SSL. My question is how do you learn to do this with SSL?

could someone... - direct me to a guide. - direct me to examples. - point me in the right direction.

(examples would be too big to post) like I said its quite a broad question so sorry (as someone who usually hates people who post questions like this). Very much open to advice any help would be appreciated :)

EDIT: My real question now is how do I learn how to use SSL and set it up after I've bought a certificate?

  • 写回答

1条回答 默认 最新

  • douzheng1853 2016-07-28 08:04
    关注

    I'll add points about which I know.

    SQL security - basic principle here, never trust user input, sanitize it all. There are numerous built-in functions to do so, for example htmlentities and real escape string: MySQLi, for PDO, prepared statement.

    using cookies for security purposes - Cookies are always a point of failure, as users can change cookies as they see fit. Best way, is to use a random string inside the cookie to identify the user later on. For example, you generate a 50 character random string, put it into a cookie, make it so it would expire over some time and store the ID into SQL, so the next time when the user connects, you can check that do you have that ID inside SQL and check who the user is. It's still unsafe, but not as unsafe as just leaving user_id's or even worse, passwords inside cookies. Using sessions is safer, but if you need to use cookies, that's the way I would do it.

    building secure login systems - SSL is one key here. Another is password encryption. For PHP, use password_hash to hash the password. Best way to keep passwords from not being stolen / cracked, is to also salt them. You can, for example, use AES to encrypt the password_hash itself by another random string with a key, which only you know, so you can decrypt it and verify the passwords. Also, one point here is to make sure, that you leave a failed login counter on the page, otherwise people might start flooding your site with many possible other passwords which might work. Also enforce safe passwords which are not easily figured out (test123, password, pa55w0rd etc).

    setting up and acquiring SSL certificates - To get a SSL certificate which the end user can accept too without getting a message that the CA is not recognized, you most likely need to buy a SSL certificate, Google will help with that one.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 微带串馈天线阵列每个阵元宽度计算
  • ¥15 关于无人驾驶的航向角
  • ¥15 keil的map文件中Image component sizes各项意思
  • ¥30 BC260Y用MQTT向阿里云发布主题消息一直错误
  • ¥20 求个正点原子stm32f407开发版的贪吃蛇游戏
  • ¥15 划分vlan后,链路不通了?
  • ¥20 求各位懂行的人,注册表能不能看到usb使用得具体信息,干了什么,传输了什么数据
  • ¥15 Vue3 大型图片数据拖动排序
  • ¥15 Centos / PETGEM
  • ¥15 划分vlan后不通了