Chapter 14. Security
Once your code is working, you may be tempted to think that you’re done with it. In reality, you may have some security issues that don’t affect normal usage but still provide an opening for an attack. The unfortunate reality of web-accessible applications is that they’re only as secure as their weakest link. Therefore, you must be conscious of security on every level, from the database to the web server and the PHP processing itself.
Although you can’t make every system truly unbreakable, you can perform the equivalent of dead-bolting doors and locking windows. If you make your system difficult enough to compromise, then it’s generally not worth a hacker’s effort, though keep in mind that some may still try. We’ve had our own server locked up from hackers trying to get in, or boatloads of spam that cause the server to belch and stop working temporarily.
We’re going to reiterate some of the security concepts that we discussed while learning the basics of PHP and MySQL. That reduces the risk that you’ll build a site without reading about security and so will end up with an easily compromised site. We’ll also expand on those topics to give you some more options for making hackers’ lives difficult and your life easier.
Limit Access to Administrative Pages
When installing software packages that include a control panel or setup script, you should always either change the script’s directory or, in the case of setup scripts, remove them after you’re done installing. These ...
Get Learning PHP and MySQL now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.