Chapter 15. Security
Once your code is working, you may be tempted to think that you’re done with it. In reality, you may have some security issues that don’t affect normal usage but provide an opening for an attack. The unfortunate reality of web-accessible applications is that they’re only as secure as their weakest link. Therefore, you must be conscious of security on every level, from the database to the web server and the PHP processing itself.
Although you can’t make every system truly unbreakable, you can perform the equivalent of dead-bolting doors and locking windows. If you make your system difficult enough to compromise, it’s generally not worth a hacker’s effort, though keep in mind that some may still try. We’ve had our own server locked up from hackers trying to get in, and boatloads of spam that cause the server to belch and stop working temporarily.
We’re going to reiterate some of the security concepts that we discussed while learning the basics of PHP and MySQL security. This reduces the risk that the web sites you build will be insecure. We’ll also expand on those topics to give you some more options for making hackers’ lives difficult and your life easier.
Limit Access to Administrative Pages
When installing software packages that include a control panel or setup script, you should always either change the script’s directory or, in the case of setup scripts, remove them after you’re done installing. These scripts can provide a way for a random web surfer to mess ...