
I have a small site (~20 pages) built in plain PHP and MySQL

The site has a number of forms and it will be accessible to the public, it will store personal data.

I intend to add a security certificate.

Would appreciate some guidance of what options I have to make the site secure. Just an overview of options that I can use to start a conversation with a developer or ask more questions here.

I know as a minimum, login and registration forms will need some code changes.

Should I be considering switching to a framework?

Is there another alternative?

Will all pages or all pages that accept user input need some code changes?

David Makogon
ColinK
  • **All** code that takes user input will need securing. That is all. If you can use a framework then changing to that for a ~20 page site would be good, but if you don't know one, then in the time spent learning it you could be finished. So it depends on whether you want to take the time out to learn something. Just make sure to use MySQLi/PDO for any database interaction, especially the prepared statements. For any password handling, use the password_hash functions built into PHP. – Matt Jun 29 '16 at 21:30
  • https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project – SLaks Jun 29 '16 at 21:31
  • See this answer about preventing SQL injection: http://stackoverflow.com/a/60496/3595565. Another topic to consider is cross-site scripting: someone could inject JavaScript into your data which gets executed when you display it on your site; use the function http://php.net/manual/en/function.htmlspecialchars.php to escape those injections. – Philipp Jun 29 '16 at 21:44


To start with, add:

  • Prevention for SQL injection (see comment from @Philipp)
  • Prevention for XSS (also see comment from @Philipp)
  • CSRF token
  • TLS certificate, check https://letsencrypt.org/
  • Use password_hash() and password_verify() to hash and verify users' passwords

When this is done you have a good start and could continue with the OWASP top 10 list @SLaks linked to and see what is relevant for you.

This might look like a lot of work but actually doesn't take much time once you get used to it.

PS. Even if this question is broad and has no clear answer, I think asking it is a good start, and I wish you luck and good speed in securing your software.

rypskar
  • Thanks to Rypskar, Philip and Matt for giving useful answers to my "broad" question. To the others, it is easy to ask narrow questions, when you are an expert. Unless the forum explicitly bans non expert users, then you need to expect broad questions. I did search in advance of posting. I did point out my lack of expertise. Several members managed to give constructive positive answers, which I assume will be useful to others who might feel intimidated to ask similar questions. Expect my future questions to be 'broad' despite my efforts to be narrow. – ColinK Jun 30 '16 at 23:15
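The items on the answer's list (and the points raised in Matt's and Philipp's comments on the question) applied to one minimal PHP form handler, as an added example that is not part of the question, the answer, or any of the comments. It assumes PHP 7.3 or later, a `users` table with `id`, `email` and `password_hash` columns, and placeholder database credentials; the function names `db`, `csrfToken`, `checkCsrf`, `e`, `register` and `login` are the example's own.

```php
<?php
// Added example (not from the question or answer): the answer's checklist
// applied to a small registration/login handler. Assumes PHP 7.3+, a `users`
// table (id, email, password_hash) and placeholder connection details.
declare(strict_types=1);

// Session cookie only over TLS, not readable by script, not sent cross-site.
session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
session_start();

// --- SQL injection: PDO with real (non-emulated) prepared statements ---
function db(): PDO {
    // Placeholder DSN and credentials; replace with your own.
    return new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'app_password', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // parameters are sent separately from the SQL
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// --- CSRF: one random token per session, required on every state-changing POST ---
function csrfToken(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function checkCsrf(?string $submitted): void {
    // hash_equals compares in constant time
    if ($submitted === null || !hash_equals($_SESSION['csrf'] ?? '', $submitted)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
}

// --- XSS: escape every value that is written back into HTML ---
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// --- Passwords: store only password_hash() output, never the password ---
function register(PDO $pdo, string $email, string $password): void {
    $stmt = $pdo->prepare('INSERT INTO users (email, password_hash) VALUES (:email, :hash)');
    $stmt->execute([
        ':email' => $email,
        ':hash'  => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

function login(PDO $pdo, string $email, string $password): bool {
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch();
    // password_verify reads the algorithm and salt recorded in the stored hash
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true); // fresh session id once the user is authenticated
    $_SESSION['user_id'] = (int) $row['id'];
    // Upgrade old hashes transparently when PHP's default algorithm/cost changes
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :hash WHERE id = :id');
        $upd->execute([':hash' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return true;
}

// --- Request handling ---
$message = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    checkCsrf($_POST['csrf'] ?? null);
    $email    = trim((string) ($_POST['email'] ?? ''));
    $password = (string) ($_POST['password'] ?? '');
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || $password === '') {
        $message = 'Please enter a valid email address and a password.';
    } elseif (($_POST['action'] ?? '') === 'register') {
        register(db(), $email, $password);
        $message = 'Registered ' . $email;
    } else {
        $message = login(db(), $email, $password) ? 'Welcome back, ' . $email : 'Login failed';
    }
}
?>
<!-- Output: user-controlled values only reach the page through e() -->
<?php if ($message !== ''): ?><p><?= e($message) ?></p><?php endif; ?>
<form method="post" action="">
  <input type="hidden" name="csrf" value="<?= e(csrfToken()) ?>">
  <label>Email <input type="email" name="email" required></label>
  <label>Password <input type="password" name="password" required></label>
  <button name="action" value="login">Log in</button>
  <button name="action" value="register">Register</button>
</form>
```

The same four habits carry over to every other page on the site: any query that takes user input goes through a prepared statement, any state-changing form carries the CSRF token, any value echoed into HTML goes through `e()`, and the `secure` cookie flag only works once the TLS certificate from the answer's list is in place.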