问题
I'm asking this as I maintain a small website for a fairly isolated group of people (no more than 80). It currently has a simple log in function (e-mail, password) and the data that is "protected" is merely contact information to our members (telephone, address, e-mail). The website is written in PHP and use My SQL.
These last couple of days, I've been reading through the forums and other sites about web site security, since I would like to enhance it on our site. Right now the security consists of SQL-injection protection and MD5-hashed passwords stored in a database. This feels abit inadequate but I also feel that it's easy to take it TOO far. I mean it's not exactly nuclear launch codes here, but data people usually feel abit unconfortable to display online. The site itself is hosted by a fairly renown web host.
The only threat I can see right now are pranksters stumbling across the site and trying some of their home made concotion?
So I thought somewhere in the middle would suffice. Like
- SQL-injection protection (enhance if needed)
- Stronger hash method with salt
- XSS-protection
- DDoS-protection
- SSL when accessing the member area
What do you more experienced people out ther think?
Update: I would like to add that I do everything myself and there is no budget for buying fancy crypto techniques or hiring professional programmers.
回答1:
To enhance security for SQL injection, you must see:
- Best Way to Prevent SQL Injection
It would tell you to use PDO, parameterized queries.
To learn about general security issues, see this post which covers a lot:
- PHP Security Guide (By PHP Security Consotium)
Audit your site in terms of security using:
- OWASP
And
- PHPSec
phpSec is a open-source PHP security library that takes care of the common security tasks a web developer faces.
回答2:
Add CSRF vulnerability protection to your security list
回答3:
Also you can add Remote file inclusion.
来源:https://stackoverflow.com/questions/11077685/how-much-security-is-really-needed-on-a-private-website