
Creating Secure PHP Websites

Video: General security principles

Let's quickly review the primary security principles. These principles are covered in more depth in the Fundamentals of Programming, Web Security course that I mentioned earlier. The first principle is least privilege. The principle of least privilege means giving a user account only those privileges which are essential to that user's work, nothing more. Users in human resources shouldn't be able to see accounting information, and users in accounting shouldn't be able to see human resources information. The same applies to the accounts your application runs under: the database user your PHP code connects with should be granted only the tables and operations the application actually needs. But we're not just talking about user privileges. Code has access privileges too.

Code should be limited in what it exposes and what it accesses. In object-oriented programming, this means controlling the visibility of class properties and methods. For example, if a method in a PHP class is only used by that class, then it does not need to be callable from outside the class, so declare it private rather than public.

The second principle is that simple is more secure. The larger and more complex a system becomes, the harder it becomes to secure. Larger systems have more areas of concern, and more complex systems increase the likelihood of bugs and mistakes.
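Here is what least privilege looks like at the code level. This is an added example written for this page, not code from the course or its exercise files; the PasswordPolicy class and its banned-password list are made up for illustration, and it assumes PHP 8.1 or later (constructor property promotion with readonly) with the mbstring extension.

```php
<?php
declare(strict_types=1);

// Least privilege applied to code: only what callers actually need is public.
// Everything else is private, and the class is final so nothing can subclass it
// to widen access to its internals.
final class PasswordPolicy
{
    // Configuration is private; nothing outside the class can read or alter it.
    private const MIN_LENGTH = 12;

    // Hypothetical banned list (lower-case), supplied by the caller once and then frozen.
    public function __construct(private readonly array $bannedPasswords) {}

    // The single entry point callers need.
    public function isAcceptable(string $candidate): bool
    {
        return $this->longEnough($candidate) && !$this->isBanned($candidate);
    }

    // Helpers used only by this class stay private: not callable from outside,
    // so their behaviour cannot be invoked or bypassed piecemeal by other code.
    private function longEnough(string $candidate): bool
    {
        return mb_strlen($candidate) >= self::MIN_LENGTH;
    }

    private function isBanned(string $candidate): bool
    {
        return in_array(mb_strtolower($candidate), $this->bannedPasswords, true);
    }
}

// Constructed sample data for the demonstration.
$policy = new PasswordPolicy(['password1234', 'correcthorsebattery']);

var_dump($policy->isAcceptable('password1234'));
var_dump($policy->isAcceptable('a-long-enough-passphrase'));

// Calling a private helper from outside the class is a fatal error, which is the point:
// $policy->longEnough('x');
```

The first call is rejected because the candidate is on the banned list; the second passes. Nothing outside the class can shorten the minimum length, swap the banned list, or call the helpers directly, which keeps the policy's surface area as small as its one public method.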

The third principle is to never trust users. You should be paranoid. Most users aren't hackers, but some are, and it's tough to tell the difference. That applies to the general public primarily, but you also need to use caution with employees, admin users, and contractors. The principle of least privilege can help you here as well and you need to use caution offline as well as online. If you put a lot of effort into securing your site, but then you email a password to someone, back up your database to a thumb drive, or leave your computer logged in overnight, you end up circumventing all of your security efforts.

The fourth principle is to expect the unexpected. Security is proactive, not reactive: the goal is to prevent the attack before it happens. In order to do that, you're going to want to consider all the unexpected things that might happen. You'll want to consider what we refer to as edge cases. What are all the possible things that a user might try to do? What are the ways they might try to get around your security? You'll want to get creative as you try to expect the unexpected. The next principle is defense in depth. This is basically layered defenses, redundant security, making sure that if one security mechanism gets circumvented, there's something else behind it that will still help protect you.

You want to make sure that you think about your people, your technology, and your operations inside the organization and how all three of those can work together to create a secure environment. The next principle is usually called security through obscurity, and one caution applies: hiding information is not a defense on its own, and you should never rely on an attacker failing to discover something. Used as one layer among the others, though, the idea holds: more information benefits hackers who are trying to get into your site, so you want to limit the amount of exposed information and limit the amount of feedback that you give them. A good example of this is a website's login form. You shouldn't tell the user whether the username or the password was the incorrect piece of information.

Doing so allows a hacker to keep trying until they find a valid username and then start trying to find a valid password for it. But if you simply tell them there was no match, they don't have any idea which one was the wrong piece of information. For security, it's also important to understand the difference between blacklisting and whitelisting. A blacklist is a reference list of what is forbidden. A whitelist is a reference list of what is permitted. These are opposites, but they're not equal, and the reason is that whitelisting means deny by default: anything you did not explicitly permit is rejected, and that's the more secure approach.
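The login-form example above, as an added example for this page rather than code from the course: the leaky version reports which field was wrong, the uniform version returns one message for every failure. The user table is constructed in memory with password_hash so it runs offline, and the function names are made up. It also covers a related leak the prose does not mention: if the code skips the password check for unknown usernames, the faster response gives the username away, so the uniform version always runs password_verify, against a dummy hash when the user does not exist.

```php
<?php
declare(strict_types=1);

// Constructed sample user store: username => bcrypt hash. Stands in for a database.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

// Computed once at startup, never matches a real password. Used so that unknown
// usernames cost the same time to check as known ones.
$dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

// Leaky version: the message reveals whether the username exists, and an unknown
// username returns early, so the response is also measurably faster.
function loginLeaky(array $users, string $username, string $password): string
{
    if (!isset($users[$username])) {
        return 'Unknown username';
    }
    if (!password_verify($password, $users[$username])) {
        return 'Wrong password';
    }
    return 'OK';
}

// Uniform version: one message for every failure, and the expensive check always runs.
function loginUniform(array $users, string $dummyHash, string $username, string $password): string
{
    $known = isset($users[$username]);
    $hash = $known ? $users[$username] : $dummyHash;

    // password_verify runs unconditionally; the result only counts for a known user.
    $valid = password_verify($password, $hash) && $known;

    return $valid ? 'OK' : 'Username or password is incorrect';
}

// Three attempts: wrong password for a real user, unknown user, correct credentials.
foreach ([['alice', 'nope'], ['mallory', 'nope'], ['alice', 'correct horse battery staple']] as [$u, $p]) {
    printf("leaky:   %-8s %s\n", $u, loginLeaky($users, $u, $p));
    printf("uniform: %-8s %s\n", $u, loginUniform($users, $dummyHash, $u, $p));
}
```

The same principle applies anywhere else the application can answer "does this account exist": registration ("that email is already taken"), password reset ("no account with that address"), and HTTP status codes that differ between the two cases all leak the same information as the login form.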

So in general, when you have the choice, define the things that are permitted instead of just listing the things that are forbidden. And last of all, you'll want to make sure that you map the exposure points and data passageways in your application. Think about the incoming data through URLs, forms, cookies, and sessions, and the outgoing data, what goes out to the user as HTML or JavaScript, and consider what paths data takes as it travels from a user through the application and into a database.

Or from the database back to the application and back to the user. Remember our equation: awareness plus protection equals security. We want to have awareness not just of the outside threats that are coming in, but of what our application actually looks like, so that we know where our points of vulnerability might be. These general principles are going to guide all the choices that we're going to make in the upcoming chapters.
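The whitelist-versus-blacklist choice and the data passageway mapping from the last two paragraphs, together in one added example that is not from the course: a request parameter chooses a sort column, the blacklist version tries to forbid known-bad substrings, the whitelist version accepts only a fixed set of columns, and the request handler traces one path (query string, validation, SQL, HTML) with the right control at each step. The products table, the function names and the sample requests are constructed for the demonstration; it assumes PHP 8 with the pdo_sqlite extension so that it runs against an in-memory database.

```php
<?php
declare(strict_types=1);

// Blacklist: forbids a few known-bad fragments and permits everything else.
// Anything the list's author did not think of still gets through.
function sortColumnBlacklist(string $requested): ?string
{
    foreach (['--', ';', '/*', 'union'] as $bad) {
        if (stripos($requested, $bad) !== false) {
            return null;
        }
    }
    return $requested; // e.g. "price DESC, (SELECT 1)" is not on the list and passes
}

// Whitelist: the request may only pick from columns we chose; anything else is rejected.
const SORTABLE_COLUMNS = ['name', 'price', 'created_at'];

function sortColumnWhitelist(string $requested): ?string
{
    return in_array($requested, SORTABLE_COLUMNS, true) ? $requested : null;
}

// One data passageway, end to end: request -> validation -> database -> HTML.
function handleRequest(array $query, PDO $pdo): string
{
    // Incoming: everything from the request is untrusted, including its type.
    $requestedSort = $query['sort'] ?? 'name';
    $column = is_string($requestedSort) ? (sortColumnWhitelist($requestedSort) ?? 'name') : 'name';
    $search = is_string($query['q'] ?? null) ? $query['q'] : '';

    // Into the database: the identifier comes from our whitelist (it cannot be bound),
    // the user-supplied value travels as a bound parameter, never as SQL text.
    $stmt = $pdo->prepare("SELECT name, price FROM products WHERE name LIKE :q ORDER BY $column");
    $stmt->execute([':q' => '%' . $search . '%']);

    // Outgoing: everything rendered into HTML is escaped on the way out,
    // including values that came from the database.
    $html = '<ul>';
    foreach ($stmt as $row) {
        $html .= '<li>' . htmlspecialchars($row['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8')
               . ' - ' . htmlspecialchars((string) $row['price'], ENT_QUOTES | ENT_HTML5, 'UTF-8')
               . '</li>';
    }
    return $html . '</ul>';
}

// Constructed in-memory SQLite table so the example runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE products (name TEXT, price REAL, created_at TEXT)');
$pdo->exec("INSERT INTO products VALUES ('Widget', 9.99, '2024-01-02'), ('<b>Gadget</b>', 19.5, '2024-01-03')");

// Normal request, then a hostile sort value: the blacklist lets it through as an
// identifier, the whitelist rejects it and the handler falls back to the default column.
var_dump(sortColumnBlacklist('price DESC, (SELECT 1)'));
var_dump(sortColumnWhitelist('price DESC, (SELECT 1)'));
echo handleRequest(['sort' => 'price', 'q' => 'g'], $pdo), PHP_EOL;
echo handleRequest(['sort' => 'price DESC, (SELECT 1)', 'q' => ''], $pdo), PHP_EOL;
```

Note where each control sits on the map: the sort column is an SQL identifier, so it cannot be sent as a bound parameter and must be whitelisted; the search string can be bound, so it is; and the product name is escaped at output even though it was read from our own database, because whoever inserted it may not have been us.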

This video is part of Creating Secure PHP Websites (41 video lessons) by Kevin Skoglund.

 

Start learning today

Get unlimited access to all courses for just $25/month.

Become a member
Sometimes @lynda teaches me how to use a program and sometimes Lynda.com changes my life forever. @JosefShutter
@lynda lynda.com is an absolute life saver when it comes to learning todays software. Definitely recommend it! #higherlearning @Michael_Caraway
@lynda The best thing online! Your database of courses is great! To the mark and very helpful. Thanks! @ru22more
Got to create something yesterday I never thought I could do. #thanks @lynda @Ngventurella
I really do love @lynda as a learning platform. Never stop learning and developing, it’s probably our greatest gift as a species! @soundslikedavid
@lynda just subscribed to lynda.com all I can say its brilliant join now trust me @ButchSamurai
@lynda is an awesome resource. The membership is priceless if you take advantage of it. @diabetic_techie
One of the best decision I made this year. Buy a 1yr subscription to @lynda @cybercaptive
guys lynda.com (@lynda) is the best. So far I’ve learned Java, principles of OO programming, and now learning about MS project @lucasmitchell
Signed back up to @lynda dot com. I’ve missed it!! Proper geeking out right now! #timetolearn #geek @JayGodbold
Share a link to this course

What are exercise files?

Exercise files are the same files the author uses in the course. Save time by downloading the author's files instead of setting up your own files, and learn by following along with the instructor.

Can I take this course without the exercise files?

Yes! If you decide you would like the exercise files later, you can upgrade to a premium account any time.

Become a member Download sample files See plans and pricing

Please wait... please wait ...
Upgrade to get access to exercise files.

Exercise files video

How to use exercise files.

Learn by watching, listening, and doing, Exercise files are the same files the author uses in the course, so you can download them and follow along Premium memberships include access to all exercise files in the library.


Exercise files

Exercise files video

How to use exercise files.

For additional information on downloading and using exercise files, watch our instructional video or read the instructions in the FAQ .

This course includes free exercise files, so you can practice while you watch the course. To access all the exercise files in our library, become a Premium Member.

Are you sure you want to mark all the videos in this course as unwatched?

This will not affect your course history, your reports, or your certificates of completion for this course.


Mark all as unwatched Cancel

Congratulations

You have completed Creating Secure PHP Websites.

Return to your organization's learning portal to continue training, or close this page.


OK
Become a member to add this course to a playlist

Join today and get unlimited access to the entire library of video courses—and create as many playlists as you like.

Get started

Already a member ?

Become a member to like this course.

Join today and get unlimited access to the entire library of video courses.

Get started

Already a member?

Exercise files

Learn by watching, listening, and doing! Exercise files are the same files the author uses in the course, so you can download them and follow along. Exercise files are available with all Premium memberships. Learn more

Get started

Already a Premium member?

Exercise files video

How to use exercise files.

Ask a question

Thanks for contacting us.
You’ll hear from our Customer Service team within 24 hours.

Please enter the text shown below:

The classic layout automatically defaults to the latest Flash Player.

To choose a different player, hold the cursor over your name at the top right of any lynda.com page and choose Site preferences from the dropdown menu.

Continue to classic layout Stay on new layout
Exercise files

Access exercise files from a button right under the course name.

Mark videos as unwatched

Remove icons showing you already watched videos if you want to start over.

Control your viewing experience

Make the video wide, narrow, full-screen, or pop the player out of the page into its own window.

Interactive transcripts

Click on text in the transcript to jump to that spot in the video. As the video plays, the relevant spot in the transcript will be highlighted.

Learn more, save more. Upgrade today!

Get our Annual Premium Membership at our best savings yet.

Upgrade to our Annual Premium Membership today and get even more value from your lynda.com subscription:

“In a way, I feel like you are rooting for me. Like you are really invested in my experience, and want me to get as much out of these courses as possible this is the best place to start on your journey to learning new material.”— Nadine H.

Thanks for signing up.

We’ll send you a confirmation email shortly.


Sign up and receive emails about lynda.com and our online training library:

Here’s our privacy policy with more details about how we handle your information.

Keep up with news, tips, and latest courses with emails from lynda.com.

Sign up and receive emails about lynda.com and our online training library:

Here’s our privacy policy with more details about how we handle your information.

   
submit Lightbox submit clicked
Terms and conditions of use

We've updated our terms and conditions (now called terms of service).Go
Review and accept our updated terms of service.