Security in a Task Management System


This is something that raises many questions. I am creating a Task Management System. Most fields are form INPUTs or SELECTs. Users only interact with most of these fields once they have already logged in to the system, except in the Login and Password Recovery areas. I save files sent by users in binary form in database columns.

I use PHP, JavaScript (switching between plain JS and jQuery) with plenty of AJAX, and a MySQL database.

My questions are these:

  • What forms of security can I introduce into the system to make it safer against possible attacks or malicious users?

  • I know we can use filters for the login and password fields (filter_input, PHP FILTER_SANITIZE), but is there something else I can do?

  • Do I need to worry about security in the SELECT fields as well? (I ask this because the SELECTs are filled with data that comes from the database, so users will have no way to change the SELECT option values. I mean common users.)

SUMMING UP: Do you have something useful to point out and add to a system made in PHP and JavaScript with a MySQL database?

Thanks for your attention. Thank you!

  • Hello James! You should never trust anything that comes from the frontend. Even if a select is populated with data from the database, it is entirely possible for a malicious user to send any value to your application. I've seen that you care about things like SQL injection. If you are not using any framework and are only using PDO, make sure you are always using parameter binding in your queries. In addition, it is essential to have your project on HTTPS when published. And always validate the data coming from the frontend.

  • I use the same languages to develop my applications and usually do a lot of input treatment. As @Guilhermeassemany said: "You should never trust anything that comes from the frontend." Whatever the value or the way the data is received, it should always be processed; use regex and PHP's native functions to do the treatment. In the case of checkboxes and selects, since the system should already know the values, I check that they are the ones the system provided.

  • I avoid allowing characters like = ? " ', and if I do allow them for some special reason, I always use a way to convert them to avoid attacks.

  • The funny thing is that FILTER_VALIDATE_EMAIL allows several special characters besides "@". I can't understand that. Do you know of any page (in Portuguese) that has a more detailed explanation of this type of filter? I ask because on the sites I saw, including the PHP documentation, I found the explanation very generic.

  • Another thing: for the <form> date fields, do I use FILTER_SANITIZE_STRING?

  • Also, do you need to use this filter on $_SESSION? What type of filter do I use for $_SESSION?

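The points raised in the question and the comments (a SELECT value can be tampered with client-side, a date field cannot be "sanitized" into being valid, and bound parameters make quoting of = ? " ' unnecessary) in one PHP handler. This is an added example, not code from the question or the commenters; the table name `tasks`, its columns, the `validateTaskForm`/`insertTask` functions and the `$pdo` connection are assumptions for the illustration.

```php
<?php
declare(strict_types=1);

// Added example. Assumes a PDO connection in $pdo and a hypothetical table
// tasks(title, status, due_date, assignee_id). Uses mb_strlen (mbstring).

// The server's own list of allowed <select> values for "status".
// The browser can POST anything, so the submitted value is checked against
// this list rather than trusted because the <option>s came from the DB.
const ALLOWED_STATUS = ['open', 'in_progress', 'done'];

/**
 * Validate a submitted task form.
 * Returns ['ok' => true, 'data' => [...]] or ['ok' => false, 'errors' => [...]].
 * Invalid input is rejected, not "cleaned up" and accepted.
 */
function validateTaskForm(array $post, array $allowedAssigneeIds): array
{
    $errors = [];
    $data = [];

    // Free-text field: enforce presence and a length limit only.
    // HTML escaping belongs at output time, not here.
    $title = trim((string)($post['title'] ?? ''));
    if ($title === '' || mb_strlen($title) > 200) {
        $errors['title'] = 'Title is required and must be at most 200 characters.';
    } else {
        $data['title'] = $title;
    }

    // <select> with fixed options: allowlist with strict comparison.
    $status = $post['status'] ?? null;
    if (!is_string($status) || !in_array($status, ALLOWED_STATUS, true)) {
        $errors['status'] = 'Invalid status.';
    } else {
        $data['status'] = $status;
    }

    // <select> filled from the users table: the posted id must be one the
    // current user may choose; that list is loaded server-side, not from the form.
    $assignee = filter_var($post['assignee_id'] ?? null, FILTER_VALIDATE_INT);
    if ($assignee === false || !in_array($assignee, $allowedAssigneeIds, true)) {
        $errors['assignee_id'] = 'Invalid assignee.';
    } else {
        $data['assignee_id'] = $assignee;
    }

    // Date field: FILTER_SANITIZE_STRING does not make a date valid. Parse it
    // strictly and require an exact round trip, which rejects e.g. 2024-02-30.
    $due = (string)($post['due_date'] ?? '');
    $dt = DateTimeImmutable::createFromFormat('!Y-m-d', $due);
    if ($dt === false || $dt->format('Y-m-d') !== $due) {
        $errors['due_date'] = 'Date must be YYYY-MM-DD.';
    } else {
        $data['due_date'] = $dt->format('Y-m-d');
    }

    return $errors ? ['ok' => false, 'errors' => $errors]
                   : ['ok' => true, 'data' => $data];
}

/** Insert with bound parameters: values never become part of the SQL text. */
function insertTask(PDO $pdo, array $data): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO tasks (title, status, due_date, assignee_id)
         VALUES (:title, :status, :due_date, :assignee_id)'
    );
    $stmt->execute([
        ':title'       => $data['title'],
        ':status'      => $data['status'],
        ':due_date'    => $data['due_date'],
        ':assignee_id' => $data['assignee_id'],
    ]);
}

// Constructed POST simulating a tampered form: the status is not one of the
// <option>s, the assignee id is outside the allowed list, the date is bogus.
$tampered = [
    'title'       => 'Deploy release',
    'status'      => "done' OR 1=1 -- ",
    'assignee_id' => '999',
    'due_date'    => '2024-02-30',
];
$result = validateTaskForm($tampered, [1, 2, 3]);
if (!$result['ok']) {
    http_response_code(422);
    header('Content-Type: application/json');
    echo json_encode(['errors' => $result['errors']]);
} else {
    insertTask($pdo, $result['data']);   // $pdo is the assumed PDO connection
}
```

The same pattern covers checkboxes and radio buttons: compare the submitted value against the set the server generated, and treat anything else as an attack rather than a typo.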

1 answer

Here are some things I've done on my app recently:

  • Update the version of PHP
  • Properly configure .htaccess (I think this helps a lot)
  • Validate data entry against XSS
  • Apply prepared statements to mysqli queries
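The last two items of the answer in working code, as an added example rather than the answerer's own: a mysqli prepared statement for reading a user's tasks, and HTML encoding applied when the values are rendered, so a stored payload like `<script>` is displayed as text instead of executed. The `tasks` table, its columns and the function names are assumptions; `get_result()` assumes the mysqlnd driver.

```php
<?php
declare(strict_types=1);

// Added example. Assumes a mysqli connection in $db and a hypothetical table
// tasks(id, title, status, assignee_id). get_result() needs mysqlnd.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/** Read one user's tasks. The SQL contains only placeholders; values are bound. */
function fetchTasksForUser(mysqli $db, int $userId, string $status): array
{
    $stmt = $db->prepare(
        'SELECT id, title, status FROM tasks WHERE assignee_id = ? AND status = ?'
    );
    $stmt->bind_param('is', $userId, $status);   // i = int, s = string
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

/** Encode a value for HTML element content or a double-quoted attribute. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Render the rows; every dynamic value goes through e(), no exceptions. */
function renderTaskTable(array $rows): string
{
    $html = "<table>\n";
    foreach ($rows as $row) {
        $html .= sprintf(
            "<tr data-id=\"%s\"><td>%s</td><td>%s</td></tr>\n",
            e((string)$row['id']),
            e($row['title']),
            e($row['status'])
        );
    }
    return $html . "</table>\n";
}

// Constructed row standing in for a DB result after a stored-XSS attempt.
// The stored value is left as-is; encoding at output is what defuses it.
$rows = [
    ['id' => 7, 'title' => '<script>alert(document.cookie)</script>', 'status' => 'open'],
];
header('Content-Type: text/html; charset=UTF-8');
echo renderTaskTable($rows);
// With a live connection: echo renderTaskTable(fetchTasksForUser($db, 42, 'open'));
```

Encoding at output rather than stripping characters at input keeps titles like `a < b` intact in the database and still makes them safe in the page; a value that is later inserted into JavaScript or a URL needs the encoding for that context instead.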
