
How can I secure my application?

Hello guys,

I am looking for help from the programming experts here (and I know there are a lot).

I'm in the process of coding an application with PHP & MySQL databases. I've already planned the code, but I'm so scared because the application will send and receive very sensitive information (e.g. transactions) and I do not know (generally) how I can secure my PHP-based application and prevent hacking attempts against it.

Is it so difficult for me to secure my application and remove any backdoors in it?
And what is your advice: should I wait until I learn security in PHP, or is it something I can plug into the code during work?

I know the question sounds so general, so I'm asking only for general solutions, or useful tutorials for this case.

(I have no access to the server configuration, so I need solutions in the code itself and not in php.ini, for example.)

--
One more thing:
Can something like SourceGuardian fully protect my PHP application?
---

Best Regards!
:wave:
 
0
Very thankful for this, I've added to favorites and will read this guide soon!

Thanks.
 
0
The link Jim_ posted is definitely a good read. What I'd concern myself with the most is SQL Injection and XSS. Maybe incorporate a function similar to this; this is what I've been using for a bit:
PHP:
<?php

// Strip HTML tags, escape quotes (unless magic quotes already did so) and
// remove leftover script/applet/object/iframe/style/form markup, stray tags,
// whitespace runs and a few HTML entities from a single input value.
function sanitize($value)
{
  // get_magic_quotes_gpc() was removed in PHP 8, so guard the call; on those
  // versions magic quotes are always "off" and addslashes() is applied.
  $magicQuotes = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
  $value = (!$magicQuotes) ? trim(addslashes(strip_tags($value))) : trim(strip_tags($value));
  // Each pattern uses '@' as the regex delimiter; the 's' modifier lets '.'
  // match newlines and 'i' makes the match case-insensitive.
  $search = array('@<script[^>]*?>.*?</script>@si',
                  '@<applet[^>]*?>.*?</applet>@si',
                  '@<object[^>]*?>.*?</object>@si',
                  '@<iframe[^>]*?>.*?</iframe>@si',
                  '@<style[^>]*?>.*?</style>@si',
                  '@<form[^>]*?>.*?</form>@si',
                  '@<[\/\!]*?[^<>]*?>@si',
                  '@([\r\n])[\s]+@',
                  '@&(amp|#38);@i',
                  '@&(lt|#60);@i',
                  '@&(gt|#62);@i'
                 );
  // One empty replacement per pattern: every match is deleted.
  $replace = array('','','','','','','','','','','');
  $value = preg_replace($search, $replace, $value);
  return $value;
}

?>

Hope that helps :)
 
1
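The reply above addresses SQL injection and XSS by stripping characters out of the input. As an added example, not code from the thread or from any of its posters, here is the approach PHP's own APIs provide for the same two problems: PDO prepared statements with bound parameters for the database, filter_var() for validating the transaction amount, and htmlspecialchars() applied at output time. It uses an in-memory SQLite database (assumes the pdo_sqlite extension) so it runs with no access to server configuration, which matches the original poster's constraint; the table name, column names and sample rows are constructed for the example.

```php
<?php
declare(strict_types=1);

// Open an in-memory SQLite database and create a constructed "transactions"
// table. In the real application this would be the MySQL DSN instead.
function openDatabase(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE transactions ('
        . 'id INTEGER PRIMARY KEY, account TEXT NOT NULL, '
        . 'amount_cents INTEGER NOT NULL, memo TEXT NOT NULL)');
    return $pdo;
}

// Validate rather than sanitize: an amount is accepted only if it is a
// positive integer number of cents; anything else is rejected as null.
function parseAmountCents(string $raw): ?int
{
    $cents = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $cents === false ? null : $cents;
}

// Insert a transaction. The values travel as bound parameters, never as part
// of the SQL text, so quotes or comment markers in $memo cannot alter the
// statement. Returns the new row id.
function recordTransaction(PDO $pdo, string $account, int $amountCents, string $memo): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO transactions (account, amount_cents, memo) VALUES (:account, :amount, :memo)'
    );
    $stmt->execute([':account' => $account, ':amount' => $amountCents, ':memo' => $memo]);
    return (int) $pdo->lastInsertId();
}

// Read back the rows for one account, again with a bound parameter.
function transactionsFor(PDO $pdo, string $account): array
{
    $stmt = $pdo->prepare(
        'SELECT id, amount_cents, memo FROM transactions WHERE account = :account ORDER BY id'
    );
    $stmt->execute([':account' => $account]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Encode at output time, not at input time: the stored memo keeps its original
// characters, and the browser receives them as text rather than as markup.
function renderRow(array $row): string
{
    $memo = htmlspecialchars($row['memo'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return sprintf(
        '<tr><td>%d</td><td>%s</td><td>%s</td></tr>',
        $row['id'],
        number_format($row['amount_cents'] / 100, 2),
        $memo
    );
}

// Constructed sample input: an apostrophe, angle brackets, an ampersand and
// double quotes, which would all need care in string-built SQL or raw HTML.
$pdo = openDatabase();
$inputs = [
    ['account' => 'acct-42', 'amount' => '1999', 'memo' => "Rent for O'Brien"],
    ['account' => 'acct-42', 'amount' => '500',  'memo' => '<b>bold</b> & "quoted"'],
    ['account' => 'acct-42', 'amount' => '19,99', 'memo' => 'malformed amount'],
];

foreach ($inputs as $input) {
    $cents = parseAmountCents($input['amount']);
    if ($cents === null) {
        echo "rejected: amount '{$input['amount']}' is not a positive integer\n";
        continue;
    }
    recordTransaction($pdo, $input['account'], $cents, $input['memo']);
}

foreach (transactionsFor($pdo, 'acct-42') as $row) {
    echo renderRow($row), "\n";
}
```

Run with `php example.php`: the third input is rejected before it reaches the database, the first two rows are stored exactly as typed, and the rendered table cells contain `O&apos;Brien` and `&lt;b&gt;bold&lt;/b&gt; &amp; &quot;quoted&quot;`, so the stored text and the HTML encoding are kept as separate concerns.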
Wow, thanks 2v. I'm going to use that now :)
 
0
Thanks V2!
:)
 
0
Thanks a lot SV, always been too lazy to make one of those. :) Gonna give you some rep.
 
0
No prob, glad to help ;)
 
0
Could you explain some parts of the code please?

What does "@si" do?
What is the point of putting "@" at the beginning of every string?

Thanks 2v! :)
 
0