| Path | csiph.com!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail |
|---|---|
| From | "J.O. Aho" <user@example.net> |
| Newsgroups | comp.lang.php |
| Subject | Re: New php project from scractch, PDO |
| Date | Sat, 7 Mar 2026 13:19:50 +0100 |
| Lines | 86 |
| Message-ID | <n12jf6F74pdU1@mid.individual.net> (permalink) |
| References | <10njo8g$3n983$2@dont-email.me> <n05rh8Fkfm1U1@mid.individual.net> <10ogu0k$1ekv9$1@dont-email.me> |
| Mime-Version | 1.0 |
| Content-Type | text/plain; charset=UTF-8; format=flowed |
| Content-Transfer-Encoding | 7bit |
| X-Trace | individual.net xNZPQ9l3khKg2qdiHyd2QQ0kH3H+NR9BEPxyu83gu017rdjCPG |
| Cancel-Lock | sha1:GVnY16t8BWxS/0EbnECGJp9A4vs= sha256:LIO9tY8W/2qw/NF0TegNonQObAHlIGs/oyPZqukm7Us= |
| User-Agent | Mozilla Thunderbird |
| Content-Language | en-US-large |
| In-Reply-To | <10ogu0k$1ekv9$1@dont-email.me> |
| Xref | csiph.com comp.lang.php:19616 |
On 07/03/2026 11.17, ^Bart wrote:
>
> Thanks for your reply! :)
>
>> I think this is more about layering the application, the frontend I
>> guess is written in PHP while the backend is written in Python.
>
> Frontend and backend (the admin backpanel) are written in php and I
> think I understood I should use PDO...

As this ain't anymore about python, remove that part in the subject and the crossposting to the python newsgroup.

>> I would keep that separation and only allow the backend to access the
>> database, also keep it on such a level that the backend doesn't trust
>> the data from the frontend, that all data is validated before use,
>> sure the frontend shouldn't trust the users and should validate their input.
>
> I need to know how to plan my project to improve security, my website
> and mobile app will be like a social network, I'll have (I hope!) a lot
> of users which will have their data shown on the frontpanel and a
> backpanel where the admin will manage all data and "power users" a piece
> of data.

Keep in mind the backoffice part (what the admin uses) ain't the same as the backend; the backend tends to be a "service" which talks with the database layer, sanitizes the data from the front end before making queries to the database, and filters/reformats the data to something easier to handle by the front end. If things go wrong the backend will send an error message that doesn't leak details of the fault (log it to disk or a remote log server). When using input, use PDO::prepare as this will help with the risk of SQL injection.

The two frontends (client site and backoffice) will send requests to the backend to fetch the data they need; sure, the data should be validated before sending to the backend. Display somewhat generic error messages if the backend says things went wrong. Don't forget to verify that the request to the backend is always done by an authenticated and authorized user.

Passwords should always be hashed with a "random" salt, and do have a length requirement on the password, as length tends in the end to be what makes the difference on brute force attacks.

Keep in mind that you don't have to build your own verification/sanitation for everything, a lot of things are already built into PHP, you can use filter_var.

>> Sure you could have been able to write everything in one or the other
>> language (python can do both frontend and backend, as you can do with
>> php too even if less common), but I doubt you have the power to decide this.
>
> Now I'm writing the project in my free time and I can do everything but
> I'd like to do the best things for security, I'm a Unix-like user from
> 1996, I use Debian from 2003 and also Kali for pentest.

If you feel uncertain with security, you could try out OWASP Top 10 The Game
https://top10thegame.org/en/

You have also this interactive site based on the above game
https://www.opensecproject.com

For the project itself I would go with the Cornucopia
https://cornucopia.owasp.org

Don't forget to use something like phpunit to have unit tests, this way when you do a change you can easily see that the change doesn't break expected results. Also it can be good to unit test the database procedures; for t-sql you have tsql that can be used for unit testing things in the database.

MySQL: https://dev.mysql.com/doc/dev/mysql-server/latest/PAGE_UNIT_TESTS.html

Postgres: https://pgtap.org
https://medium.com/@vbilopav/unit-testing-and-tdd-with-postgresql-is-easy-b6f14623b8cf

Most of that you may already know quite well.

--
//Aho
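An added example (not code from the post or any project it mentions) of the backend pattern the reply describes: validate front-end input with filter_var, run the query through PDO::prepare with bound parameters, hash passwords with password_hash (which picks a random salt per password), and return a generic error to the caller while logging the details server-side. The users table, DSN and credentials are assumed placeholders.

```php
<?php
declare(strict_types=1);
// Added example, not code from the post. Assumed schema: users(id, email, password_hash);
// the DSN and credentials are placeholders.
const MIN_PASSWORD_LENGTH = 12; // length is what matters most against brute force
function connect(): PDO {
    $pdo = new PDO('pgsql:host=localhost;dbname=app', 'app_user', 'PLACEHOLDER');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // fail loudly, never silently
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);         // real server-side prepares
    return $pdo;
}

// Validate front-end data with PHP's built-in filters before it reaches a query.
function validateCredentials(array $input): ?array {
    $email = filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $password = (string) ($input['password'] ?? '');
    if ($email === false || strlen($password) < MIN_PASSWORD_LENGTH) {
        return null;
    }
    return ['email' => $email, 'password' => $password];
}

function registerUser(PDO $pdo, array $input): array {
    if (($creds = validateCredentials($input)) === null) {
        return ['ok' => false, 'error' => 'Invalid email or password too short'];
    }
    try {
        // Bound parameters: the values are never spliced into the SQL text.
        $stmt = $pdo->prepare('INSERT INTO users (email, password_hash) VALUES (:email, :hash)');
        $stmt->execute([
            ':email' => $creds['email'],
            ':hash'  => password_hash($creds['password'], PASSWORD_DEFAULT), // fresh random salt each call
        ]);
        return ['ok' => true];
    } catch (PDOException $e) {
        error_log('registerUser failed: ' . $e->getMessage());     // details stay on the server
        return ['ok' => false, 'error' => 'Registration failed']; // generic message to the front end
    }
}
function loginUser(PDO $pdo, array $input): bool {
    if (($creds = validateCredentials($input)) === null) {
        return false;
    }
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $creds['email']]);
    $hash = $stmt->fetchColumn();
    // password_verify() reads the salt from the stored hash and compares in constant time.
    return $hash !== false && password_verify($creds['password'], $hash);
}
```

Whether registration or login fails on validation, a database error, or a wrong password, the front end only ever sees a boolean or a generic message; the PDOException text goes to error_log only.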
New php project from scractch, PDO or psycopg? ^Bart <none@none.it> - 2026-02-24 09:41 +0100
Re: New php project from scractch, PDO or psycopg? Arne Vajhøj <arne@vajhoej.dk> - 2026-02-24 07:40 -0500
Re: New php project from scractch, PDO or psycopg? "J.O. Aho" <user@example.net> - 2026-02-24 15:39 +0100
Re: New PHP project from scratch, PDO or psycopg? Lawrence D’Oliveiro <ldo@nz.invalid> - 2026-02-24 20:29 +0000
Re: New php project from scractch, PDO or psycopg? ^Bart <none@none.it> - 2026-03-07 11:17 +0100
Re: New php project from scractch, PDO "J.O. Aho" <user@example.net> - 2026-03-07 13:19 +0100