PHP Security Pt 2

In this PHP Security video I show you how hackers break into web applications and how to secure your site. I cover SQL injection, code injection, encryption, data validation, and email verification.
All Code is Here

37 responses to “PHP Security Pt 2”

  1. Eric k. Gloto

    Thanks very much, sir!
    But I have been wondering why you didn't use prepared statements in your various SQL queries,
    and also why you didn't use mysqli but used mysql. Why?
    Please help explain.

  2. Sumit Singh

    Very good tutorial, I am going to update my shitty code. But I am still asking: is multilayer security necessary? I mean, they say queries through real_escape_string or prepared statements are as secure as it can be.

  3. odunlade oluwaseun

    Please sir, can you do a tutorial on building a safe contact form? I started learning PHP a week ago and am stuck on that. You are an inspiration to many in this part of my world. Kudos.

  4. khalid Qweder

    Perfect tutorial.

  5. biff biffson

    Dude, I have seen several of your videos and playlists, and you are a mad wizard on that keyboard. You're amazing. Thank you for your work.

  6. Hadi Mohammadzadeh

    First of all, many thanks for the awesome video.
    You mentioned it is better to leave the phone number as the last field in the Insert command for securing against injection. What happens if someone wants to try all fields, as there are not unlimited fields in the form?

  7. Pengguna PHP

    Why is the 'escape_data' function not built in to PHP?

  8. William Bailes

    Great video.
    For the random order of the $query, could the variable_registration be the last value, since it is set by the server and not by a form?

  9. rising surfer

    Would you say that filter_var($email, FILTER_VALIDATE_EMAIL) is useless, and use regular expressions instead to validate an email?
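The validation the question above is asking about, as an added example that is not code from the video or the site: filter_var() with FILTER_VALIDATE_EMAIL does the syntax check, and the function around it adds the checks that neither filter_var() nor a hand-written regex is responsible for (header-injection characters, length, case normalisation of the domain). The sample addresses at the bottom are constructed; the optional DNS check assumes the domain is reachable and is not called in the demo.

```php
<?php
// Added example (not the video's code): validate an address with
// filter_var(FILTER_VALIDATE_EMAIL), then apply the checks the built-in
// filter is not responsible for. Sample inputs below are constructed.
declare(strict_types=1);

function validateEmail(string $raw): ?string
{
    $email = trim($raw);

    // Header injection: CR/LF or NUL in a value that later lands in a mail
    // header lets the sender append extra Bcc:/Cc: lines. Reject outright.
    if (preg_match('/[\r\n\0]/', $email)) {
        return null;
    }
    // RFC 5321 limits the whole address to 254 characters.
    if (strlen($email) > 254) {
        return null;
    }
    // filter_var() does the syntax check; on success it returns the string,
    // on failure it returns false. A hand-written regex is no stronger here.
    $valid = filter_var($email, FILTER_VALIDATE_EMAIL);
    if ($valid === false) {
        return null;
    }
    // Domains are case-insensitive: lower-case the part after the last '@'
    // so the same mailbox cannot register twice as alice@Example.com and
    // alice@example.com. The local part is left as typed.
    $at = strrpos($valid, '@');
    return substr($valid, 0, $at) . '@' . strtolower(substr($valid, $at + 1));
}

// Optional second step: does the domain actually receive mail?
// This performs DNS lookups, so call it only after the syntax check passes
// and not in unit tests.
function domainAcceptsMail(string $email): bool
{
    $domain = substr($email, strrpos($email, '@') + 1);
    return checkdnsrr($domain, 'MX') || checkdnsrr($domain, 'A');
}

// Constructed inputs: a clean address, one needing normalisation,
// a double '@', a header-injection attempt, and plain garbage.
$samples = [
    'alice@example.com',
    '  Bob@Example.COM  ',
    'alice@@example.com',
    "alice@example.com\r\nBcc: victim@example.net",
    'not an email',
];
foreach ($samples as $input) {
    printf("%-50s -> %s\n", json_encode($input), validateEmail($input) ?? 'rejected');
}
```

Run it with `php validate_email.php`; each sample prints either the normalised address or `rejected`. The CR/LF check is deliberately separate from filter_var() so the intent is visible to whoever maintains the form later, even though a newline never passes the syntax filter either.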

  10. rising surfer

    Can you just use die() instead of trigger_error?

  11. bujashaka

    Is numrows a safe way? Can a hacker somehow set it to 1? Should I trust the login check from the DB numrows as the way?

  12. anthony villaluz

    Ahm, sir... do you know a site that is a free web hosting site? 🙂

  13. Derek Banas

    No, sorry. I plan on covering Zend some day because I use it in the real world, but I'll be making Android apps and games for a while.

  14. Virtous

    Hey Derek, do you have any tutorials on the Zend framework?

  15. Derek Banas

    Yes, this needs to be dramatically updated. This video is pretty old. I now use frameworks.

  16. Mike Reed

    Yikes! A lot wrong here.

    1) Not using PDO or MySQLi? Prepared statements are the best way to defeat a SQL injection.
    2) You're not hashing/salting your password entries? You're in a lawsuit if your database ever gets breached.
    3) Always generate a form in JS/jQuery. The form you're using now is wide open to BOTS. Use it as a honeypot.
    4) Don't EVER have the user/password to your database in the actual PHP source code. Use a config file and block access to it in the .htaccess.
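Points 1, 2 and 4 of the comment above, and the earlier questions about prepared statements (comment 1) and whether a row count is the right login check (comment 11), as an added example that is not code from the video or the site: the string-built query of the tutorial era is shown once, marked, next to a PDO prepared-statement version with password_hash()/password_verify(). The `users` table (user_id, email, password_hash) is an assumption; the demo creates it in an in-memory SQLite database so the file runs stand-alone, and the function and data names are mine.

```php
<?php
// Added example (not the video's code): the string-built query from the
// tutorial era beside a PDO prepared-statement version, with the password
// stored via password_hash(). Assumes a `users` table with columns
// user_id, email and password_hash; the demo builds one in SQLite so the
// file runs stand-alone. Demo data is constructed.
declare(strict_types=1);

// 1) The pattern the comments object to. $email is pasted straight into SQL,
//    so an input of  x' OR '1'='1  changes the query's logic. Shown only
//    to make the difference visible; do not use.
function findUserUnsafe(PDO $db, string $email): ?array
{
    $sql = "SELECT user_id FROM users WHERE email = '$email'";   // injectable
    $row = $db->query($sql)->fetch();
    return $row === false ? null : $row;
}

// 2) Connection. Credentials are parameters so they can be loaded from a
//    config file outside the web root, never hard-coded next to the queries.
//    For MySQL the DSN looks like 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4'.
function connect(string $dsn, ?string $user, ?string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,  // fail loudly
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// 3) Registration: the values are bound, never concatenated, and the password
//    is hashed with a per-user salt that password_hash() generates itself.
function registerUser(PDO $db, string $email, string $password): int
{
    $stmt = $db->prepare('INSERT INTO users (email, password_hash) VALUES (:email, :hash)');
    $stmt->execute([
        ':email' => $email,
        ':hash'  => password_hash($password, PASSWORD_DEFAULT),
    ]);
    return (int) $db->lastInsertId();
}

// 4) Login: fetch the hash by bound e-mail and let password_verify() decide.
//    A row count is not the check; the verify result is. Returns the user id
//    on success, null otherwise.
function loginUser(PDO $db, string $email, string $password): ?int
{
    static $dummyHash = null;
    $dummyHash ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);

    $stmt = $db->prepare('SELECT user_id, password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch();

    // Unknown account: still run a verify against a dummy hash so response
    // time does not reveal which e-mails exist.
    $storedHash = $row === false ? $dummyHash : $row['password_hash'];
    if (!password_verify($password, $storedHash) || $row === false) {
        return null;
    }
    // Upgrade old hashes transparently when the default cost/algorithm changes.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $db->prepare('UPDATE users SET password_hash = :hash WHERE user_id = :id')
           ->execute([':hash' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['user_id']]);
    }
    return (int) $row['user_id'];
}

// Stand-alone demo with constructed data.
$db = connect('sqlite::memory:', null, null);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY AUTOINCREMENT,
                               email TEXT UNIQUE NOT NULL, password_hash TEXT NOT NULL)');
registerUser($db, 'alice@example.com', 'correct horse battery staple');

$probe = "x' OR '1'='1";
var_dump(findUserUnsafe($db, $probe));   // string-built: the OR clause becomes part of the SQL
var_dump(loginUser($db, $probe, 'x'));   // bound as data: just an e-mail that does not exist
var_dump(loginUser($db, 'alice@example.com', 'wrong password'));
var_dump(loginUser($db, 'alice@example.com', 'correct horse battery staple'));
```

Run with `php users.php` (needs the pdo_sqlite extension). The same four calls against MySQL only need the DSN in connect() changed; the bound parameters are what keep the probe string from being interpreted as SQL, not any escaping of the input.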

  17. bobby blue

    Thanks. Waiting for the Zend tutorial. :))

  18. Derek Banas

    Yes, using Zend makes it much easier to secure a site. That is what I have used for years to make sites. I'll do a tutorial on it soon.

  19. selfhelpguy

    Great video. I have a question. When you use a powerful framework like Zend or Symfony, do you think it's safe to let the framework handle the security?

  20. dashbyictfd

    It isn't a case of picking, I was just unsure. I have read some of the notices on your site re: past questions that have been asked, but while going through your code I just noticed that and was wondering, as I thought it would lose the value of the first variable when taking the value of the second. Thanks.

  21. Derek Banas

    Yes, you can pass the same variable and check for the same variable. If I were to do this again I wouldn't have done it this way, but I made this back in the day when I focused more on making things understandable over making them right while explaining why I was doing what I was doing.

  22. Derek Banas

    You could just write to a text file anytime somebody does something odd that could be a security threat

  23. dashbyictfd

    I have just copied the code for both tutorials. I am getting undefined variable errors, so to get round this I am initializing them at the top of the page; one by one the errors are going. Is this the right thing to do? Also, in your code at line 149:

    if ($fn && $ln && $e && $p && $fn && $s && $c && $st && $z && $ph) {
    $query = "SELECT user_id FROM users WHERE email='$e'";

    there are two $fn entries. Can you advise: is this just a typo, or can you use the same variable for two entries?


  24. dashbyictfd

    You mention having a log should someone try to enter malicious code. What is the best way to implement this, and how? Your recommendations.
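One way to do the "write to a text file" logging that the question above asks about and the reply in comment 22 suggests, as an added example that is not code from the video or the site: the record is written as one JSON object per line, so control characters in the attacker's input are escaped and cannot forge a second log line, and the file is appended under an exclusive lock. The detection rule, log path, field names and the submissions at the bottom are all assumptions constructed for the demo.

```php
<?php
// Added example (not the video's code): the "write to a text file" idea
// from the comments, done so that the attacker's input cannot forge
// log lines. The detection rule and the log path are assumptions; the
// inputs at the bottom are constructed.
declare(strict_types=1);

function logSuspicious(string $event, array $context, ?string $file = null): void
{
    // Put the real file outside the web root so it cannot be fetched over HTTP.
    $file ??= sys_get_temp_dir() . '/security.log';
    $record = [
        'time'  => date(DATE_ATOM),
        'ip'    => $_SERVER['REMOTE_ADDR'] ?? 'cli',
        'event' => $event,
    ] + $context;
    // One JSON object per line. json_encode() escapes \r, \n and other
    // control characters, so a value like "x\nfake line" stays on one line
    // instead of injecting a second, forged record.
    $line = json_encode($record, JSON_UNESCAPED_SLASHES | JSON_INVALID_UTF8_SUBSTITUTE) . PHP_EOL;
    // LOCK_EX keeps records from two concurrent requests from interleaving.
    file_put_contents($file, $line, FILE_APPEND | LOCK_EX);
}

// A coarse tripwire for a free-text name field; tune it per field. Logging
// is in addition to binding or escaping the value, not instead of it.
function looksSuspicious(string $value): bool
{
    return (bool) preg_match('/[\'";<>\r\n\0]|--|\/\*|\b(union|select|sleep)\b/i', $value);
}

// Constructed form submissions: a normal name, an injection attempt, and
// a value that tries to smuggle a forged record into the log.
$submissions = [
    ['first_name' => 'Alice'],
    ['first_name' => "Robert'); DROP TABLE users;--"],
    ['first_name' => "x\n{\"event\":\"forged\"}"],
];
$logFile = sys_get_temp_dir() . '/security-demo.log';
@unlink($logFile);
foreach ($submissions as $fields) {
    foreach ($fields as $name => $value) {
        if (looksSuspicious($value)) {
            logSuspicious('suspicious_input', ['field' => $name, 'value' => $value], $logFile);
        }
    }
}
echo file_get_contents($logFile);
```

Run with `php seclog.php`; the printed file has exactly one line per flagged submission, with the embedded newline of the third input visible as `\n` inside the JSON string rather than as a line break. Whatever reads the log later (grep, a SIEM shipper) can then trust the line boundaries.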

  25. Derek Banas

    I'm going to completely redo this tutorial at some point because I use frameworks for security now

  26. dashbyictfd

    Where you use encryption, SHA, is that SHA1 or 2? If it is 1, could you do a tutorial on SHA2, where you can use the strongest standard available to us? Thanks.

  27. Derek Banas

    Thank you 🙂 I do my best

  28. Derek Banas

    I agree, and I wish I had taken this tutorial to completion. Years ago when I made this I tended to rush parts, which was a mistake that I haven't made for at least the last 1 1/2 years. I used to not focus on making perfect tutorials like I do now.

  29. Phoenix

    In actuality, MD5 is a pseudo-random function. While deterministic, it does produce output that is, to a certain degree, indistinguishable from randomness (although MD5 is broken; you should use a hash function like SHA-256 or RIPEMD-160). Regardless, the output of MD5 in this case will only be as strong as its input, hence MD5 is unnecessary. For your purposes, the output of mt_rand() should be sufficient.

  30. Derek Banas

    You're very welcome 🙂 I'm glad you are enjoying it. I'll be updating it soon with more on PHP frameworks and social network stuff

  31. Rakesh Kumar

    Thank you sir for such a nice video tutorial. Really, it is creating interest in PHP. I am learning PHP because of your videos. Thanks a lot. Really, you are a PHP mentor for me.

  32. Derek Banas

    Thanks for the input. This video is getting a bit dated since it was made so long ago

  33. Aki Nova

    MD5 is not "another random string", but a crypto hash and therefore the opposite of being random. Besides that, in PHP it's advisable to use the Mersenne Twister RNG mt_rand() over rand() and to initialize a seed for the RNG yourself.
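The two comments above (29 and 33) are about where the randomness of a token actually comes from. As an added example that is not code from the video or the site, here is the e-mail verification token the video's topic list mentions, generated from the OS CSPRNG via random_bytes() instead of md5() over an mt_rand() value, stored as a hash, expired, and consumed on first use. The `email_tokens` table (user_id, token_hash, expires_at) and the user id 42 are assumptions; the demo uses in-memory SQLite so it runs stand-alone.

```php
<?php
// Added example (not the video's code): generating and checking an e-mail
// verification token. random_bytes() replaces the md5(mt_rand()) pattern
// discussed in the comments: mt_rand() is not a CSPRNG and md5() cannot
// add entropy that its input never had. Table/column names are assumptions;
// the demo data is constructed.
declare(strict_types=1);

// 32 bytes from the OS CSPRNG, hex-encoded so it survives being put in a URL.
function newToken(): string
{
    return bin2hex(random_bytes(32));   // 64 hex characters
}

// Store only a hash of the token: a leaked table then contains nothing
// that can be pasted into the verification link.
function storeToken(PDO $db, int $userId, string $token, int $ttlSeconds = 86400): void
{
    $stmt = $db->prepare(
        'INSERT INTO email_tokens (user_id, token_hash, expires_at) VALUES (:uid, :hash, :exp)'
    );
    $stmt->execute([
        ':uid'  => $userId,
        ':hash' => hash('sha256', $token),
        ':exp'  => time() + $ttlSeconds,
    ]);
}

// Look the token up by its hash, reject expired rows, delete on success so
// the link works exactly once. Returns the user id or null.
function consumeToken(PDO $db, string $token): ?int
{
    // Shape check before touching the database: anything that is not
    // 64 lowercase hex characters was not issued by newToken().
    if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return null;
    }
    $hash = hash('sha256', $token);
    $stmt = $db->prepare(
        'SELECT user_id, token_hash, expires_at FROM email_tokens WHERE token_hash = :hash'
    );
    $stmt->execute([':hash' => $hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires_at'] < time()) {
        return null;
    }
    // Constant-time comparison; the lookup already matched, this guards the
    // case where the column collation is looser than an exact byte match.
    if (!hash_equals($row['token_hash'], $hash)) {
        return null;
    }
    $db->prepare('DELETE FROM email_tokens WHERE token_hash = :hash')->execute([':hash' => $hash]);
    return (int) $row['user_id'];
}

// Stand-alone demo on in-memory SQLite with constructed data.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE email_tokens (user_id INTEGER NOT NULL,
                                      token_hash TEXT PRIMARY KEY,
                                      expires_at INTEGER NOT NULL)');

$token = newToken();
storeToken($db, 42, $token);
// The mail sent to the user carries $token, e.g. /verify.php?t=<token>.
var_dump(consumeToken($db, $token));                 // first use
var_dump(consumeToken($db, $token));                 // second use: row already deleted
var_dump(consumeToken($db, md5((string) mt_rand()))); // wrong shape: never reaches the database
```

Run with `php verify_token.php`. The expiry is enforced in code rather than by a database job so a stale row cannot be redeemed in the window before cleanup; the hash in the table means the token itself exists only in the user's mailbox and in the request that redeems it.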

  34. Derek Banas

    You're very welcome 🙂 Yes, any added checks will almost always improve security.

  35. 0u73rh34v3n

    Very nice tutorial.
    I just had an idea for an added precaution for a row insertion.
    I'd probably have the last value being inserted into the table be something that isn't pulled from input fields. This could be something like a timestamp, using CURRENT_TIMESTAMP or whatever.

    Thanks again for the tutorial. Very informative.
