
Secure Website Development Considerations

5 May 2009

34SP.com Staff

Two important considerations in the website development process are security and stability. Whether your applications are running from a standard website hosting account, a reseller hosting account, or on a virtual server, there are a few best practices to observe. This post offers some suggestions for building a secure and stable web application. The following four items will be covered:

1. Complex Ambiguous Passwords
2. Database Structure and Optimization
3. Server Side versus Client Side
4. A Hello World PHP/MySQL application

Complex Ambiguous Passwords

FTP and database credentials protect your site from hackers and opportunists. Unauthorized access to files and databases can corrupt your site or put your clients at risk of malicious attacks. When purchasing a Professional website hosting or Business hosting plan, VPS or server, make sure your passwords are highly complex – a mixture of letters and numbers and longer than 7 characters. Don’t reuse a password from another third party login if you can help it. Passwords should not be obvious or personal to you; using your surname, for example, is not secure.

Database passwords are used less often than FTP passwords and will be stored in a server side script somewhere within your application. With this in mind, make your database password as ambiguous and complex as possible: I recommend something completely random and as long as your Plesk configuration will allow (the limit is generally 12 characters).
If you forget your password(s) at any time, contact our support team and they will resend the welcome mail to the registered email address.

Database Structure and Optimization

When naming anything in a database, whether databases, tables or fields, make sure the names are a sensible length and meaningful. For example our database will be called "hello_world" and the table "greeting". Do not use spaces in database, table or field names. Three aspects of database structure are covered here:

• Primary and multi keys,
• Field types and lengths,
• Future conscious architecture.

Keys tell your database which fields will commonly be used in the conditions (WHERE clauses) of your queries. This post will discuss the most common keys – Primary and Multi. Primary keys should be auto incrementing (automatically stepping up 1 with each new row) and should be the definitive point of reference when using update, delete and select queries. A table can only have one primary key. Multi keys (non-unique indexes, shown as MUL by SHOW COLUMNS) give you the same quick comparison as a Primary key without the auto incrementation, and you can have more than one Multi key within one table. Appropriate use of keys will make tables substantially faster, especially as your database grows; use the OPTIMIZE TABLE command to speed up your queries on larger tables.

When creating a database table you should take great care to use appropriate data types for each field. For example, numeric fields should be int, decimal or float; short mixed strings varchar; dates date or datetime; long strings text; and so on. The declared length of fields such as varchar determines how much memory MySQL may set aside when processing rows, so don’t be too generous with field lengths.

In time you may want to display more information relating to your existing database entries, for example the date/time a particular row was last updated. When constructing a table, take some time to consider such future requirements, and research MySQL data types and functions.
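As an added example (not code from the original post), here is a small PHP setup script that builds the greeting table with the three choices above applied: an auto-incrementing primary key, a multi key on the stamp column, tight field types and an updated column that covers the "last updated" future requirement. The host name, the credentials and the index name idx_stamp are assumptions.

```php
<?php
// Added example, not code from the original post: a setup script that builds
// the greeting table with the key, type and "future requirement" choices
// discussed above. Host and credentials are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on MySQL errors
$link = mysqli_connect('localhost', 'USERNAME', 'PASSWORD', 'hello_world');

$statements = [
    // Primary key: one auto-incrementing id, the single reference point for
    // UPDATE, DELETE and SELECT. UNSIGNED doubles the usable range.
    // Multi key: a non-unique index on stamp so date-range conditions use the
    // index rather than scanning every row (shown as MUL by SHOW COLUMNS).
    // Future requirement: an updated column that MySQL maintains itself.
    // Types/lengths: VARCHAR(50) is enough for a greeting; NOT NULL where a
    // missing value would be a bug rather than meaningful data.
    "CREATE TABLE IF NOT EXISTS greeting (
        id      INT UNSIGNED NOT NULL AUTO_INCREMENT,
        message VARCHAR(50)  NOT NULL,
        stamp   DATETIME     NOT NULL DEFAULT CURRENT_TIMESTAMP,
        updated TIMESTAMP    NOT NULL DEFAULT CURRENT_TIMESTAMP
                             ON UPDATE CURRENT_TIMESTAMP,
        PRIMARY KEY (id),
        KEY idx_stamp (stamp)
    ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4",
    "INSERT INTO greeting (message) VALUES ('Hello World! (MySQL)')",
    // Rebuilds the table and refreshes index statistics; worth running on
    // large tables after many deletes or updates.
    "OPTIMIZE TABLE greeting",
];

foreach ($statements as $sql) {
    mysqli_query($link, $sql); // any failure throws mysqli_sql_exception
}
echo "hello_world schema ready\n";
```

DEFAULT CURRENT_TIMESTAMP on a DATETIME column requires MySQL 5.6.5 or later.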

Server Side versus Client Side

Client side technologies and languages such as AJAX and Flash can help website users enjoy their site experience and, in moderation, assist with navigation and understanding of your website content. Much of the client side media is limited by the user's desktop configuration, Internet security policies and browser settings. At no time should a website designed for the general public rely solely on Flash, JavaScript or AJAX; for example, having the primary navigation in Flash is not a good idea. Another big no-no is using JavaScript to hand data over to databases or server side languages when they could read it directly from the submitted HTML form.

Server side languages and programs are protected from the client side and usually respond to the client with an XHTML reply. As a result of this architecture, server side data handling is far more secure than client side data handling: anything that runs in the browser can be altered or bypassed by the visitor. In summary, do as much as you can on the server (PHP, MySQL, ASP etc.). Only use the client side to output HTML, non-essential effects and design facilitation (AJAX, JavaScript, CSS etc.).

A Hello World PHP/MySQL Application

The first thing I do is build the database structure. You can do this on the MySQL command line, through PHPMyAdmin or another third party program; I prefer the MySQL command line. Here is the raw SQL for our Hello World database:

create database hello_world;

grant all privileges on hello_world.* to 'USERNAME'@'blog.34sp.com' identified by 'PASSWORD';

connect hello_world;

create table greeting (
    id int(11) auto_increment,
    message varchar(50),
    stamp timestamp,
    primary key(id)
);

insert into greeting set message = 'Hello World! (MySQL)';

First we create the database; if you are using Plesk you will have to use the site admin to create your database and user before you can access the database. Next we grant permissions to our database user (change the username and password to something more secure), connect to the database and create the table within the hello_world database. If you are using PHPMyAdmin, simply paste the create table and insert statements into the SQL section of that database.

Next, use an FTP client to access your hosting on the same domain housing your database. I recommend WinSCP for uploading (it also supports SFTP, which unlike plain FTP does not send your password in the clear) or PSPad for live FTP editing. Create a file called index.php in your httpdocs directory, open the file and paste the following PHP code into it:

<?php
// the credentials to access our database
$username = "USERNAME"; // change the username and password
$password = "PASSWORD";
$host = "blog.34sp.com";
$database = "hello_world";

// the mysql_* functions this post originally used were removed in PHP 7,
// so the mysqli equivalents are used; report errors as exceptions so a
// failed connection or query cannot be silently ignored
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

try {
    // connect to the server and select the hello world database in one call
    $connection = mysqli_connect($host, $username, $password, $database);

    // write a basic SQL query to grab our greeting
    $sql = "SELECT message FROM greeting";
    $ret = mysqli_query($connection, $sql); // execute the SQL
    $row = mysqli_fetch_assoc($ret); // bring the first row into PHP, or null if none
    if ($row !== null) { // make sure we have a result
        // escape before output so database content cannot inject HTML
        echo htmlspecialchars($row['message'], ENT_QUOTES, 'UTF-8');
    }
} catch (mysqli_sql_exception $e) {
    // log the detail for the developer; never show it to the client side
    error_log("hello_world: " . $e->getMessage());
    exit("Service temporarily unavailable");
}
?>

If you open a browser and navigate to your hosting domain – you should see Hello World! (MySQL) in your browser. That’s it! Remember to spend more time on database considerations and structure to ensure stable and secure websites and applications. Happy web developing!
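As an added example that is not part of the original post, here is the same page extended so a visitor can add a greeting. Validation, the database write (through a prepared statement) and escaping of the output all happen on the server, which is the point of the server side versus client side section. The host name, the credentials and the file name index.php are assumptions; it uses the greeting table created earlier in the post.

```php
<?php
// Added example, not code from the original post: the greeting page extended so
// a visitor can add a greeting. Validation, the database write and output
// escaping all happen on the server. Host/credentials are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on MySQL errors
$link = mysqli_connect('localhost', 'USERNAME', 'PASSWORD', 'hello_world');
mysqli_set_charset($link, 'utf8mb4');

// Server-side validation: never assume client-side JavaScript did this.
function valid_message(string $m): bool
{
    return $m !== '' && mb_strlen($m) <= 50; // greeting.message is VARCHAR(50)
}

$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $message = trim((string) ($_POST['message'] ?? ''));
    if (!valid_message($message)) {
        $error = 'The message must be between 1 and 50 characters.';
    } else {
        // Prepared statement: the input travels as a bound parameter and is
        // never concatenated into the SQL text.
        $stmt = mysqli_prepare($link, 'INSERT INTO greeting (message) VALUES (?)');
        mysqli_stmt_bind_param($stmt, 's', $message);
        mysqli_stmt_execute($stmt);
        mysqli_stmt_close($stmt);
        header('Location: index.php', true, 303); // redirect so a refresh does not re-POST
        exit;
    }
}

$rows = mysqli_query($link, 'SELECT message, stamp FROM greeting ORDER BY id');
?>
<!DOCTYPE html>
<html><body>
<?php if ($error !== ''): ?><p><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p><?php endif; ?>
<ul>
<?php while ($row = mysqli_fetch_assoc($rows)): ?>
  <!-- escape everything from the database before it reaches the browser -->
  <li><?= htmlspecialchars($row['message'], ENT_QUOTES, 'UTF-8') ?>
      (<?= htmlspecialchars((string) $row['stamp'], ENT_QUOTES, 'UTF-8') ?>)</li>
<?php endwhile; ?>
</ul>
<form method="post" action="index.php">
  <input name="message" maxlength="50"> <button type="submit">Add greeting</button>
</form>
</body></html>
```

The maxlength attribute on the input is a convenience for the visitor only; the server-side check in valid_message is what actually enforces the limit.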