php - Please, do I need to protect passwords before entry into my server provider's MySQL?
I am designing a small social community site and came across "password hashing" when researching. I host the site on a hosting provider, so I don't know if it's my job to protect users' passwords or their job to secure the databases. Please, if you don't understand the question, ask and I can explain it.
Short answer: both.
It is both your job and their job to secure the database. You should plan for one or both of you failing at this.
Access control
Your job in securing the database starts with what you can manage: the credentials you use, both yourself and the application you are making.
Everything that gives some kind of "privileged access" should be set to require a login, and it should involve a strong password (I recommend using random password generators and/or a password manager). This may include, but is not limited to:
- the database login, both yours and the application's
- FTP
- SSH (consider looking into key based authentication for this)
- admin accounts on the website you're building
The database should require a password to be connected to, and this password should be strong (I recommend a random password generator for this). The same goes for any logins you have to the server itself, which may include things like FTP and SSH, and any logins to the application (such as an admin account) you're building, or to other applications such as phpMyAdmin.
Application security
Your role as the application developer is to secure the application that contacts the database. From the point of view of securing the database, you are mostly worried about SQL injection. You mention you are familiar with it, so I'll skip the basics.
Strongly consider using parameterized queries or an ORM.
If you rely on escaping parameters every time you write a query, you need to make 0 mistakes for your database to be secure. A single mistake can have serious consequences.
Using parameterized queries or an ORM can take care of this for you, so you don't need to worry about it, and you are less likely to have SQL injection vulnerabilities as a result.
You also need to follow other security best practices when building your application - for example, remote code execution vulnerabilities can result in database access even if no SQL injection vulnerabilities are present.
Planning for a breach anyway
Given how common SQL injection vulnerabilities are, it's best practice to try to mitigate the consequences as much as possible. This is where password hashing comes in.
A brief summary: the objective is to make it time consuming for an attacker to determine the passwords given the data stored in the database. The best options for this are things like bcrypt and scrypt. You want something secure, scrutinized, and in particular: slow.
Avoid fast things such as MD5 and the SHA family.
Appendix: if you manage the database server
In a shared hosting arrangement, the host is running the database server for you. If you're managing it yourself - for example, if you had to download and install the database server application - you have more work to do.
You need to keep the database software - and in fact all software on the server, including the operating system - up to date to ensure you have the latest security patches.
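The two points above (parameterized queries instead of manual escaping, and slow password hashing with bcrypt) in one PHP snippet. This is an added example, not code from the question or the answer; the DSN, the `app_user` credentials and the `users` table with a `password_hash` column are assumptions.

```php
<?php
// Added example: PDO prepared statements plus password_hash()/password_verify().
// The DSN, credentials and `users(username, password_hash)` table are assumed.
declare(strict_types=1);

const BCRYPT_OPTS = ['cost' => 12]; // cost is what makes bcrypt deliberately slow

function connect(): PDO {
    // Use a dedicated low-privilege database user with a strong random password.
    return new PDO(
        'mysql:host=localhost;dbname=community;charset=utf8mb4',
        'app_user', 'long-random-password-from-a-generator',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
        ]
    );
}

function registerUser(PDO $pdo, string $username, string $password): void {
    // Store only the bcrypt hash; the plaintext password is never written to the DB.
    $hash = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTS);
    // The unsafe pattern the answer warns about would be string concatenation:
    //   "INSERT INTO users ... VALUES ('" . $username . "', ...)"
    // Bound parameters mean the driver never treats user input as SQL.
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function loginUser(PDO $pdo, string $username, string $password): bool {
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Unknown user: verify against a dummy hash so the response time does not
        // reveal whether the username exists.
        static $dummy = null;
        $dummy ??= password_hash('dummy', PASSWORD_BCRYPT, BCRYPT_OPTS);
        password_verify($password, $dummy);
        return false;
    }
    if (!password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Transparently upgrade older hashes if the cost factor was raised since storage.
    if (password_needs_rehash($row['password_hash'], PASSWORD_BCRYPT, BCRYPT_OPTS)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :h WHERE username = :u');
        $upd->execute([':h' => password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTS), ':u' => $username]);
    }
    return true;
}
```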