PHP Security - Introduction

Security and Usability

It is unfortunate but true that every additional feature that you add to your processing to increase security will result in a corresponding decrease in usability.

What this means is that you can never make your script 100% secure because doing so will also result in its being 0% usable.The only 100% secure PHP script is the one you don't place on a computer and so no one will have any access to run it in the first place.

Instead of aiming for making your script completely secure you need to decide on just where the line between security and usability needs to be for each particular script. It will almost certainly vary depending on just what your script is doing as to how secure or how usable that the particular script needs to be.A script that allows access to money needs to be far more secure than a blog or forum needs to be.Compromises to security in some scripts may be inconvenient whereas similar compromises in other scripts may be catestrophic.

The types of things you need to secure against will also differ in importance. Some forms of code injection need to be prevented regardless of what your script is supposed to be doing because the harm such injection causes is independent of the nature of the original script. Just how secure you try to make other things such as login scripts will depend much more on what would be exposed if the security is compromised.

When determining what security features you should include in your processing beyond the basics will therefore vary depending on just exactly what it is that your script is supposed to do.

Yet another thing that should have an effect on your decisions about security is just how knowledgeable that your regular users are expected to be. If your users are expected to know a fair bit about how computers work then you may be able to do away with some of those features of the script that make it easier for the less knowledgeable users to interact correctly with the script which may also be providing someone trying to break into the script with clues as to how they can achieve their goal.

It is well worth spending some time at the start deciding what you know about the sort of people you expect to use your script and how much damage will be caused if various sorts of security hole are exploited so as to determine just how your particular script needs to deal with the compromise between security and usability.


This article written by Stephen Chapman, Felgall Pty Ltd.

go to top

FaceBook Follow
Twitter Follow