Jump to content

Question

Posted

So I'm working on a Social Network called MyLovr.com and it will most likely run on FuelPHP, I would've said WP + BP, but I prefer something clean in the framework, from scratch at least, and I intend to run the server on PHP 5.4, as we have the fastest server Host Gator could offer, and I prefer bleeding edge, but stable.

The social network is mostly a dating site, but I have more for it in the future as I want to make it a tool for those who need to find themselves before they reach out to others.

Share this post


Link to post
Share on other sites

55 answers to this question

  • 0

Posted

[quote name='Mr.XXIV' timestamp='1356402655' post='595414004']
So I'm working on a Social Network called MyLovr.com and it will most likely run on FuelPHP, I would've said WP + BP, but I prefer something clean in the framework, from scratch at least, and I intend to run the server on PHP 5.4, as we have the fastest server Host Gator could offer, and I prefer bleeding edge, but stable.

The social network is mostly a dating site, but I have more for it in the future as I want to make it a tool for those who need to find themselves before they reach out to others.
[/quote]

interesting! but I hate most frame works with php :p I normally do it all from scratch using PDO.

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='SPEhosting' timestamp='1356403085' post='595414022']
interesting! but I hate most frame works with php :p I normally do it all from scratch using PDO.
[/quote]

Trust me, you'll love Fuel! :D Simply because of their security features, I feel safe with em'. :)

[list]
[*]Input filtering
[*]URI filtering
[*]XSS filtering
[*]Output encoding
[*]CSRF token protection
[*]SQL injection prevention
[/list]
What I actually want to try is using the most secure hash possible when working with user passwords, if that's considered necessary, but I know it's a bit longer than MD5.

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='Mr.XXIV' timestamp='1356403332' post='595414028']
Trust me, you'll love Fuel! :D Simply because of their security features, I feel safe with em'. :)[list]
[*]Input filtering
[*]URI filtering
[*]XSS filtering
[*]Output encoding
[*]CSRF token protection
[*]SQL injection prevention
[/list]
What I actually want to try is using the most secure hash possible when working with user passwords, if that's considered necessary, but I know it's a bit longer than MD5.
[/quote]
you can use sha512 with salt for passwords passwords need to be hashed ... I would also consider encrypting the WHOLE database its a little heavier on the server but if you have alot of personal data you dont want any leads of people to start reverse / social engineering happens

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='SPEhosting' timestamp='1356403713' post='595414040']
you can use sha512 with salt for passwords
[/quote]

Ahh yea! I hear it's actually better than bcrypt. I just need to use the right package for FuelPHP, also with the ability to login with Facebook and Twitter. I think NinjAuth was it. As far as login and getting user info from the database, that'll be my biggest concern for, I need a team for securing and escaping any code that's been created along the way.

How would you want to go about securing the whole database? Besides also making use of SSL later on.
1 person likes this

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='Mr.XXIV' timestamp='1356403981' post='595414044']
Ahh yea! I hear it's actually better than bcrypt. I just need to use the right package for FuelPHP, also with the ability to login with Facebook and Twitter. I think NinjAuth was it. As far as login and getting user info from the database, that'll be my biggest concern for, I need a team for securing and escaping any code that's been created along the way.

How would you want to go about securing the whole database? Besides also making use of SSL later on.
[/quote]

personally ... I would just use PSK with a selected key of choosing ... then all you have to do is keep that key safe.... PDO also stops SQ injection as well as MYSQL escape string ... but no need to use escape string when using pdo I beleive

Share this post


Link to post
Share on other sites
  • 0

Posted

PDO, like mysql and mysqli does not stop SQL injection by default, you have to use it properly to help reduce your SQL injection risks, study the PHP documentation well.
You're basically asking for someone to team up with to make an entire website... As the single creator of a pretty unsuccessful but large-scaled social networking site... Read my signature, two people won't get a large successful site done quickly, 4 years now and it's still not complete.
If you're planning to make a commercial site, then you'd need to stay current with the times and keep up with the large sites, for example.

SHA512 multiple times with a unique salt for each password, you can store the password in sql like this; <hashed password>:<salt> then get the password field from the database, hash the supplied password and see if it matches the hashed password or not.

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='n_K' timestamp='1356407298' post='595414084']
PDO, like mysql and mysqli does not stop SQL injection by default, you have to use it properly to help reduce your SQL injection risks, study the PHP documentation well.
You're basically asking for someone to team up with to make an entire website... As the single creator of a pretty unsuccessful but large-scaled social networking site... Read my signature, two people won't get a large successful site done quickly, 4 years now and it's still not complete.
If you're planning to make a commercial site, then you'd need to stay current with the times and keep up with the large sites, for example.

SHA512 multiple times with a unique salt for each password, you can store the password in sql like this; <hashed password>:<salt> then get the password field from the database, hash the supplied password and see if it matches the hashed password or not.
[/quote]

me and a partner completed a social networking site in 6 months ... we still need to cross some Ts but its pretty much there ... sad thing is we just dont have the cash or time to promote it seeing as we are both in studies .... and I know it does not protect by default but if you code it right then its fine :p trust me I had trouble with my own code at one point because i had to o something with certain expressions but my code blocked it all..... so we put it on hold untill we are done with studies

Share this post


Link to post
Share on other sites
  • 0

Posted

Because FuelPHP has so much that covers many of the risks in several functions, I say it could be done a bit faster, we just need to be able to do the basics of gaining/entering user info and than advancing & escaping the same functions later on, that's why I prefer doing a invite only testing for that reason.

Share this post


Link to post
Share on other sites
  • 0

Posted

What I would strongly recommend to you is that, although is difficult to use because you'll need to learn to use the framework, is to use a CMS such as Drupal.

You'll get most of the features out of the box, and the only thing you'll need to do is learn how to write modules.

But, if used correctly, you can speed up at a quite astonishing speed. Furthermore it will be extremely flexible since you can manipulate all the permissions for your users.

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='Jose_49' timestamp='1356434904' post='595414472']
What I would strongly recommend to you is that, although is difficult to use because you'll need to learn to use the framework, is to use a CMS such as Drupal.

You'll get most of the features out of the box, and the only thing you'll need to do is learn how to write modules.

But, if used correctly, you can speed up at a quite astonishing speed. Furthermore it will be extremely flexible since you can manipulate all the permissions for your users.
[/quote]

I'm honestly more of a WordPress guy than Drupal. FuelPHP can contain many (optional and made by the staff & community) modules and engines that should be carried, including permissions for the users. It's best creating it from scratch on this FuelPHP, because CMS's are honestly a waste of space when it comes to available features and how it's meant to be used.

Also, remember, I plan on using the latest of PHP 5.4 and eventually 5.5 when it's made stable next year, so some things won't come as clean if I use CMS's.

Share this post


Link to post
Share on other sites
  • 0

Posted

Use Symfony.

Share this post


Link to post
Share on other sites
  • 0

Posted

From various comments in this thread, I can see why I'd never ask certain people for system architecture advice...

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='chAos972' timestamp='1356440916' post='595414550']
Use Symfony.
[/quote]

It looks like Symfony's respectively way ahead as far as being up-to-date with web development. Never heard of them and yet they look more advanced as a framework.

[quote name='Kami-' timestamp='1356441418' post='595414560']
From various comments in this thread, I can see why I'd never ask certain people for system architecture advice...
[/quote]

You're right, but everywhere there is an argument for what's best towards something, but that's what makes startups and changes more reasonable and digestible.

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='Kami-' timestamp='1356441418' post='595414560']
From various comments in this thread, I can see why I'd never ask certain people for system architecture advice...
[/quote]

No kidding.

[quote name='SPEhosting' timestamp='1356403085' post='595414022']
interesting! but I hate most frame works with php :p I normally do it all from scratch using PDO.
[/quote]
If you're writing PHP from scratch you'l failing from the start. You'll want a good framework - Symfony is what we used at my last job.

[quote name='n_K' timestamp='1356407298' post='595414084']
SHA512 multiple times with a unique salt for each password, [b]you can store the password in sql like this; <hashed password>:<salt>[/b] then get the password field from the database, hash the supplied password and see if it matches the hashed password or not.
[/quote]
Why on earth would you do this instead of creating a separate column. Wow.

[quote name='Jose_49' timestamp='1356434904' post='595414472']
What I would strongly recommend to you is that, although is difficult to use because you'll need to learn to use the framework, is to use a CMS such as Drupal.
[/quote]
Anyone suggesting Drupal is out of their mind, to put it bluntly.

[quote name='Mr.XXIV' timestamp='1356403981' post='595414044']
Ahh yea! I hear it's actually better than bcrypt. I just need to use the right package for FuelPHP, also with the ability to login with Facebook and Twitter. I think NinjAuth was it. As far as login and getting user info from the database, that'll be my biggest concern for, I need a team for securing and escaping any code that's been created along the way.

How would you want to go about securing the whole database? Besides also making use of SSL later on.
[/quote]
A good framework will handle quite a lot of this for you. And you secure the database by permission, encrypting it is was overkill and wouldn't even do anything since the private key needed to read it would be easily accessible even in a hack.

Symfony uses a salt from memory, and then hashes the password 1000 times over (or any number you want) before storing it.
1 person likes this

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='chAos972' timestamp='1356441760' post='595414564']
No kidding.


If you're writing PHP from scratch you'l failing from the start. You'll want a good framework - Symfony is what we used at my last job.


Why on earth would you do this instead of creating a separate column. Wow.


Anyone suggesting Drupal is out of their mind, to put it bluntly.


A good framework will handle quite a lot of this for you. And you secure the database by permission, encrypting it is was overkill and wouldn't even do anything since the private key needed to read it would be easily accessible even in a hack.

Symfony uses a salt from memory, and then hashes the password 1000 times over (or any number you want) before storing it.
[/quote]

I respect your thoughts on this, I'm definitely looking for the most advanced framework possible to make all of this happen through php 5.4 & how to make this really secure, but fast at the same time. This is it, I'll go with Symfony.

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='chAos972' timestamp='1356441760' post='595414564']
If you're writing PHP from scratch you'l failing from the start. You'll want a good framework - Symfony is what we used at my last job.

Why on earth would you do this instead of creating a separate column. Wow.
[/quote]
Writing PHP from scratch = fail? You're talking pure crap.
Also remember various 'frameworks' have license restrictions, if they don't follow them expect to be screwed over.
Plus you'd have to keep the framework updated in case any security flaws come out, and you learn NOTHING about security using a framework unless you made the framework.

Seperate column slows things down, not very noticable in a small database but when you've got millions of rows and a high database usage, you'd notice it.
1 person likes this

Share this post


Link to post
Share on other sites
  • 0

Posted

I must say, this is a social network to be worked on, so i do require the fastest but really secure database created.

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='n_K' timestamp='1356474603' post='595415262']
Writing PHP from scratch = fail? You're talking pure crap.
Also remember various 'frameworks' have license restrictions, if they don't follow them expect to be screwed over.
Plus you'd have to keep the framework updated in case any security flaws come out, and you learn NOTHING about security using a framework unless you made the framework.
[/quote]
I work professionally as a software engineer so I assure you I'm not talking pure crap. Trying to do anything in bare PHP will more than likely end up in a unmaintainable mess. An MVC framework will compartmentalise everything quite nicely and make future changes much quicker and simpler.

How long would it take you to write your own role-based permissions system, or multi-step forms, or a CRUD control panel? With a framework those could just be config file changes, or a single command line to auto-generate a template-based basic control panel to get you start.

Symfony is supplied under the MIT license, free for commercial and non-commercial use.

Yes, you have to keep a framework updated. If you're writing code properly it should be rather straightforward as your code is separate from the framework's. Updating Symfony is just a simple git pull.

Learning about security isn't the purpose of a framework - you learn about security by learning about security (and experience, of course). I'd put my eggs in the thoroughly unit-tested, open source framework basket than anything written adhoc anyday.

[quote name='n_K' timestamp='1356474603' post='595415262']
Seperate column slows things down, not very noticable in a small database but when you've got millions of rows and a high database usage, you'd notice it.
[/quote]

Ridiculous. For one, string operations are quite expensive, and two, if your database is noticably slower because you added a single extra column then you've probably got other problems like misconfiguration, no-cache, or simply bad hardware.

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='chAos972' timestamp='1356491352' post='595415618']
Ridiculous. For one, string operations are quite expensive, and two, if your database is noticably slower because you added a single extra column then you've probably got other problems like misconfiguration, no-cache, or simply bad hardware.
[/quote]

It's a good thing I have the fastest server Host Gator could offer. Sticking with Symfony since their working with the latest PHP, I'm gonna learn more about their system while I do want a bit of help to get all the plans going for the site and it's features.

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='Mr.XXIV' timestamp='1356491806' post='595415622']
It's a good thing I have the fastest server Host Gator could offer. Sticking with Symfony since their working with the latest PHP, I'm gonna learn more about their system while I do want a bit of help to get all the plans going for the site and it's features.
[/quote]

Symfony's very powerful, but it was very unweildy the first time I was introduced to it at that internship, later job. It took about 6 months to be comfortable working with it. There's also the 1.x versions which you might find simpler than the restructured Symfony 2.

Share this post


Link to post
Share on other sites
  • 0

Posted

It seems to show similarity to FuelPHP but with more useful functions as if I could work with Pagoda Box.

If anything, I should be able to get a good feel of it when January hits. :)

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='Mr.XXIV' timestamp='1356492029' post='595415632']
It seems to show similarity to FuelPHP but with more useful functions as if I could work with Pagoda Box.

If anything, I should be able to get a good feel of it when January hits. :)
[/quote]

Symfony has caching functionality, and caching on different "slots" of the layout. I wrote something were a couple of columns pulled data from twitter/fb which are cached for a few mins, for example.

I spoke with my old company again last week and they actually said they've moved to some caching server software (whose name I forget) that sits in front of the HTTP server and it resulted in 90% of the requests hitting the cache and never touching a backend or database which improved performance significantly. Of course this always depends on how frequently you want things to update.

With that and improvements they took on a company's servers from 4 HTTP, 8 MySQL (the homepage had like 3000 queries, which they also fixed) down to like 1 HTTP and 4 MySQL. They're migrating it to AWS now too so they can scale things up or down much more quickly.

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='chAos972' timestamp='1356492343' post='595415638']
Symfony has caching functionality, and caching on different "slots" of the layout. I wrote something were a couple of columns pulled data from twitter/fb which are cached for a few mins, for example.

I spoke with my old company again last week and they actually said they've moved to some caching server software (whose name I forget) that sits in front of the HTTP server and it resulted in 90% of the requests hitting the cache and never touching a backend or database which improved performance significantly. Of course this always depends on how frequently you want things to update.

With that and improvements they took on a company's servers from 4 HTTP, 8 MySQL (the homepage had like 3000 queries, which they also fixed) down to like 1 HTTP and 4 MySQL. They're migrating it to AWS now too so they can scale things up or down much more quickly.
[/quote]

That makes perfect sense, since this is based on public information being updated, I want to cache-on-update. Not only that, I want to set the cache at levels where, if it's the user profile, cache level is 1, but where you're searching, cache will be at level 3 as there's only an importance for looking for the user itself instead of the info, yet.


I use CloudFlare, so I originally had a plan on saving the requests that way, but I do need something more detailed since privacy is an issue, so not everything can be handled outside the box.

Share this post


Link to post
Share on other sites
  • 0

Posted

Honestly, Symfony is one hell of a framework. Currently taking a look at the profiler and there are lot of things I don't get, even Authentication is what I'm truly trying to understand along with the fact that there's index.

Or seeing it as an MVC, I suppose I could create index.php through the controller. But yet, I don't have enough knowledge yet to do so, so I'm pretty much not trying to touch the system til I understand the basics.

Share this post


Link to post
Share on other sites
  • 0

Posted

+1 for Symfony2. All the other frameworks are a little outdated. There seems to be a lot of people who build sites for hobbies; professional developers will point you to Symfony2 or ZendFramework since they're pretty much the most serious frameworks right now. The rest can be arguably as good, but as far as the latest and greatest Symfony2 or ZendFramework are your bet.

I may join up because I've been developing projects that don't need a framework of such scale. It'd be nice to get to work more with Symfony2.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0

  • Recently Browsing   0 members

    No registered users viewing this page.