55 replies to this topic

[Mr.XXIV]

So I'm working on a Social Network called MyLovr.com and it will most likely run on FuelPHP, I would've said WP + BP, but I prefer something clean in the framework, from scratch at least, and I intend to run the server on PHP 5.4, as we have the fastest server Host Gator could offer, and I prefer bleeding edge, but stable.

The social network is mostly a dating site, but I have more for it in the future as I want to make it a tool for those who need to find themselves before they reach out to others.

[SPEhosting]

Mr.XXIV, on 25 December 2012 - 02:30, said:

So I'm working on a Social Network called MyLovr.com and it will most likely run on FuelPHP, I would've said WP + BP, but I prefer something clean in the framework, from scratch at least, and I intend to run the server on PHP 5.4, as we have the fastest server Host Gator could offer, and I prefer bleeding edge, but stable.

The social network is mostly a dating site, but I have more for it in the future as I want to make it a tool for those who need to find themselves before they reach out to others.

interesting! but I hate most frame works with php I normally do it all from scratch using PDO.

[Mr.XXIV]

SPEhosting, on 25 December 2012 - 02:38, said:

interesting! but I hate most frame works with php I normally do it all from scratch using PDO.

Trust me, you'll love Fuel! Simply because of their security features, I feel safe with em'.

• Input filtering
  
• URI filtering
  
• XSS filtering
  
• Output encoding
  
• CSRF token protection
  
• SQL injection prevention

What I actually want to try is using the most secure hash possible when working with user passwords, if that's considered necessary, but I know it's a bit longer than MD5.

[SPEhosting]

Mr.XXIV, on 25 December 2012 - 02:42, said:

Trust me, you'll love Fuel! Simply because of their security features, I feel safe with em'.

• Input filtering
  
• URI filtering
  
• XSS filtering
  
• Output encoding
  
• CSRF token protection
  
• SQL injection prevention

What I actually want to try is using the most secure hash possible when working with user passwords, if that's considered necessary, but I know it's a bit longer than MD5.

you can use sha512 with salt for passwords passwords need to be hashed ... I would also consider encrypting the WHOLE database its a little heavier on the server but if you have alot of personal data you dont want any leads of people to start reverse / social engineering happens

[Mr.XXIV]

SPEhosting, on 25 December 2012 - 02:48, said:

you can use sha512 with salt for passwords

Ahh yea! I hear it's actually better than bcrypt. I just need to use the right package for FuelPHP, also with the ability to login with Facebook and Twitter. I think NinjAuth was it. As far as login and getting user info from the database, that'll be my biggest concern for, I need a team for securing and escaping any code that's been created along the way.

How would you want to go about securing the whole database? Besides also making use of SSL later on.

[SPEhosting]

Mr.XXIV, on 25 December 2012 - 02:53, said:

Ahh yea! I hear it's actually better than bcrypt. I just need to use the right package for FuelPHP, also with the ability to login with Facebook and Twitter. I think NinjAuth was it. As far as login and getting user info from the database, that'll be my biggest concern for, I need a team for securing and escaping any code that's been created along the way.

How would you want to go about securing the whole database? Besides also making use of SSL later on.

personally ... I would just use PSK with a selected key of choosing ... then all you have to do is keep that key safe.... PDO also stops SQ injection as well as MYSQL escape string ... but no need to use escape string when using pdo I beleive

[n_K]

PDO, like mysql and mysqli does not stop SQL injection by default, you have to use it properly to help reduce your SQL injection risks, study the PHP documentation well.
You're basically asking for someone to team up with to make an entire website... As the single creator of a pretty unsuccessful but large-scaled social networking site... Read my signature, two people won't get a large successful site done quickly, 4 years now and it's still not complete.
If you're planning to make a commercial site, then you'd need to stay current with the times and keep up with the large sites, for example.

SHA512 multiple times with a unique salt for each password, you can store the password in sql like this; <hashed password>:<salt> then get the password field from the database, hash the supplied password and see if it matches the hashed password or not.

[SPEhosting]

n_K, on 25 December 2012 - 03:48, said:

PDO, like mysql and mysqli does not stop SQL injection by default, you have to use it properly to help reduce your SQL injection risks, study the PHP documentation well.
You're basically asking for someone to team up with to make an entire website... As the single creator of a pretty unsuccessful but large-scaled social networking site... Read my signature, two people won't get a large successful site done quickly, 4 years now and it's still not complete.
If you're planning to make a commercial site, then you'd need to stay current with the times and keep up with the large sites, for example.

SHA512 multiple times with a unique salt for each password, you can store the password in sql like this; <hashed password>:<salt> then get the password field from the database, hash the supplied password and see if it matches the hashed password or not.

me and a partner completed a social networking site in 6 months ... we still need to cross some Ts but its pretty much there ... sad thing is we just dont have the cash or time to promote it seeing as we are both in studies .... and I know it does not protect by default but if you code it right then its fine trust me I had trouble with my own code at one point because i had to o something with certain expressions but my code blocked it all..... so we put it on hold untill we are done with studies

[Mr.XXIV]

Because FuelPHP has so much that covers many of the risks in several functions, I say it could be done a bit faster, we just need to be able to do the basics of gaining/entering user info and than advancing & escaping the same functions later on, that's why I prefer doing a invite only testing for that reason.

[Jose_49]

What I would strongly recommend to you is that, although is difficult to use because you'll need to learn to use the framework, is to use a CMS such as Drupal.

You'll get most of the features out of the box, and the only thing you'll need to do is learn how to write modules.

But, if used correctly, you can speed up at a quite astonishing speed. Furthermore it will be extremely flexible since you can manipulate all the permissions for your users.

[Mr.XXIV]

Jose_49, on 25 December 2012 - 11:28, said:

What I would strongly recommend to you is that, although is difficult to use because you'll need to learn to use the framework, is to use a CMS such as Drupal.

You'll get most of the features out of the box, and the only thing you'll need to do is learn how to write modules.

But, if used correctly, you can speed up at a quite astonishing speed. Furthermore it will be extremely flexible since you can manipulate all the permissions for your users.

I'm honestly more of a WordPress guy than Drupal. FuelPHP can contain many (optional and made by the staff & community) modules and engines that should be carried, including permissions for the users. It's best creating it from scratch on this FuelPHP, because CMS's are honestly a waste of space when it comes to available features and how it's meant to be used.

Also, remember, I plan on using the latest of PHP 5.4 and eventually 5.5 when it's made stable next year, so some things won't come as clean if I use CMS's.

[+chAos972]

Use Symfony.

[Kami-]

From various comments in this thread, I can see why I'd never ask certain people for system architecture advice...

[Mr.XXIV]

chAos972, on 25 December 2012 - 13:08, said:

Use Symfony.

It looks like Symfony's respectively way ahead as far as being up-to-date with web development. Never heard of them and yet they look more advanced as a framework.

Kami-, on 25 December 2012 - 13:16, said:

From various comments in this thread, I can see why I'd never ask certain people for system architecture advice...

You're right, but everywhere there is an argument for what's best towards something, but that's what makes startups and changes more reasonable and digestible.

[+chAos972]

Kami-, on 25 December 2012 - 13:16, said:

From various comments in this thread, I can see why I'd never ask certain people for system architecture advice...

No kidding.

SPEhosting, on 25 December 2012 - 02:38, said:

interesting! but I hate most frame works with php I normally do it all from scratch using PDO.

If you're writing PHP from scratch you'l failing from the start. You'll want a good framework - Symfony is what we used at my last job.

n_K, on 25 December 2012 - 03:48, said:

SHA512 multiple times with a unique salt for each password, you can store the password in sql like this; <hashed password>:<salt> then get the password field from the database, hash the supplied password and see if it matches the hashed password or not.

Why on earth would you do this instead of creating a separate column. Wow.

Jose_49, on 25 December 2012 - 11:28, said:

What I would strongly recommend to you is that, although is difficult to use because you'll need to learn to use the framework, is to use a CMS such as Drupal.

Anyone suggesting Drupal is out of their mind, to put it bluntly.

Mr.XXIV, on 25 December 2012 - 02:53, said:

Ahh yea! I hear it's actually better than bcrypt. I just need to use the right package for FuelPHP, also with the ability to login with Facebook and Twitter. I think NinjAuth was it. As far as login and getting user info from the database, that'll be my biggest concern for, I need a team for securing and escaping any code that's been created along the way.

How would you want to go about securing the whole database? Besides also making use of SSL later on.

A good framework will handle quite a lot of this for you. And you secure the database by permission, encrypting it is was overkill and wouldn't even do anything since the private key needed to read it would be easily accessible even in a hack.

Symfony uses a salt from memory, and then hashes the password 1000 times over (or any number you want) before storing it.