This was the meat and potatoes of my reply:
First and foremost, SSL.
You can run a lot of sites well for $20 / month by hosting them on a VPS like Linode. http://linode.com/
Then StartSSL has free bona fide certificates you can use. You'll need to pay for wildcard certificates or the newer enhanced types. https://www.startssl.com/
Next you need to build pages that won't kill your back end.
The reform library will help with XSS and a lot of 'jackassery'. http://code.google.com/p/reform/
I also like jQuery validator to let my users know they screwed up in my forms as they are absentmindedly (or purposefully) trying to wreak havoc. http://jqueryvalidation.org/
Last, your back end.
The reform library from above can help you here again. Make sure that you are getting all the information that you need, or break. Make sure all the information you are getting is of the right type, has acceptable values, and is devoid of clever h4ckr codez, or break. If your variable $pets is expecting 'dog' or 'cat', break on 'hamster' or anything else that isn't 'cat' or 'dog'. If you're expecting text, break on numbers; if you're expecting numbers, break on text. (Your client-side form validation in the browser should already be preventing submission of bad data, so in these last two cases you may be dealing with intentional jackassery.)
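As an added example (not code from the original post, and not using the reform library), here is what "break on anything unexpected" looks like on the server side in plain PHP. The field names, the allow-list and the sample submissions are constructed for illustration; the point is that every field is checked for presence, type and allowed value, and the first failure stops processing.

```php
<?php
// Added example (not from the original post): strict server-side validation
// that rejects ("breaks" on) anything outside the expected shape.
// Field names, allowed values and sample submissions are constructed.

declare(strict_types=1);

final class ValidationException extends RuntimeException {}

/**
 * Validate a submitted form array against an allow-list of fields.
 * Returns a clean array of typed values, or throws on the first problem.
 */
function validateSubmission(array $post): array
{
    $allowedPets = ['cat', 'dog'];

    // Required fields must be present and must be strings (a hostile client
    // can send arrays as $_POST values); missing data is an error, not a default.
    foreach (['pets', 'age', 'nickname'] as $field) {
        if (!array_key_exists($field, $post) || !is_string($post[$field])) {
            throw new ValidationException("Missing or malformed field: $field");
        }
    }

    // Enumerated value: exact (strict) match against the allow-list, nothing else.
    if (!in_array($post['pets'], $allowedPets, true)) {
        throw new ValidationException('pets must be cat or dog');
    }

    // Numeric field: must be an integer in range; "12abc", "1e3" or "seven" is rejected.
    $age = filter_var($post['age'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => 150],
    ]);
    if ($age === false) {
        throw new ValidationException('age must be an integer between 0 and 150');
    }

    // Text field: bounded length and a tight character class, so tags and
    // script fragments never reach the database or a template.
    if (preg_match('/\A[A-Za-z0-9 _-]{1,32}\z/', $post['nickname']) !== 1) {
        throw new ValidationException('nickname contains disallowed characters');
    }

    return ['pets' => $post['pets'], 'age' => $age, 'nickname' => $post['nickname']];
}

// Constructed sample submissions: one good, then several that client-side
// validation would normally stop but a hostile client can send anyway.
$samples = [
    ['pets' => 'dog', 'age' => '7', 'nickname' => 'rex_1'],
    ['pets' => 'hamster', 'age' => '7', 'nickname' => 'rex'],
    ['pets' => 'cat', 'age' => 'seven', 'nickname' => 'tom'],
    ['pets' => 'cat', 'age' => '3', 'nickname' => '<script>alert(1)</script>'],
    ['pets' => 'cat', 'age' => '3'],
];

foreach ($samples as $i => $sample) {
    try {
        $clean = validateSubmission($sample);
        echo "sample $i accepted: " . json_encode($clean) . PHP_EOL;
    } catch (ValidationException $e) {
        echo "sample $i rejected: " . $e->getMessage() . PHP_EOL;
    }
}
```

Only the first sample is accepted; the other four are rejected for the reason named in the exception. Note that the check is an allow-list (what is permitted), not a block-list of known bad strings, which is what makes "break on anything else" hold up against inputs you did not anticipate.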
I like PropelORM, which will help you with PDO access to your database using parameterized SQL. Also worth looking at is Doctrine, another ORM tool. http://propelorm.org/
What is parameterized SQL you ask? I am glad you asked. It helps prevent SQL injection. http://bobby-tables.com/
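As an added example (not from the original post and not PropelORM's code), here is the same lookup written both ways with plain PDO: once by gluing the input into the SQL text, and once as a prepared statement with a bound parameter. The in-memory SQLite database and its three rows are constructed so the script runs offline.

```php
<?php
// Added example (not from the original post or PropelORM): the same lookup
// written with string concatenation and with a PDO prepared statement.
// Uses an in-memory SQLite database with constructed rows so it runs offline.

declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$insert = $db->prepare('INSERT INTO users (username) VALUES (:u)');
foreach (['alice', 'bob', 'carol'] as $name) {
    $insert->execute([':u' => $name]);
}

/** Vulnerable: the input becomes part of the SQL text the database parses. */
function findUserConcatenated(PDO $db, string $username): array
{
    $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** Parameterized: the input is bound as a value and can never change the query's structure. */
function findUserParameterized(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a normal name, and the tautology bobby-tables.com uses
// to explain the problem. The concatenated query returns every row for it;
// the parameterized query looks for a user literally named that and finds none.
$inputs = ['alice', "x' OR '1'='1"];

foreach ($inputs as $input) {
    $concat = findUserConcatenated($db, $input);
    $param  = findUserParameterized($db, $input);
    printf("input %-18s concatenated: %d row(s), parameterized: %d row(s)\n",
        json_encode($input), count($concat), count($param));
}
```

With MySQL you would also set `PDO::ATTR_EMULATE_PREPARES` to `false` so the server, not the client library, does the binding. Either way the rule is the same one the ORMs enforce for you: data goes in through placeholders, never through string concatenation.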
Use bcrypt password hashing. It was a third-party library which made cracking passwords more 'expensive', as each password had its own salt and the resulting hash was run through multiple rounds of hashing. It has since been built into more recent releases of PHP, as of PHP5 or so. !!!!DO NOT STORE PASSWORDS IN PLAIN TEXT THAT ARE EASILY HUMAN READABLE!!!! Users are stupid; they use the same password on a lot of stuff. Don't give the hackers an easy time breaking into your users' bank accounts and emails. http://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php
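As an added example (not from the original post or the linked Stack Overflow answer), here is bcrypt through PHP's built-in `password_hash()` / `password_verify()` / `password_needs_rehash()`, which replace the third-party library the post refers to. The cost constant, function names and sample password are constructed for illustration; the salt is generated and stored inside the hash string, so there is nothing extra to keep in the database.

```php
<?php
// Added example (not from the original post): storing and checking passwords
// with PHP's built-in password_hash()/password_verify() (bcrypt by default).
// BCRYPT_COST, the helper names and the sample password are constructed.

declare(strict_types=1);

const BCRYPT_COST = 12; // work factor (2^12 rounds); raise it as hardware gets faster

/** Hash a password for storage. A fresh random salt is generated and embedded automatically. */
function hashForStorage(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

/**
 * Check a login attempt against the stored hash. Returns the verdict and,
 * when the stored hash uses an older (cheaper) cost, a fresh hash the caller
 * should write back so existing users get upgraded on their next login.
 */
function checkLogin(string $password, string $storedHash): array
{
    if (!password_verify($password, $storedHash)) {
        return ['ok' => false, 'rehash' => null];
    }
    $rehash = password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])
        ? hashForStorage($password)
        : null;
    return ['ok' => true, 'rehash' => $rehash];
}

// Constructed demonstration; a real app reads the hash from the users table.
$stored = hashForStorage('correct horse battery staple');
echo "stored: $stored\n"; // a 60-character string carrying algorithm, cost, salt and hash

// Hashing the same password twice never gives the same string, because each call draws a new salt.
echo "second hash differs: ",
     var_export($stored !== hashForStorage('correct horse battery staple'), true), "\n";

foreach (['correct horse battery staple', 'Correct horse battery staple'] as $attempt) {
    $r = checkLogin($attempt, $stored);
    echo "attempt '$attempt': ", $r['ok'] ? 'accepted' : 'rejected', "\n";
}

// A legacy hash made at a lower cost still verifies, and checkLogin() hands back
// an upgraded hash to store in its place.
$legacy = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);
$r = checkLogin('correct horse battery staple', $legacy);
echo "legacy hash accepted: ", var_export($r['ok'], true),
     ", rehash issued: ", var_export($r['rehash'] !== null, true), "\n";
```

Two caveats a practitioner should know: bcrypt only looks at the first 72 bytes of the password, and `password_verify()` is deliberately slow at cost 12 (on the order of a few hundred milliseconds), which is the whole point, so do not call it in a loop per request.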
These tools are a healthy start. Happy hacking.
Edit: I just got flagged for spam. Probably all the links, but this is the stuff I use, and there are no self-serving query strings that are referrals to myself for any paid services.