Welcome to the Treehouse Community

Want to collaborate on code errors? Have bugs you need feedback on? Looking for an extra set of eyes on your latest project? Get support with fellow developers, designers, and programmers of all backgrounds and skill levels here with the Treehouse Community!

Looking to learn something new?

Treehouse offers a seven day free trial for new students. Get access to thousands of hours of content and join thousands of Treehouse students and alumni in the community today.

Start your free trial


J.C. Hiatt
J.C. Hiatt
9,393 Points

Database Security

I've been going through the PHP Learning Adventure and am almost finished with it. I've learned a great deal but am wondering if someone could point me in the right direction on something specific:

I am building a back-end portal for an insurance administration company where their clients can login and view their current policy information, make changes to their policy (only via simple email form, office workers would actually make the change), and also view some resource documents.

Based on everything I've learned from the PHP Learning Adventure, I feel fairly confident to build the majority of this. However, I am wondering about a couple of things:

  1. If I'm storing all the client information into the database, can anyone point me in the right direction on how to store this information securely? What would some common practices be? This is not a huge insurance company, just a small business that does consulting for business benefits plans, so I'm not thinking they need an Enterprise level security or anything. Either way, can anyone chime in with their thoughts?

  2. How would I use PHP/MySQL with an SSL Certificate?

Thanks in advance.

1 Answer

Hi there,

I've only been learning Php for 3 months, so I'm by no means an expert. Hopefully though I can point you in the right direction at least & help in some way.

As far as database security & php, as far as I have seen via youtube, google searches, its highly advised to learn PDO. I'd love to shoot across all the links to vids for you to learn but if I'm honest you have to watch a variety of them & take the bits out relevant to you. In case that has confused you, in PDO whenever you do select, insert etc etc into a database, you do what is called prepared statements. The process is as follows & unfortunately not all programmers are following this when posting vids or posting on forums (which is why I don't want to send you links without it all being relevant) Below is what I believe to be the correct process;

  1. Prepare the statement
  2. Bind the variable to the parameter (apparently stops SQL injection)
  3. Execute

Now if you want to bring the data & echo it, you have to fetch the data otherwise you get an error to string conversion or something, sorry been a while since I saw it but it had me confused for a while until I figured it out.

Lastly I'd just like to stress the importance of validating/sanitizing the data before you even let it touch the above. Php has some built in features, which I honestly couldn't comment on, I have personally chose regular expressions which there is a vid on youtube I have found very useful. You can read more about the pre-built features on php.net

I think thats about as far as I can help at the moment but please bare in mind I've only been learning 3 months myself so don't take my advice as law & keep an open mind to more experienced people. Hopefully I've set you on a safe path though.

http://www.youtube.com/watch?v=wtQvqh_CTiE <--- Regular expressions, watch part 8 too.

http://www.youtube.com/watch?v=TXyC2U-t6Wc <----- It's not the world's best PDO tutorial but might be useful.

Good luck & if I think of anything else I'l shoot it across.