Please help me with PHP. I'm looking for ideas. I'm building an alumni website for our thesis. The title of my system is "Alumni Tracer: A Content Management System". What is the best method so that only alumni can register on my site? Right now my site is open to everyone, but the panel wants only alumni to be able to register and wants the site's security to be strong. Thanks, I hope you can help me.
Don't get discouraged, there is a way.
0. Your first line of defense is securing your web site using an SSL certificate. That means instead of http, the connection becomes https. If you have access to the web server you can configure it to redirect http to https automatically. The best part is you can get the certificate for FREE. No catches, no tricks. Just free. You can create your own certificate here. You'll need a *nix type box to run the script so you can generate the certificate. More info on how to install here and here. Although the instructions in the second link are easier to follow, they are intended for the nginx web server. But it's the same concept for Apache.
1. Next, you can use recaptcha on the register page of your web site. This is to prevent robots from creating dummy accounts.
2. If only alumni should be able to register, new users must use your school's email address. You have to regex filter the email string. Then send the new users an email containing a link for verification.
3. If you have root privileges on the server, disable the ports other than 80, 443 and 22. Change the default port of the ssh server, e.g. 54322.
4. Your web server should have the minimum number of modules. Don't add any if they are not needed.
5. Avoid sql injection.
6. Choose a very good password for your database server. Also, remove default schemas.
7. Enforce strict passwords for your users, e.g. alpha-numeric with at least one symbol.
8. Code defensively. Handle all possible errors, as many as you can think of. If you can avoid reading/writing to the filesystem, do so. If you can't, at least limit access to one directory. Make this directory readable and writable by the owner of the web server process.
9. Speaking of web server, make sure it is not run as root. Create a separate non-privileged account with no shell (assuming you're on *nix).
10. Log all connections.
These are some of the things I can think of off the top of my head. I'm sure it's not comprehensive. Someone will probably post those I missed.
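Step 2 above (school-domain email filter plus an emailed verification link) as an added PHP example; this is not code from the original post. The domain `alumni.example.edu.ph`, the `email_verifications` table and the in-memory SQLite database are assumptions for illustration.

```php
<?php
// Added example: accept registrations only from the school's mail domain,
// then issue a one-time verification link. Domain and table are placeholders.
declare(strict_types=1);

const ALUMNI_DOMAIN = 'alumni.example.edu.ph';   // placeholder: use the real school domain

// True only for a syntactically valid address whose domain is exactly the
// school domain (case-insensitive). Anchoring with $ rejects look-alikes such
// as "juan@alumni.example.edu.ph.evil.com".
function isAlumniEmail(string $email): bool
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    $pattern = '/^[A-Za-z0-9._%+-]+@' . preg_quote(ALUMNI_DOMAIN, '/') . '$/i';
    return preg_match($pattern, $email) === 1;
}

// Creates a random token, stores only its SHA-256 hash with a one-hour expiry
// (a leaked table then exposes no usable tokens), and returns the link to mail.
// verify.php (not shown) must hash the submitted token, look up the row, and
// check expires_at before activating the account.
function createVerification(PDO $db, string $email): string
{
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare(
        'INSERT INTO email_verifications (email, token_hash, expires_at)
         VALUES (:email, :hash, :exp)'
    );
    $stmt->execute([
        ':email' => $email,
        ':hash'  => hash('sha256', $token),
        ':exp'   => date('Y-m-d H:i:s', time() + 3600),
    ]);
    return 'https://alumni.example.edu.ph/verify.php?token=' . urlencode($token);
}

// Usage with a constructed in-memory database and constructed sample addresses.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE email_verifications (email TEXT, token_hash TEXT, expires_at TEXT)');

foreach (['juan@alumni.example.edu.ph', 'juan@alumni.example.edu.ph.evil.com', 'juan@gmail.com'] as $e) {
    if (isAlumniEmail($e)) {
        $link = createVerification($db, $e);
        // mail($e, 'Verify your alumni account', "Click to verify: $link");
        echo "$e -> accepted, verification link issued\n";
    } else {
        echo "$e -> rejected\n";
    }
}
```

Only the first address is accepted; the other two are rejected before any database row or link is created.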