Security For Open Source Web Projects?
PoissonPilote writes "I'm currently developing a multi-player, browser-based game, using the good old HTML, JavaScript, PHP, and MySQL combination. Progress is good so far, and the number of players is slowly but steadily increasing. At the beginning of the project, I decided to put the entirety of my game under the MIT license, so that anyone could study the code or even start their own server for the game. However, with the increasing popularity of my project, I am starting to worry about security issues. Even though I consider myself decent at web development and am pretty sure I'm not making any classic mistakes (SQL injection, cross-site scripting, URL forgery, etc.), I am no web security expert. I didn't find any relevant examples to compare my game to, as most open source games are written in a compiled language, and no web server is at stake in those cases. Some web developer friends told me not to release the source code at all; others told me to release it only when the game will be shut down. Naturally, I'm not satisfied by either of these solutions. What approach would you recommend?"
Is he developing another fucking shitty "game" (cuz really it's not) where you have to spam your own profile to get stuff?
He's the cancer killing web development.
It has to be said: Don't use PHP if you value security or maintainability.
Yes, you can build a decent framework on top of PHP, so that you won't be vulnerable to SQL injections. By the time you do, you lose any speed advantage (or "ease-of-use" advantage) PHP had over Ruby on Rails. Given that, if you think Rails is too slow, your only real alternative is something like Java, and I'm not even sure Java with a full stack is any better.
Yes, you need to know what you're doing. The question is whether the platform makes it easier or harder for you to do it right. Rails has built-in countermeasures to request forgery, and even the built-in ORM makes it rare that you have to (or want to) write raw SQL, let alone use string interpolation. HTML-escaping in your templates is a single keystroke, and you can get template engines that make it the default.
That said, depending how much of this game has been written, porting to another language may be out of the question. But let's put it this way: Would you write a web app in a language that makes it possible for you to implement a buffer overflow? That is, would you use C?
Don't thank God, thank a doctor!
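The three classic mistakes PoissonPilote names (SQL injection, XSS, request forgery), each shown the vulnerable way beside the fixed way, as an added PHP example that is not from the post or any reply. The players table, $pdo and the session keys are assumptions, and an in-memory SQLite database stands in for the game's MySQL one so the snippet runs stand-alone.

```php
<?php
// Added example, not from the post or its replies. The players table, $pdo and the
// session array keys are assumptions; SQLite in memory stands in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE players (name TEXT, gold INTEGER)");
$pdo->exec("INSERT INTO players VALUES ('alice', 10), ('bob', 20)");

// 1. SQL injection: string interpolation vs. a prepared statement.
function goldVulnerable(PDO $pdo, string $name): array {
    // User input becomes part of the SQL text; a quote in $name rewrites the query.
    return $pdo->query("SELECT name, gold FROM players WHERE name = '$name'")
               ->fetchAll(PDO::FETCH_ASSOC);
}
function goldSafe(PDO $pdo, string $name): array {
    // The value is bound separately from the query text, so it can only ever be data.
    $st = $pdo->prepare("SELECT name, gold FROM players WHERE name = ?");
    $st->execute([$name]);
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Cross-site scripting: escape on output, for the context it lands in (HTML here).
function renderName(string $name): string {
    return '<span class="player">'
         . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8')
         . '</span>';
}

// 3. Request forgery: a per-session secret that every state-changing POST must echo back.
function issueCsrfToken(array &$session): string {
    $session['csrf'] = bin2hex(random_bytes(32));
    return $session['csrf'];
}
function csrfValid(array $session, ?string $submitted): bool {
    // hash_equals compares in constant time, so the token is not leaked via timing.
    return isset($session['csrf']) && is_string($submitted)
        && hash_equals($session['csrf'], $submitted);
}

// Constructed inputs to show the difference between the two halves of each pair.
$probe = "x' OR '1'='1";
echo count(goldVulnerable($pdo, $probe)), " rows from the interpolated query (every player)\n";
echo count(goldSafe($pdo, $probe)), " rows from the prepared statement (no such player)\n";
echo renderName('<img src=x onerror=alert(1)>'), "\n"; // tag is rendered inert
$session = [];
$token = issueCsrfToken($session);
var_dump(csrfValid($session, $token), csrfValid($session, 'forged'));
```

Releasing the source does not change any of these checks: each one holds whether or not the attacker can read the code, which is the property an MIT-licensed server needs.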
95% of PHP coders are interested in solving a problem, not security. This means that the PHP community is less likely to find and complain about insecure implementation from the core PHP team.
Obviously, there are exceptions to this statement, just like fantastic, secure code can be written in VB or Python or Ruby. It just happens that isn't the usual outcome, but it could happen. It could, seriously.