Have some questions about web development (PHP and MySQL)

Tags:

php

mysql

I've done a bit of web programming (using PHP and MySQL), but nothing too large in scale. I've been thinking about how someone would create a social networking type of site and I've run into some problems.

  • How would you safely and securely store passwords in MySQL? What kinds of encryption would you use?
  • If users were allowed to upload pictures, would it be better to store them in the database or have them uploaded directly to the server?
  • What open source web applications (such as WordPress) would you recommend I read and study (preferably something simple but well written)?

Anything taught in class or written in books just doesn't seem to translate well into real production code. They just seem like very basic examples.

Thanks!

GuyWithQuestions asked Feb 08 '10 20:02


2 Answers

Regarding password storage: use one-way salted hashing for security. Here's an article on why.

ceejayoz answered Sep 30 '22 01:09


  1. Store a salted hash. I would personally move away from md5 and use something like SHA instead. sha1 + salt will hold out for a while =]

  2. If you store the images as blobs in the db, you'll probably have an easier time in the future backing them up (along w/the db, fetching them, etc). But really, they'll be damn fast on the file system too, but I'd prefer them in the database as I have lots of code that interfaces w/the db and I'm comfortable working in that area. That's up to you.

  3. I'm not sure that WordPress will help you to build a social networking site... but it's still good to read others' code. I'd take a look at some books on Amazon on architecture just to get your mind thinking large scale. Also, take a look at some design pattern books.

I'd also look into something like the Zend Framework or CakePHP. Cake will probably get you up and running rather fast, but I prefer Zend, as it's very powerful and doesn't force you to code a certain style. CakePHP is kind of like Rails for PHP.

You'll also want to get decent at security, both server and client side, watching for stuff like session hijacking, SQL injection, XSS, brute force attempts, remote includes, uploaded file exploits, etc.

Social sites offer many attack vectors to crackers.

Resources:

  • http://www.amazon.com/Pro-PHP-Security-Chris-Snyder/dp/1590595084/ref=sr_1_1?

  • http://www.amazon.com/PHP-Objects-Patterns-Practice-Second/dp/1590599098/ref=sr_1_3?ie=UTF8&s=books&qid=1265662237&sr=1-3ie=UTF8&s=books&qid=1265662204&sr=8-1

  • http://www.amazon.com/Building-Scalable-Web-Sites-Applications/dp/0596102356/ref=sr_1_1?ie=UTF8&s=books&qid=1265662256&sr=1-1

  • And your local PHP mailing list / meetup.

mr-sk answered Sep 30 '22 02:09
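Both answers recommend storing a salted one-way hash and the second one warns about SQL injection; the following is an added example (not code from either answer or from the original question) showing how those two points look together in modern PHP. It uses password_hash(), which generates a random per-user salt and stores it inside the hash string, plus PDO prepared statements. The schema, the user names and the use of an in-memory SQLite database (so it runs offline; a MySQL DSN would replace it in practice) are assumptions for the example.

```php
<?php
// Added example, not from the original post. Assumes the pdo_sqlite
// extension; the users table and sample data are constructed here.
declare(strict_types=1);

function connect(): PDO
{
    $db = new PDO('sqlite::memory:'); // illustrative; a MySQL DSN in production
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // 255 chars leaves room for longer hash formats in the future.
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        username VARCHAR(64) UNIQUE NOT NULL,
        password_hash VARCHAR(255) NOT NULL)');
    return $db;
}

function registerUser(PDO $db, string $username, string $password): void
{
    // One-way, salted, deliberately slow (bcrypt by default): the plaintext
    // is never stored and each user gets a fresh random salt.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // Prepared statement: user input is bound, never spliced into the SQL text.
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function authenticate(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Unknown user and wrong password yield the same result.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Transparently re-hash when the default algorithm or cost changes.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password_hash = :h WHERE username = :u');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':u' => $username]);
    }
    return true;
}

$db = connect();
registerUser($db, 'alice', 'correct horse battery staple'); // constructed sample user
echo authenticate($db, 'alice', 'correct horse battery staple') ? "login ok\n" : "login failed\n";
echo authenticate($db, 'alice', 'wrong password') ? "login ok\n" : "login failed\n";
```

Because the salt and algorithm parameters are embedded in the stored string, the same column can hold hashes produced by different cost settings over time, and the rehash step upgrades old entries as users log in.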