What are the most important things to do to make a safe PHP/MySQL website?

This is a bit of an opinion question, but overall, what safety precautions would be ideal for a PHP-based website using a MySQL database? This site would inc开发者_如何学JAVAlude registration and login, and need to protect users' personal information.

You have to know main things:

• Users are stupid like monkeys. They click anything anytime.
• HTTPS
• Good programing skills
• HASH + salt
• PHP bugs
• All possible ways of hacking website over PHP and MySQL. Fight fire with fire.

This is a very huge question, and there are dozens of books written solely to answer this question, but here are some important things:

1- Never EVER trust user input data ($_GET and $_POST). Always sanitize everything before printing/saving to the database.

2- Avoid concatenating parameters directly on the SQL. Always use $db->bindParam() or some other similar function.

3- Never store plain text passwords. Use a hashing algorithm always. And to be safe, use a Salt as well.

4- Always expect the worst scenario to happen. Because it will.

5- Read something about XSS, CSRF. And make sure you guard your app against those.

6- Get experienced =)

Golden rule of secure web development: Filter Input, Escape Output

Here is a nice article that sums it up actually: http://shiflett.org/blog/2005/feb/more-on-filtering-input-and-escaping-output

The main problems are:

SQL injection XSS when outputting data

Here are some links:

How does the SQL injection from the "Bobby Tables" XKCD comic work?
How to prevent SQL injection with dynamic tablenames?
htmlentities() vs. htmlspecialchars()
Salting my hashes with PHP and MySQL
How should I ethically approach user password storage for later plaintext retrieval?

Read them I hope you will follow the advice in the many answers.

A lot of answers came in while I was typing this. I guess they type faster. :-p

All are great answers and I don't know how you'll choose the best one, but most are about the same.

1. NEVER STORE PASSWORDS IN PLAIN TEXT. Use SHA-2 algorithms with a salt. Store the hash and the salt.

2. Never trust user input. Sanitize everything that goes into the database before you store it AND anytime you use it.

3. Use prepared statements. Look into PDO.

4. Use HTTPS when possible.

These are just a few things to bare in mind. Most important of all Study you @ss off. :-)