Hello there,
I'm going to build my first website soon (first serious site anyway, other than the odd few pages), probably using PHP and MySQL (I won't explain what for, it's kind of boring). This site has opened my eyes to the potential number of exploits in a newb's website and I was wondering if there are any good guides on the net that go through, step by step, to check for vulnerabilities. Obviously I'll apply what I've found here (sanitising inputs etc.) but I'm still pretty new to it all.
Also, when I'm done securing the new site is it legitimate to post the address to it here and ask if people want to have a go at helping me find holes? I'm obviously not asking for people to do my security checking for me, but input from other people is always great.
Tom
Securing My Website
Forum rules
Older HTS users: Be nice to the new people.
NEW USERS: This is NOT the place to post about missions! Refer to "Missions" category.
Older HTS users: Be nice to the new people.
NEW USERS: This is NOT the place to post about missions! Refer to "Missions" category.
3 posts • Page 1 of 1
Securing My Website
by TomSharp on Sat May 17, 2008 6:16 pm
([msg=2671]see Securing My Website[/msg])
- TomSharp
- New User
- Posts: 3
- Joined: Thu May 15, 2008 8:46 am
- Blog: View Blog (0)
Re: Securing My Website
by Hunt21 on Tue May 20, 2008 2:55 am
([msg=2870]see Re: Securing My Website[/msg])
I don't have any specific pages for you but from my own coding experience the numero uno thing you want to watch out for is SQL injection or allowing the user to input malicious code that will be used in a mysql_query();.
To avoid this you need to refine and user inputted data. With php I recommend creating a function like this:
Also, be sure to NOT use globally registered variables. When dealing with variables you are snagging from the URL bar use $_REQUEST['myVar']; and try to turn off register_globals in the PHP.INI file.
Hope this helps you at least somewhat.
To avoid this you need to refine and user inputted data. With php I recommend creating a function like this:
- Code: Select all
function encodeData( $input ){
return addslashes( htmlentities( $input ) );
}
Also, be sure to NOT use globally registered variables. When dealing with variables you are snagging from the URL bar use $_REQUEST['myVar']; and try to turn off register_globals in the PHP.INI file.
Hope this helps you at least somewhat.
- Hunt21
- New User
- Posts: 4
- Joined: Sun May 18, 2008 11:35 am
- Blog: View Blog (0)
Re: Securing My Website
by jetbackwards on Sun Jun 01, 2008 11:10 am
([msg=3895]see Re: Securing My Website[/msg])
Trust nothing that comes from the user i.e. sanitize all input to your pages coming from $_GET, $_POST, $_COOKIE etc.
mysql_real_escape_string() is really useful for protecting SQL queries from injection, i would also addslashes() anything that could end up in a require() or include() statement.
A lot of security breaches come from skiddies who copy standard SQL injections into site after site, looking for a vulnerable one - just sanitizing inputs will go a long way to protecting your site.
Keep in mind that the weakest link in the security chain is (unfortunately) you - scrutinize your configurations to make sure that there are no gaps (turn off register_globals, directory listings, url_fopen, url_include) that could compromise you.
If you have specific queries about security (that you don't want to be public), then PM me...
mysql_real_escape_string() is really useful for protecting SQL queries from injection, i would also addslashes() anything that could end up in a require() or include() statement.
A lot of security breaches come from skiddies who copy standard SQL injections into site after site, looking for a vulnerable one - just sanitizing inputs will go a long way to protecting your site.
Keep in mind that the weakest link in the security chain is (unfortunately) you - scrutinize your configurations to make sure that there are no gaps (turn off register_globals, directory listings, url_fopen, url_include) that could compromise you.
If you have specific queries about security (that you don't want to be public), then PM me...
- jetbackwards
- New User
- Posts: 36
- Joined: Mon May 26, 2008 5:16 am
- Blog: View Blog (0)
3 posts • Page 1 of 1
Who is online
Users browsing this forum: No registered users and 0 guests