Securing My Website


Post by TomSharp on Sat May 17, 2008 6:16 pm

Hello there,
I'm going to build my first website soon (first serious site anyway, other than the odd few pages), probably using PHP and MySQL (I won't explain what for, it's kind of boring). This site has opened my eyes to the potential number of exploits in a newb's website and I was wondering if there are any good guides on the net that go through, step by step, to check for vulnerabilities. Obviously I'll apply what I've found here (sanitising inputs etc.) but I'm still pretty new to it all.
Also, when I'm done securing the new site is it legitimate to post the address to it here and ask if people want to have a go at helping me find holes? I'm obviously not asking for people to do my security checking for me, but input from other people is always great.
Tom


Re: Securing My Website

Post by Hunt21 on Tue May 20, 2008 2:55 am

I don't have any specific pages for you but from my own coding experience the numero uno thing you want to watch out for is SQL injection, or allowing the user to input malicious code that will be used in a mysql_query().

To avoid this you need to refine any user-inputted data. With PHP I recommend creating a function like this:

Code:
function encodeData( $input ){
    // HTML-encode the value, then backslash-escape quotes and backslashes
    // before it reaches mysql_query()
    return addslashes( htmlentities( $input ) );
}


Also, be sure to NOT use globally registered variables. When dealing with variables you are snagging from the URL bar use $_REQUEST['myVar']; and try to turn off register_globals in the php.ini file.

Hope this helps you at least somewhat.
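Added example, not code from the thread: the same user lookup written once with the escape-and-concatenate pattern the post describes and once as a prepared statement, with HTML encoding done at output time rather than before storage. It uses PDO with an in-memory SQLite database (an assumption so it runs without a MySQL server); the users table and its two rows are constructed here for illustration.

```php
<?php
// Added example (not from the thread). PDO + in-memory SQLite so it runs offline;
// the table and rows below are constructed test data.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$db->exec("INSERT INTO users (name, email) VALUES ('alice', 'alice@example.com'), ('bob', 'bob@example.com')");

// Escape-and-concatenate: the request value is pasted into the SQL text, so the
// escaping function is the only thing keeping it from becoming query syntax.
// addslashes() is not charset-aware, which is why the later replies prefer
// mysql_real_escape_string() for this job. Shown for contrast; not called below.
function findUserEscaped(PDO $db, string $name): array
{
    $sql = "SELECT id, name, email FROM users WHERE name = '" . addslashes($name) . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement: SQL text and parameter travel separately, so the value
// can never alter the query's structure, whatever characters it contains.
function findUser(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name, email FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// HTML encoding belongs at the output boundary. Storing raw data and encoding
// here avoids double-encoding and keeps the database usable by non-HTML consumers.
function renderName(string $name): string
{
    return '<b>' . htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</b>';
}

$input = $_GET['name'] ?? 'alice';   // constructed default so the script also runs from the CLI
foreach (findUser($db, $input) as $row) {
    echo renderName($row['name']), ' ',
         htmlspecialchars($row['email'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), "\n";
}
```

Run it with `php example.php` or request it with `?name=bob`; any value that is not an existing name simply returns no rows. The design point is that SQL escaping and HTML encoding are two different boundaries, and a prepared statement removes the need for the first one entirely.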


Re: Securing My Website

Post by jetbackwards on Sun Jun 01, 2008 11:10 am

Trust nothing that comes from the user i.e. sanitize all input to your pages coming from $_GET, $_POST, $_COOKIE etc.

mysql_real_escape_string() is really useful for protecting SQL queries from injection, I would also addslashes() anything that could end up in a require() or include() statement.

A lot of security breaches come from skiddies who copy standard SQL injections into site after site, looking for a vulnerable one - just sanitizing inputs will go a long way to protecting your site.

Keep in mind that the weakest link in the security chain is (unfortunately) you - scrutinize your configurations to make sure that there are no gaps (turn off register_globals, directory listings, url_fopen, url_include) that could compromise you.

If you have specific queries about security (that you don't want to be public), then PM me...
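Added example, not code from the thread: a small script that audits the php.ini settings the post names (register_globals, allow_url_fopen, allow_url_include, plus display_errors and expose_php as assumptions of my own) and shows an allowlist for include() targets as the alternative to escaping a request-derived path. Directory listing is a web-server option (Apache: `Options -Indexes`), not a php.ini one, so it is noted but not checked. The pages/ directory and its keys are constructed for illustration. register_globals was removed in PHP 5.4, so on current PHP ini_get() returns false for it and the script reports it as absent.

```php
<?php
// Added example (not from the thread): php.ini audit plus an include() allowlist.
declare(strict_types=1);

// Setting => wanted value. All of these should be off on a public site.
// register_globals only exists on PHP < 5.4; later versions report it as absent.
const WANTED = [
    'register_globals'  => '0',
    'allow_url_fopen'   => '0',
    'allow_url_include' => '0',
    'display_errors'    => '0',   // error text in responses leaks paths and queries
    'expose_php'        => '0',   // X-Powered-By header advertises the PHP version
];

function auditIni(array $wanted = WANTED): array
{
    $report = [];
    foreach ($wanted as $key => $want) {
        $have = ini_get($key);
        if ($have === false) {
            $report[$key] = 'absent (removed in this PHP version or not registered)';
            continue;
        }
        // ini_get() returns the raw string; "", "0", "off", "Off" all mean disabled.
        $enabled  = !in_array(strtolower((string) $have), ['', '0', 'off', 'false', 'no'], true);
        $expected = ($want === '1');
        $report[$key] = ($enabled ? 'ENABLED' : 'disabled')
                      . ($enabled === $expected ? '' : '   <-- change this in php.ini');
    }
    return $report;
}

// include() should never receive a string built from the request. Map a short
// request key onto a fixed set of files; anything else resolves to nothing.
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',     // constructed paths
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function resolvePage(string $requested, array $pages = PAGES): ?string
{
    // "../", null bytes, URLs and unknown names all fail to match a key.
    return $pages[$requested] ?? null;
}

foreach (auditIni() as $key => $state) {
    printf("%-18s %s\n", $key, $state);
}
echo "directory listing: check the web server config (Apache: Options -Indexes)\n";

$page = resolvePage($_GET['page'] ?? 'home');
if ($page === null) {
    http_response_code(404);
    echo "No such page\n";
} elseif (is_file($page)) {
    include $page;
} else {
    echo 'Page file missing: ', basename($page), "\n";   // pages/ dir is constructed and may not exist
}
```

Run it from the CLI to see the audit table, or drop it on a test server and request `?page=about`. The allowlist replaces escaping for include(): since the request value is only ever used as an array key, there is no path string to sanitise.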


