I've taken over development on a site and already found a half dozen ways to crack it just going through it, and am working on fixing them and adding in more security. Here's a list of what I'm doing; do you have any suggestions for more?
- all sql strings are created using sprintf("string %s", mysql_real_escape_string($var))
- all form actions are post
- form data is set very cautiously (the previous version I was working with set the value of the password on the login page if the password was entered incorrectly!)
- I'm using an OO design, and checking permissions in each function.
- session data is stored on the client side as cookies and compared with the server side at the same time as checking permissions
- cookies expire after 3.5 hours
- if a call is made to an area where permissions aren't granted, the IP address is logged. If an IP has X 'access denied's, it is blocked for 24 hours. If it has Y instances of being blocked, it is banned. I'm thinking X=Y=3, but I'd appreciate suggestions and reasoning for the values. I know it's possible to change IP addresses, but it can help stop the less-skilled hacker or those just looking for holes.
- database username and password are stored below the public level in an oddly named file
- user passwords are encrypted
Further suggestions? Anything obvious I've missed?
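An added example, not from the original post, showing the caveat with the sprintf()/mysql_real_escape_string() pattern listed above and a PDO prepared-statement alternative; the DSN, credentials, table and column names are assumptions for illustration:

```php
<?php
// Added example (not from the original post). The sprintf()/mysql_real_escape_string()
// pattern only protects placeholders that sit inside quotes in the SQL text:
// mysql_real_escape_string() leaves digits, spaces and operators untouched, so an
// unquoted placeholder such as "WHERE id = %s" can still have its query structure
// altered by non-numeric input. Prepared statements send values separately from the
// query text, so no escaping function is needed and the quoting context no longer matters.

// Hypothetical DSN and credentials; the charset in the DSN matters because escaping
// functions must agree with the connection charset, while bound parameters do not depend on it.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepared statements
]);

/**
 * Fetch a user row by numeric id. The value is cast and bound as an integer,
 * so the query structure cannot be changed by the contents of $id.
 */
function findUserById(PDO $pdo, $id)
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

/**
 * Fetch a user row by username. The string is bound as a parameter rather than
 * spliced into the SQL text, so mysql_real_escape_string() is not required.
 */
function findUserByName(PDO $pdo, $username)
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :name');
    $stmt->bindValue(':name', $username, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Usage with untrusted request input (hypothetical parameter names).
$byId   = findUserById($pdo, $_GET['id'] ?? 0);
$byName = findUserByName($pdo, $_POST['username'] ?? '');
```

Wrapping every query this way also removes the need to audit each sprintf() format string for quoting mistakes.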