jamesxg1 Posted August 26, 2009

Hiya peeps, I don't know if this is allowed (if not, mods please remove or move this thread), but I need some help. Basically I have nearly finished my project and I need to know some security tips. I have read a lot of tutorials and to be honest none of them are any good. Here's what I do already, for instance if I'm using MySQL I use

mysql_real_escape_string(trim(addslashes(strip_tags($varhere))));

Etc. etc. What else is there security-wise I should know, basic or advanced? I want to make my site something like eBay for instance, pretty much impenetrable lol. How would I do something like this? Many thanks, James.
AviNahum Posted August 26, 2009

Some basic stuff... if you have any incoming data from inputs, make it safe by using htmlspecialchars:

$name = htmlspecialchars($_POST['name'], ENT_QUOTES);

If you have a members system, use salt to encode their password: http://us.php.net/manual/en/function.crypt.php

That's what I can offer you.
ignace Posted August 26, 2009

> Some basic stuff... if you have any incoming data from inputs, make it safe by using htmlspecialchars:
>
> $name = htmlspecialchars($_POST['name'], ENT_QUOTES);
>
> If you have a members system, use salt to encode their password: http://us.php.net/manual/en/function.crypt.php
>
> That's what I can offer you.

It would help if you would explain when he should use it and why.
mikesta707 Posted August 26, 2009

I'm pretty sure htmlentities is the same as specialchars, but does more, so I would use htmlentities instead. Basically htmlentities will take the input string, and turn any HTML that the user has put there into HTML entities (so instead of the HTML executing on the page, it will just show up on the page). Basically, if I write <a href="whatever">taco</a>, instead of seeing a link named taco, you see the HTML itself. This is a must if you have any sort of user input system (i.e. forums, comments, etc.).

Encrypting your passwords is a very good idea, as encrypted passwords are far harder to crack than non-encrypted passwords.

Making your site "impenetrable" will be difficult because website security goes well beyond just PHP, but with these tips you can make your site pretty much safe from most SQL injection hackers. Most sites still have vulnerabilities (even bank websites), but those vulnerabilities are so small that no one but the best "hackers" can usually exploit them. As long as you always sanitize whatever the user gives you, you should generally be fine.
ignace Posted August 26, 2009

The single most important rule is to validate your input: use the knowledge you possess about an object and apply it. How long should it be, may it be? What may it contain and what not (are there exceptions), and does it contain anything at all? Asking these kinds of questions and applying the answers will keep you from doing overtime.
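The validation questions above, followed by the two escaping steps the thread touches on (database and HTML output), as an added example that is not code from any poster. It uses an in-memory SQLite database via PDO so it runs offline; the `users` table, its `name` column and the username rules are assumptions for the demo.

```php
<?php
// Added example (not from the thread): validate first, then escape for the
// context the value is used in. Uses an in-memory SQLite database via PDO so
// it runs offline; the table and column names are assumptions.

// Validate: presence, length and allowed characters, the questions ignace lists.
// Returns the cleaned value, or null if the input is rejected.
function validateUsername($input)
{
    if (!is_string($input)) {
        return null;                        // wrong type: reject, do not coerce
    }
    $name = trim($input);
    if ($name === '' || strlen($name) > 32) {
        return null;                        // "does it contain anything? how long may it be?"
    }
    if (!preg_match('/^[A-Za-z0-9_.-]+$/', $name)) {
        return null;                        // "what may it contain and what not?"
    }
    return $name;
}

// Store: a prepared statement keeps the value out of the SQL text, so no
// mysql_real_escape_string()/addslashes() layering is needed.
function storeUser(PDO $db, $name)
{
    $stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
}

// Output: escape for HTML only at the point of display, with the charset given.
function renderName($name)
{
    return htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed sample inputs: one acceptable, two that validation must reject.
foreach (['james_01', '<a href="x">taco</a>', "bob' OR '1'='1"] as $raw) {
    $name = validateUsername($raw);
    if ($name === null) {
        echo 'rejected: ' . renderName($raw) . "\n";  // escaped even in the error message
        continue;
    }
    storeUser($db, $name);
    echo 'stored: ' . renderName($name) . "\n";
}
```

Note that the value is escaped differently for each destination: the prepared statement handles SQL, htmlspecialchars() handles HTML, and neither is applied to the stored value itself.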
jamesxg1 Posted August 26, 2009 Author

> Some basic stuff... if you have any incoming data from inputs, make it safe by using htmlspecialchars:
>
> $name = htmlspecialchars($_POST['name'], ENT_QUOTES);
>
> If you have a members system, use salt to encode their password: http://us.php.net/manual/en/function.crypt.php
>
> That's what I can offer you.

Hiya mate, is this for HTML inputs? Many thanks, James.
jamesxg1 Posted August 26, 2009 Author

> I'm pretty sure htmlentities is the same as specialchars, but does more, so I would use htmlentities instead. Basically htmlentities will take the input string, and turn any HTML that the user has put there into HTML entities (so instead of the HTML executing on the page, it will just show up on the page). Basically, if I write <a href="whatever">taco</a>, instead of seeing a link named taco, you see the HTML itself. This is a must if you have any sort of user input system (i.e. forums, comments, etc.).
>
> Encrypting your passwords is a very good idea, as encrypted passwords are far harder to crack than non-encrypted passwords.
>
> Making your site "impenetrable" will be difficult because website security goes well beyond just PHP, but with these tips you can make your site pretty much safe from most SQL injection hackers. Most sites still have vulnerabilities (even bank websites), but those vulnerabilities are so small that no one but the best "hackers" can usually exploit them. As long as you always sanitize whatever the user gives you, you should generally be fine.

Hiya mate, I generally try to crunch down on what the user is inputting and what is outputted, but I am not quite good with security. I will post one of my 'include' files I have made; could someone point out any security issues/warnings/hazards for me please. Many thanks, James.
ignace Posted August 26, 2009

> Encrypting your passwords is a very good idea, as encrypted passwords are far harder to crack than non-encrypted passwords.

Only if you apply salts (as md5 and sha1 both are proven to be decryptable) and if you perform the encryption on the client-side (although because of the limited possibilities it's not possible to rely on this functionality). If it passes the wire you're a done deal, as a man-in-the-middle attack on a non-secured line (http) will make it easy for a hacker to just grab the password; therefore it's advised to always use a secured line (https) on pages where sensitive data resides or is to be modified.

> Most sites still have vulnerabilities (even bank websites), but those vulnerabilities are so small that no one but the best "hackers" can usually exploit them.

A little note: crackers exploit them, hackers just find them. Hacking is a profession and thus a 'legal activity' (note the quotes).
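The salted password storage that AviNahum and ignace both call for, as an added example that is not code from any poster. It uses password_hash(), which is built on the crypt() function AviNahum links and which picks a random per-user salt itself; the password strings and cost value are constructed for the demo, and PHP 5.5 or newer is assumed.

```php
<?php
// Added example (not from the thread): per-user salted, deliberately slow
// password hashing with password_hash(), which is built on the crypt()
// function AviNahum links. Requires PHP 5.5 or newer.

// Registration: store only the hash. A random salt is generated for each call
// and embedded in the returned string, so equal passwords yield different hashes.
function createPasswordRecord($password)
{
    // bcrypt via crypt(); cost 12 makes each guess expensive for an attacker too.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

// Login: password_verify() re-runs crypt() with the salt taken from the stored
// hash and compares in constant time. An unsalted md5()/sha1() digest, by
// contrast, can be looked up in precomputed tables once the database leaks.
function checkPassword($password, $storedHash)
{
    return password_verify($password, $storedHash);
}

// Maintenance: flag records hashed with weaker parameters than current policy
// so they can be rehashed at the user's next successful login.
function needsUpgrade($storedHash)
{
    return password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => 12]);
}

// Constructed demo: the same password registered for two users.
$hashA = createPasswordRecord('correct horse battery staple');
$hashB = createPasswordRecord('correct horse battery staple');

var_dump($hashA !== $hashB);                                      // salts differ per record
var_dump(checkPassword('correct horse battery staple', $hashA));  // the right password
var_dump(checkPassword('wrong password', $hashA));                // a wrong one

// A legacy unsalted md5 record is not a crypt() hash, so verification fails;
// such users need a migration path rather than a string comparison with ==.
$legacy = md5('correct horse battery staple');
var_dump(checkPassword('correct horse battery staple', $legacy));
var_dump(needsUpgrade($hashA));                                   // already at policy cost
```

The hash must still travel over https as ignace says; salting protects the stored record after a database leak, not the password in transit.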
mikesta707 Posted August 26, 2009

> > Encrypting your passwords is a very good idea, as encrypted passwords are far harder to crack than non-encrypted passwords.
>
> Only if you apply salts (as md5 and sha1 both are proven to be decryptable) or if you perform the encryption on the client-side. If it passes the wire you're a done deal, as a man-in-the-middle attack on a non-encrypted line (http) will make it easy for a hacker to just grab the password.

Ahh yes, truth, but someone already mentioned salts so I assumed he already assumed to use salts.

Crackers, hackers, tomato, potato; I'm not one for technicalities.
jamesxg1 Posted August 26, 2009 Author

Hiya peeps. Here are all 5 'include' files I use; would someone have a look at them and see if there are any issues with security for me please? Many thanks, James.
mikesta707 Posted August 26, 2009

Jeez, 5 of them? But... I don't see them anywhere... where are they?
jamesxg1 Posted August 26, 2009 Author

Sorry, I forgot to upload them. James.

[attachment deleted by admin]
jamesxg1 Posted August 26, 2009 Author

Anyone seen any I should be changing =/ ? Many thanks, James.