
Please post anything security prevention related here, I need this help.



Hiya peeps,

 

I don't know if this is allowed (if not, mods please remove or move this thread),

 

But I need some help,

 

Basically I have nearly finished my project and I need to know some security tips. I have read a lot of tutorials and to be honest none of them are any good,

 

Here's what I do already, for instance if I'm using MySQL I use,

 


mysql_real_escape_string(trim(addslashes(strip_tags($varhere))));

 

Etc etc,

 

What else is there security-wise I should know, basic or advanced :),

 

I want to make my site something like eBay for instance, pretty much impenetrable lol,

 

How would I do something like this?,

 

Many thanks,

 

James.

 

some basic stuff...

 

if you have any incoming data from inputs, make it safe by using htmlspecialchars

$name = htmlspecialchars($_POST['name'], ENT_QUOTES);

 

 

if you have a members system, use salt to encode their password:

http://us.php.net/manual/en/function.crypt.php

 

that's what i can offer you
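The two tips above, as an added example (mine, not code from the thread): the htmlspecialchars call with its quoting fixed, and a salted bcrypt hash produced with crypt() as the linked manual page describes. It assumes PHP 7 or later (for random_bytes) and uses a constructed $_POST value so it runs offline.

```php
<?php
// Added example (not from the thread): escape user input at output time with
// htmlspecialchars, and store passwords as salted bcrypt hashes via crypt().
declare(strict_types=1);

$_POST['name'] = '<script>alert(1)</script> "Jim" O\'Neil';   // constructed input

// Escape at output time. ENT_QUOTES also converts ' and " so the value is
// safe inside attribute values, not just between tags.
$name = htmlspecialchars($_POST['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
echo "<p>Hello, {$name}</p>\n";

// A fresh random salt per user means two users with the same password get
// different hashes, and one precomputed table cannot be reused against the
// whole user list. crypt() embeds the salt in the hash it returns.
function hashPassword(string $password): string
{
    // bcrypt ("$2y$") salt: cost 10, then 22 chars from the ./A-Za-z0-9 alphabet
    $salt = '$2y$10$' . substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    return crypt($password, $salt);
}

function checkPassword(string $password, string $stored): bool
{
    // Re-running crypt with the stored hash as the salt reproduces the hash;
    // hash_equals compares in constant time to avoid a timing side channel.
    return hash_equals($stored, crypt($password, $stored));
}

$stored = hashPassword('correct horse battery staple');
var_dump(checkPassword('correct horse battery staple', $stored));
var_dump(checkPassword('wrong password', $stored));
// On PHP 5.5+ password_hash()/password_verify() wrap this same bcrypt scheme.
```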

some basic stuff...

 

if you have any incoming data from inputs, make it safe by using htmlspecialchars

$name = htmlspecialchars($_POST['name'], ENT_QUOTES);

 

 

if you have a members system, use salt to encode their password:

http://us.php.net/manual/en/function.crypt.php

 

that's what i can offer you

 

It would help if you would explain when he should use it and why

I'm pretty sure htmlentities is the same as specialchars, but does more, so I would use htmlentities instead.

 

basically htmlentities will take the input string and turn any HTML that the user has put there into HTML entities (so instead of the HTML executing on the page, it will just show up on the page). Basically, if I write <a href="whatever">taco</a>, instead of seeing a link named taco you see the HTML itself. This is a must if you have any sort of user input system (i.e. forums, comments, etc.)

 

encrypting your passwords is a very good idea, as encrypted passwords are far harder to crack than non-encrypted passwords.

 

Making your site "impenetrable" will be difficult because website security goes well beyond just PHP, but with these tips you can make your site pretty much safe from most SQL injection hackers. Most sites still have vulnerabilities (even bank websites) but those vulnerabilities are so small that no one but the best "hackers" can usually exploit them.

 

As long as you always sanitize whatever the user gives you, you should generally be fine

The single most important rule is to validate your input: use the knowledge you possess about an object and apply it. How long should it be, how long may it be? What may it contain and what not (are there exceptions), and does it contain anything at all? Using these kinds of questions and applying the answers will keep you from doing overtime.
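The questions in the post above applied to one field, as an added example (mine, not from the thread): a display name is checked for presence, length and allowed characters, and is then looked up with a bound parameter (a PDO prepared statement) instead of an escaping chain. It assumes PHP with the pdo_sqlite extension and uses an in-memory database and constructed inputs so it runs offline.

```php
<?php
// Added example (not from the thread): validate a display name the way the
// post above describes, then query with a bound parameter so a legitimate
// apostrophe (O'Brien) is handled as data without any manual escaping.
declare(strict_types=1);

function validateDisplayName(?string $raw): ?string
{
    if ($raw === null || trim($raw) === '') {      // does it contain anything at all?
        return null;
    }
    $len = mb_strlen($raw, 'UTF-8');
    if ($len < 2 || $len > 40) {                   // how long may it be?
        return null;
    }
    // what may it contain? letters, spaces, apostrophes and hyphens only;
    // an apostrophe is legitimate in names, so it cannot simply be stripped
    if (!preg_match('/^[\p{L}\' -]+$/u', $raw)) {
        return null;
    }
    return $raw;
}

function findUserIds(PDO $db, string $displayName): array
{
    // The value travels separately from the SQL text, so a quote inside it
    // is data, never syntax.
    $stmt = $db->prepare('SELECT id FROM users WHERE display_name = :name');
    $stmt->execute([':name' => $displayName]);
    return array_map('intval', $stmt->fetchAll(PDO::FETCH_COLUMN));
}

// Constructed in-memory table standing in for the site's user table.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, display_name TEXT NOT NULL)');
$db->exec("INSERT INTO users (display_name) VALUES ('James'), ('Seán O''Brien')");

// Constructed inputs: a valid name with an apostrophe, the classic quote
// trick (rejected by the character whitelist), an empty value, an oversized one.
foreach (["Seán O'Brien", "' OR '1'='1", '', str_repeat('x', 41)] as $input) {
    $clean = validateDisplayName($input);
    if ($clean === null) {
        printf("rejected: %s\n", var_export($input, true));
        continue;
    }
    printf("%s -> ids %s\n", $clean, json_encode(findUserIds($db, $clean)));
}
```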

some basic stuff...

 

if you have any incoming data from inputs, make it safe by using htmlspecialchars

$name = htmlspecialchars($_POST['name'], ENT_QUOTES);

 

 

 

if you have a members system, use salt to encode their password:

http://us.php.net/manual/en/function.crypt.php

 

that's what i can offer you

 

Hiya mate,

 

Is this for HTML inputs?,

 

Many thanks,

 

James.

I'm pretty sure htmlentities is the same as specialchars, but does more, so I would use htmlentities instead.

 

basically htmlentities will take the input string and turn any HTML that the user has put there into HTML entities (so instead of the HTML executing on the page, it will just show up on the page). Basically, if I write <a href="whatever">taco</a>, instead of seeing a link named taco you see the HTML itself. This is a must if you have any sort of user input system (i.e. forums, comments, etc.)

 

encrypting your passwords is a very good idea, as encrypted passwords are far harder to crack than non-encrypted passwords.

 

Making your site "impenetrable" will be difficult because website security goes well beyond just PHP, but with these tips you can make your site pretty much safe from most SQL injection hackers. Most sites still have vulnerabilities (even bank websites) but those vulnerabilities are so small that no one but the best "hackers" can usually exploit them.

 

As long as you always sanitize whatever the user gives you, you should generally be fine

 

Hiya mate,

 

I generally try to crunch down on what the user is inputting and what is outputted, but I am not quite good with security. I will post one of my 'included' files I have made; could someone point out any security issues/warnings/hazards for me please.

 

Many thanks,

 

James.

encrypting your passwords is a very good idea, as encrypted passwords are far harder to crack than non-encrypted passwords.

 

Only if you apply salts (as md5 and sha1 both are proven to be decryptable) and if you perform the encryption on the client-side (although, because of the limited possibilities, it's not possible to rely on this functionality). If it passes the wire you're a done deal, as a man-in-the-middle attack on a non-secured line (http) will make it easy for a hacker to just grab the password; therefore it's advised to always use a secured line (https) on pages where sensitive data resides or is to be modified.

 

Most sites still have vulnerabilities (even bank websites) but those vulnerabilities are so small that no one but the best "hackers" can usually exploit them.

 

A little note: crackers exploit them, hackers just find them. Hacking is a profession and thus a 'legal activity' (note the quotes).

encrypting your passwords is a very good idea, as encrypted passwords are far harder to crack than non-encrypted passwords.

 

Only if you apply salts (as md5 and sha1 both are proven to be decryptable) or if you perform the encryption on the client-side. If it passes the wire you're a done deal, as a man-in-the-middle attack on a non-encrypted line (http) will make it easy for a hacker to just grab the password.

 

 

ahh yes, true, but someone already mentioned salts so I assumed he already intended to use salts.

 

 

crackers hackers tomatoe potatoe, I'm not one for technicalities :P
