Jump to content

Please post anything security preventation related here i need this help.

jamesxg1

By jamesxg1
in PHP Coding Help

 Share

Recommended Posts

jamesxg1 Advanced Member

jamesxg1

Posted
Posted

Hiya peeps,

 

I dont know if this is allowed (If not mods please remove or move this thread),

 

But i need some help,

 

Basically i have nearly finished my project and i need to know some security tips i have read alot of tutorials and to be honest none of them are any good,

 

Heres what i do already for instance if im using mysql i use,

 


mysql_real_escape_string(trim(addslashes(strip_tags($varhere))));

 

Ect ect,

 

What else is there security wise i should know basic or advanced :),

 

I want to make my site something like eBay for instance pretty much un-impenetrable lol,

 

How would i do something like this ?,

 

Many thanks,

 

James.

 

Link to comment
Share on other sites
ignace Advanced Member

ignace

Posted
Posted

some basic stuff...

 

if you have any incoming data from inputs, make it safe by using htmlspecialchars

$name = htmlspecialchars("$_POST['name']", ENT_QUOTES);

 

 

if you have members system, use salt to encode there password:

http://us.php.net/manual/en/function.crypt.php

 

thats what i can offer you

 

It would help if you would provide when he should use and why

Link to comment
Share on other sites
mikesta707 Member

mikesta707

Posted
Posted

I'm pretty sure htmlentities is the same as specialchars, but does more, so I would use htmlentities instead.

 

basically htmlentities will take the input string, and turn any html that the user has put there into html entities (so instead of the html executing on the page, it will just show up on the page.) Basically the reason if I write <a href="whatever">taco</a> instead of seeing a link named taco, you see the HTML itself. This is a must if you have any sort of user input system (IE forums, comments, etc.)

 

encrypting your passwords is a very good idea, as encrypted passwords are far harder to crack than non-encrypted passwords.

 

Making your site "impenetrable" will be difficult because website security goes well beyond just PHP, but with these tips you can make your site pretty much safe from most SQL injection hackers. Most sites still have vulnerabilites (even bank websites) but those vulnerabilities are so small that no one but the best "hackers" can usually exploit them.

 

As long as you always sanitize whatever the user gives you, you should generally be fine

Link to comment
Share on other sites
ignace Advanced Member

ignace

Posted
Posted

The single most important rule is to validate your input use the knowledge you posses about an object and apply it. How long should it be, may it be? What may it contain and what not (are there exceptions) and does it contain anything at all? By using these kind of questions and applying the answers will keep you from doing overtime.

Link to comment
Share on other sites
jamesxg1 Advanced Member

jamesxg1

Posted
  • Author
Posted

some basic stuff...

 

if you have any incoming data from inputs, make it safe by using htmlspecialchars

$name = htmlspecialchars("$_POST['name']", ENT_QUOTES);

 

 

 

if you have members system, use salt to encode there password:

http://us.php.net/manual/en/function.crypt.php

 

thats what i can offer you

 

Hiya mate,

 

Is this for HTML inputs ?,

 

Many thanks,

 

James.

Link to comment
Share on other sites
jamesxg1 Advanced Member

jamesxg1

Posted
  • Author
Posted

I'm pretty sure htmlentities is the same as specialchars, but does more, so I would use htmlentities instead.

 

basically htmlentities will take the input string, and turn any html that the user has put there into html entities (so instead of the html executing on the page, it will just show up on the page.) Basically the reason if I write <a href="whatever">taco</a> instead of seeing a link named taco, you see the HTML itself. This is a must if you have any sort of user input system (IE forums, comments, etc.)

 

encrypting your passwords is a very good idea, as encrypted passwords are far harder to crack than non-encrypted passwords.

 

Making your site "impenetrable" will be difficult because website security goes well beyond just PHP, but with these tips you can make your site pretty much safe from most SQL injection hackers. Most sites still have vulnerabilites (even bank websites) but those vulnerabilities are so small that no one but the best "hackers" can usually exploit them.

 

As long as you always sanitize whatever the user gives you, you should generally be fine

 

Hiya mate,

 

I generally try to crunch down on what the user is inputting and what is outputted but i am not quite good with security i will post one of im 'included' files i have made could someone point out any security issues/warnings/hazards for me please.

 

Many thanks,

 

James.

Link to comment
Share on other sites
ignace Advanced Member

ignace

Posted
Posted

encrypting your passwords is a very good idea, as encrypted passwords are far harder to crack than non-encrypted passwords.

 

Only if you apply salt's (as md5 and sha1 both are proven to be decryptable) and if you perform the encryption on the client-side (altough because of the limited possibilities it's not possible to rely on this functionality) if it passes the wire your a done deal as a man-in-the-middle attack on a none secured line (http) will make it easy for a hacker to just grab the password therefor it's adviced to always use a secured line (https) on pages where sensitivity data resides or is to be modified.

 

Most sites still have vulnerabilites (even bank websites) but those vulnerabilities are so small that no one but the best "hackers" can usually exploit them.

 

A little note: crackers exploit them, hackers just find them. Hacking is a proffesion and thus a 'legal activity' (note the quotes).

Link to comment
Share on other sites
mikesta707 Member

mikesta707

Posted
Posted

encrypting your passwords is a very good idea, as encrypted passwords are far harder to crack than non-encrypted passwords.

 

Only if you apply salt's (as md5 and sha1 both are proven to be decryptable) or if you perform the encryption on the client-side if it passes the wire your a done deal as a man-in-the-middle attack on a none encrypted line (http) will make it easy for a hacker to just grab the password.

 

 

ahh yes truth, but someone already mentioned salts so I assumed he already assumed to use salts.

 

 

crackers hackers tomatoe potatoe, I'm not one for techniqualities :P

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.