zohab Posted September 15, 2009 Share Posted September 15, 2009 Hi, I have developed a plain php website and it is running good. My one joomla site was hacked and i am afraid of my plain php site. I would like to know what security mechanism should i implement to prevent site from hackers. Quote Link to comment https://forums.phpfreaks.com/topic/174280-prevent-site-from-hackers/ Share on other sites More sharing options...
backie Posted September 15, 2009 Share Posted September 15, 2009 Basically there is not simple howto to stop your site from getting hacked. Tho not running a general web app is a good start since most of the hackers that attack php sites do it using google to find vulnerable version. Simple list of things to stop php attacks. Avoid putting variables in include/require statesments. Stops Remote and Local File Inclusions. Don't put unsantized data into SQL statements. Check any comment/user input systems don't allow users to inject php or html into your site. Converting "<" to > is an easy way to do it. etc Once your PHP is secure then you only need to worry about server applications like apache,ftp,ssh,bind,etc. There is a reason people get paid alot to do computer security. Quote Link to comment https://forums.phpfreaks.com/topic/174280-prevent-site-from-hackers/#findComment-918703 Share on other sites More sharing options...
RussellReal Posted September 15, 2009 Share Posted September 15, 2009 the things about web development.. its NEVER 100% safe or secure.. or any kind of programming, you can always do your absolute best for the current threats, but eventually people find new ways in or whatever, with joomla and OTHER opensource applications, you basically are giving away tons of key details to your site.. for example, if you have joomla and so do I. I know all your table names and fields to select.. what tables to drop which would mean alot to you.. etc.. I could comb through my joomla and read every query and find out which query isn't being escaped correctly and then find your page that leads to that query and whatever, you know what I'm saying? all you need to do.. store sensitive files away from your public directory so no user can get to it by simply browsing to it.. and then PUSH the data out with php.. secure all incoming data.. $_POST $_GET if its supposed to be an int.. just type cast it to int.. if string.. use mysql_real_escape_string never do something like this: <?php include($_GET['file']); ?> do something more like <?php include('includes/'.$_GET['file']); ?> that way it could not possibly be evaluated as a external file since php will have ...../includes/http://whatever.com/jhgaa.php and you will most likely get an error instead of XSS never trust users on your site everything that comes from them process it until you're content.. use cookies for storing session ids and sessions for storing pass hashes usernames id numbers etc so that you keep all user specific or classified information on the server not in a cookie on the user's computer Quote Link to comment https://forums.phpfreaks.com/topic/174280-prevent-site-from-hackers/#findComment-918705 Share on other sites More sharing options...
backie Posted September 15, 2009 Share Posted September 15, 2009 never do something like this: <?php include($_GET['file']); ?> do something more like <?php include('includes/'.$_GET['file']); ?> 1st example is vulnerable code to an RFI attack. As pointed out tho he got confused with XSS and RFI. 2nd example is vulnerable code to an LFI attack. $_GET['file'] can contain "../../../../../../../etc/password" and the file may well open and be displayed. Quote Link to comment https://forums.phpfreaks.com/topic/174280-prevent-site-from-hackers/#findComment-918709 Share on other sites More sharing options...
RussellReal Posted September 15, 2009 Share Posted September 15, 2009 XSS is remote file inclusion.. and local file inclusion, how will the user KNOW what to include? but either way you probably should do something like <?php switch ($_GET['file']) { case '': $file = 'whatever'; break; ... etc } include('include/$file'); ?> like most people do either way, but I don't see a point in protecting against 'LFI' if you're coding it yourself Quote Link to comment https://forums.phpfreaks.com/topic/174280-prevent-site-from-hackers/#findComment-918720 Share on other sites More sharing options...
backie Posted September 15, 2009 Share Posted September 15, 2009 Reason to avoid LFI even if you are coding it yourself is because there are people who go firing in all sorts of data in to post and get variables to see if they can get data. Thats how stuff gets hacked. Also seems you need to read http://en.wikipedia.org/wiki/Cross-site_scripting Quote Link to comment https://forums.phpfreaks.com/topic/174280-prevent-site-from-hackers/#findComment-918726 Share on other sites More sharing options...
RussellReal Posted September 15, 2009 Share Posted September 15, 2009 wow, I had it confused, someone told me thats what XSS was so I just called it XSS since then lol, but still, 'firing' all sorts of data is still a really long shot, if a shot at all, but most coders work around it either way, but obviously its a security risk, so, good catch backie Quote Link to comment https://forums.phpfreaks.com/topic/174280-prevent-site-from-hackers/#findComment-918730 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.