sid0972 Posted February 8, 2013
As the title suggests, what steps do I need to take to give a website a reasonable amount of security? I know about mysql_real_escape_string and have googled a bit regarding this topic. What else do I need to do?
Link to comment: https://forums.phpfreaks.com/topic/274217-what-measures-to-protect-website/
shlumph Posted February 8, 2013
Use parameters in your DB queries, escape/sanitize dynamic HTML output, have a good ACL in place if applicable, store passwords properly if applicable; the list goes on and on, but it also depends on what your website/application does.
shlumph Posted February 8, 2013
Also, make sure errors are turned off in production and register globals are always turned off.
sid0972 Posted February 8, 2013 (edited)
Thanks for the reply, but both answers are above my head. A link or a detailed explanation would be appreciated.
davidannis Posted February 8, 2013
When you accept input from a user that you will redisplay on the website, you need to make sure that they can not put in something like <script> my malicious code </script>, because if you display that to another user it could compromise their computer or your website. Use PHP's htmlspecialchars or htmlentities to avoid that problem.

To store passwords securely, salt (add some characters to the beginning and end, preferably something you can easily figure out to add but a hacker with just a password list wouldn't) and then encode like this:

function hash_my_pass ($pass, $date_account_created) {
    // fixed application secrets wrapped around the password, plus a per-account value
    $salt1 = 'SEcret2@';
    $salt2 = 'Phrase';
    return hash('sha512', $salt1.$pass.$salt2.$date_account_created);
}
sid0972 Posted February 8, 2013
I haven't salted the passwords but have used sha1; I will salt them, that I had in mind. What I was asking for was: what, apart from mysql_real_escape_string, should I use? stripslashes, pregs? What am I missing, apart from cross-site scripting and OS injection and other big types of attacks?
Christian F. Posted February 8, 2013 (edited)
For password hashing/login security: I recommend the following article, and attached video: http://www.openwall.com/articles/PHP-Users-Passwords

For SQL queries: Use prepared statements if possible; if not, use real_escape_string() (for string data) or type casting (for numerical data) whenever you add the data to the query. Not a moment before, as you do not want to store the escaped values anywhere else. Unless you're going to specifically use them in another query, and even then never overwrite the original data.

For HTML output: Use htmlspecialchars() as mentioned above, for all output you don't have 100% control over.

For all other output to external systems (anything not PHP): Use the proper methods for that system.

Then we haven't even mentioned input validation, which is on a case-by-case basis depending upon the exact input you're expecting. What kind of data you expect, the format, and stuff like that. No quick and easy rule for this. Names validate differently than phone numbers, which validate differently from e-mails, and so forth.

Generally, I strongly recommend buying the book Innocent Code and reading it a couple of times. It contains a lot of useful information, most of which will probably shock/surprise you. It's well written, easy to understand, and is universally applicable (not tied to a single language).
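An added example (not code from the thread or from any of its posters) that ties together shlumph's list, davidannis's htmlspecialchars advice and the three rules in the post above: validate each field for what it is, bind SQL parameters (or cast numbers), and escape only at the moment of output. It assumes PHP 7+, an open mysqli connection in $db, and a constructed users table.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. Assumes PHP 7+, an open mysqli connection in
// $db and a constructed table users(id, email, age, password_hash).

// 1. Input validation is case by case: the type and format you expect decide the check.
function validate_signup(array $input): array
{
    $email = filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $age   = filter_var($input['age'] ?? '', FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 13, 'max_range' => 120]]);
    $password = (string) ($input['password'] ?? '');
    $errors = [];
    if ($email === false)        { $errors[] = 'email: not a valid address'; }
    if ($age === false)          { $errors[] = 'age: integer between 13 and 120 required'; }
    if (strlen($password) < 8)   { $errors[] = 'password: at least 8 characters'; }
    return ['errors' => $errors, 'email' => $email, 'age' => $age, 'password' => $password];
}

// 2. SQL: bind the values; nothing is concatenated into the query and the stored
//    data stays raw (escaping belongs to the query, not to storage).
function create_user(mysqli $db, string $email, int $age, string $password): int
{
    $hash = password_hash($password, PASSWORD_DEFAULT); // per-user salted bcrypt hash
    $stmt = $db->prepare('INSERT INTO users (email, age, password_hash) VALUES (?, ?, ?)');
    $stmt->bind_param('sis', $email, $age, $hash);
    $stmt->execute();
    return (int) $db->insert_id;
}

// Numeric data in a query you cannot prepare: cast it, do not escape it.
function user_by_id_sql($id): string
{
    return 'SELECT email FROM users WHERE id = ' . (int) $id;
}

// 3. HTML: escape at the moment of output, never earlier.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$r = validate_signup($_POST);
if ($r['errors'] === []) {
    create_user($db, $r['email'], $r['age'], $r['password']);
    echo '<p>Welcome, ' . e($r['email']) . '</p>';
} else {
    foreach ($r['errors'] as $msg) { echo '<li>' . e($msg) . '</li>'; }
}
```

password_hash() (PHP 5.5+) is the built-in replacement for hand-rolled salting; it stores the salt inside the hash and password_verify() checks a login against it.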
sid0972 Posted February 8, 2013
That's more like it, thanks for this answer.
davidannis Posted February 8, 2013
If you have magic_quotes_gpc set on your server (not that I recommend it), you could have things double-escaped if you then use mysqli_real_escape_string, so you can use stripslashes in a conditional like this:

if (get_magic_quotes_gpc()) {
    // magic quotes already added backslashes; remove them so they are not escaped twice
    $mystrippedvar = stripslashes($user_input_var);
} else {
    $mystrippedvar = $user_input_var;
}

before you do the mysqli_real_escape_string.
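An added example (not from the post) that shows the double-escaping the post describes on a constructed value and undoes magic_quotes_gpc once, for all request arrays, before any escaping happens; $db is an assumed mysqli connection with placeholder credentials.

```php
<?php
// Added example, not code from the thread. Only relevant on PHP < 5.4, where
// get_magic_quotes_gpc() can return true; the function was removed in PHP 8, hence the
// function_exists() guard. $db is an assumed mysqli connection (placeholder credentials).
$db = new mysqli('localhost', 'app_user', 'placeholder', 'app_db');

// Recurse so nested form arrays ($_POST['tags'][]) are unslashed exactly once per leaf.
function strip_magic_quotes($value)
{
    return is_array($value) ? array_map('strip_magic_quotes', $value) : stripslashes($value);
}

// Do this once, at the top of the request, so every later escape sees raw data.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = strip_magic_quotes($_GET);
    $_POST   = strip_magic_quotes($_POST);
    $_COOKIE = strip_magic_quotes($_COOKIE);
}

// Constructed demonstration of what goes wrong without the step above.
$raw         = "O'Reilly";
$as_received = addslashes($raw);                       // O\'Reilly  (what magic quotes hand you)
$double      = $db->real_escape_string($as_received);  // O\\\'Reilly -> MySQL stores O\'Reilly, a stray backslash
$once        = $db->real_escape_string(stripslashes($as_received)); // O\'Reilly -> MySQL stores O'Reilly
```

The stray backslash in the double-escaped case ends up in the database and reappears in every later page that displays the value.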