sayedsohail Posted May 30, 2007
Hi everyone, it's been again and again about security, but can someone please explain the basic methods to protect your web pages. My site has a login page and I am using md5 to protect passwords; next I started using sessions to store the login information and checked on the following pages to see that visitors are logged in properly. Apart from that I don't know anything; I would be grateful if someone could explain in simple words some additional security measures to take to have the best possible protection for your web pages. Thanks for reading.
MadTechie Posted May 30, 2007
Take the server your site is stored on, disconnect all the cables and burn it... that's about the only 100% way, but it can cause access problems. So: filter ALL user input (check for SQL injection, XSS / cross-site scripting). The most common holes are once the user is logged in and there's a little area you missed on filtering, i.e. shout box, searching, etc. Without knowing more detail it's kinda hard to say.
taith Posted May 30, 2007
LOL! Agreed... filter any/all inputs... on inputs addslashes(), strip_tags() and htmlentities() are your friends...
saf Posted May 30, 2007
I agree with the first reply. Once you put something on the web, you have already reduced its security significantly. But if it is necessary to put something out on the web, the best way to do it is to use as much security as possible. Here are some of the security "tricks" that I know of:

1. Filter all input AND output.
2. Salt your passwords (create a string that is attached to the password before converting it to MD5).
3. If you have Apache, use mod_rewrite for cleaner URLs (if used right this will confuse visitors as to what language you are using and where everything is located).
4. Again, if you have Apache, block access to the file that stores all your passwords (like database passwords).
5. Try storing all passwords in a .ini file (PHP has functions to read .ini files).
6. If you have access to the php.ini file, make sure register_globals is turned off.
7. If register_globals cannot be turned off, try to store all your REQUIRED $_GET and $_POST variables in a new array and unset get and post.
8. Add the code below to the beginning of every file that cannot be accessed directly through the URL (add it to files that can only be included or required):

<?php
// Exit if this file was requested directly instead of being included/required.
if (realpath(__FILE__) == realpath($_SERVER['SCRIPT_FILENAME'])) {
    exit('You cannot access this file directly');
}
// Rest of your code
?>

If I remember or come across any new security measures, I'll post them.
taith Posted May 30, 2007
I disagree with #2... md5() and sha1() are not secure... you can take the value, drop it into a Google search and you've got an 80% chance of getting the answer out, if it's a standard word... Personally, I created my own 3-base encrypter... so your sha1(), md5() and a few other encryptions, throwing the same value into itself a dozen different ways. That's just me though.
MadTechie Posted May 30, 2007
I use MD5(MD5($pass).$SALT). $SALT is also stored in the user's login (RANDOM).
OmarHaydoor Posted May 30, 2007
There is one thing I may add: you may add the function mysql_real_escape_string() to the query for username and password.
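The "filter all input" advice of the replies above (MadTechie, taith, OmarHaydoor), as an added example that is not code from any post in the thread. It assumes a PDO connection `$pdo` and a `users` table with `id` and `username` columns, and uses a prepared statement where OmarHaydoor suggests mysql_real_escape_string().

```php
<?php
// Added example, not code from the thread. Assumptions: a PDO connection
// $pdo and a `users` table with columns id and username.

// (a) SQL injection: the shape the replies warn about splices the raw value
//     into the query text, so a quoted value can change the query itself:
//       "SELECT id FROM users WHERE username = '" . $_POST['username'] . "'"
//     A prepared statement sends the value separately from the SQL, so it
//     can only ever be data, whatever characters it contains.
function findUserId(PDO $pdo, string $username): ?int
{
    $stmt = $pdo->prepare('SELECT id FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// (b) Reject input that does not match the expected shape, instead of only
//     escaping it. Usernames here are limited to 3-32 word characters.
function validUsername(string $username): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_]{3,32}$/', $username);
}

// (c) XSS: store text as typed and encode it at the point it is printed into
//     HTML (shout box, search echo, profile fields). ENT_QUOTES covers text
//     nodes and quoted attribute values; JavaScript and URL contexts need
//     their own encoders.
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Usage: a search page that echoes the query back, and a login field that
// is validated before it ever reaches the database.
$q = $_GET['q'] ?? '';
echo '<p>Results for: ' . h($q) . '</p>';   // inert even if $q holds "<script>"

$name = $_POST['username'] ?? '';
if (!validUsername($name)) {
    exit('Invalid username');
}
// $id = findUserId($pdo, $name);  // after creating $pdo (assumed above)
```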
saf Posted May 30, 2007
> I disagree with #2... md5() and sha1() are not secure... you can take the value, drop it into a Google search and you've got an 80% chance of getting the answer out, if it's a standard word... Personally, I created my own 3-base encrypter... so your sha1(), md5() and a few other encryptions, throwing the same value into itself a dozen different ways. That's just me though.

Hmm... interesting observation. I think you are right; I guess I'll have to switch to mcrypt and use triple DES or something.
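The salted-hash scheme from saf's point #2 and MadTechie's MD5(MD5($pass).$SALT) with a random per-user salt, as an added example that is not code from any post in the thread. It also shows password_hash()/password_verify(), which goes beyond the thread and assumes PHP 5.5 or newer (random_bytes() assumes PHP 7); the slow hash is what addresses taith's point that a bare md5 of a common word can be looked up.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+ (random_bytes,
// password_hash). The user record is constructed below for demonstration.

// --- Scheme as described in the thread ---------------------------------
function makeSalt(int $bytes = 16): string
{
    return bin2hex(random_bytes($bytes));   // random, per user, stored in clear
}

function threadStyleHash(string $password, string $salt): string
{
    return md5(md5($password) . $salt);
}

function threadStyleVerify(string $password, string $salt, string $stored): bool
{
    // hash_equals compares in constant time, so a mismatch does not leak
    // how many leading characters matched.
    return hash_equals($stored, threadStyleHash($password, $salt));
}

// --- Modern equivalent (beyond the thread) ------------------------------
// password_hash() generates its own random salt and uses a deliberately slow
// algorithm (bcrypt by default), so a leaked table cannot be reversed with a
// search-engine or rainbow-table lookup the way a fast md5 of a dictionary
// word can. The salt travels inside the returned string.
function modernHash(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function modernVerify(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// Demonstration with a constructed user record (not real credentials).
$salt   = makeSalt();
$record = ['salt' => $salt, 'hash' => threadStyleHash('correct horse', $salt)];
var_dump(threadStyleVerify('correct horse', $record['salt'], $record['hash']));
var_dump(threadStyleVerify('wrong guess',   $record['salt'], $record['hash']));

$stored = modernHash('correct horse');
var_dump(modernVerify('correct horse', $stored));
var_dump(modernVerify('wrong guess',   $stored));
```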
redarrow Posted May 30, 2007
Use md5 and salt, but at the same time provide the user with a 6-digit code. The user enters their username, password and a 6-digit code that was sent to them via email. The six-digit code would be asked for with 3 drop-down boxes from 0-9; ask the user to select their six-digit code randomly. The six-digit code would be made randomly and md5'd / salted.

Example:
user name
password (md5 + salt as shown above)
3 drop-down boxes:
select your number: 5
select your number: 2
select your number: 6
If all match, let them in.

In essence a hacker will get in no matter what you do, but it's an idea, ok.
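The emailed six-digit code with three position drop-downs that redarrow sketches, as an added example that is not redarrow's code. Because three individual digits cannot be checked against a hash of the whole code, this version keeps the code server-side in the session with an expiry and an attempt limit; that choice, and the mail() call, are assumptions of the example.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+ (random_int) and a
// working mail() setup; the code lives in the session rather than a hash.
session_start();

// Pick three distinct positions 1..6, sorted, for the drop-downs.
function askPositions(): array
{
    $p = range(1, 6);
    shuffle($p);
    $p = array_slice($p, 0, 3);
    sort($p);
    return $p;
}

// Step 1: after the password check passes, issue and e-mail a fresh code.
function issueCode(string $email): void
{
    $code = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
    $_SESSION['otp'] = [
        'code'      => $code,
        'expires'   => time() + 10 * 60,   // valid for 10 minutes
        'attempts'  => 0,
        'positions' => askPositions(),     // which 3 digits to ask for
    ];
    mail($email, 'Your login code', "Your six-digit login code is $code");
}

// Step 2: $answers maps position => digit chosen in the three drop-downs.
// With 3 digits there are only 1000 combinations, so the attempt limit and
// expiry are what keep guessing impractical.
function verifyCode(array $answers): bool
{
    $otp = $_SESSION['otp'] ?? null;
    if ($otp === null || time() > $otp['expires'] || $otp['attempts'] >= 3) {
        unset($_SESSION['otp']);
        return false;
    }
    $_SESSION['otp']['attempts']++;
    $expected = $given = '';
    foreach ($otp['positions'] as $pos) {
        $expected .= $otp['code'][$pos - 1];
        $given    .= (string) ($answers[$pos] ?? '');
    }
    if (!hash_equals($expected, $given)) {
        return false;
    }
    unset($_SESSION['otp']);   // one use only
    return true;
}
```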
MadTechie Posted May 30, 2007
> In essence a hacker will get in no matter what you do, but it's an idea, ok.

My very first idea stops MOST hackers lol