
How to have best possible protection for your website?


sayedsohail


Hi everyone,

It's been asked again and again about security, but please can someone explain the basic methods to protect your web pages.

My site has got a login page and I am using md5 to protect passwords; next I started using sessions to store the login information and checked to see that the visitors are logged in properly on the following pages.

Apart from that I don't know anything. I would be grateful if someone could explain in simple words some additional security measures to be taken to have the best possible protection for your web pages.

Thanks for reading.

 


Take the server your site is stored on, disconnect all cables and burn it... that's about the only 100% way... but it can cause access problems... so:

Filter ALL user input (check for SQL injection, XSS / cross-site scripting).

The most common holes are once the user is logged in and there's a little area which you missed on filtering, i.e. shout box, searching, etc. Without knowing more detail it's kinda hard to say.

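The "filter ALL user input" advice in the reply above, as an added example that is not code from the thread: the string-built query that the advice is about beside a parameterised one, and escaping at output time for the shout box case. It assumes PHP with PDO and the SQLite driver; the users table, its rows, the attacker strings and the helper names are constructed for the demo.

```php
<?php
// Added example, not from the thread. "Filter ALL user input" done the way
// PHP supports it today: parameterised SQL and escaping at output time.
// Assumes the pdo_sqlite extension; table, rows and payloads are constructed.

// VULNERABLE on purpose, to show what the filtering advice is about: the
// submitted value is pasted into the SQL text, so quotes in it become SQL.
function findUserUnsafe(PDO $db, string $username): array
{
    $sql = "SELECT id, username FROM users WHERE username = '$username'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the value is bound as a parameter and reaches the database as
// data, so "' OR '1'='1" is just an unusual username that matches nobody.
function findUser(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Output side: escape where the value is written into HTML, not on the way
// in. ENT_QUOTES also escapes single quotes so the value is safe inside
// single-quoted attributes, not only between tags.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Validation is separate from escaping: a search box or shout box still
// needs type and length checks before the value goes anywhere.
function searchTerm(array $input): string
{
    $q = $input['q'] ?? '';
    if (!is_string($q) || strlen($q) > 64) {
        return '';
    }
    return trim($q);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$db->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')");

// Constructed attacker input: the classic tautology. The unsafe query
// returns every row; the parameterised one returns no row at all.
$evil = "' OR '1'='1";
var_dump(count(findUserUnsafe($db, $evil)));
var_dump(findUser($db, $evil));
var_dump(findUser($db, 'alice'));

// Constructed shout box payload, escaped before it is written into the page.
$shout = '<script>alert(document.cookie)</script>';
echo '<li>' . h($shout) . "</li>\n";
echo '<input name="q" value="' . h(searchTerm(['q' => ' "php" \'security\' '])) . '">' . "\n";
```

The point the reply makes about "the little area you missed" is why the escaping lives in one helper called at every output site rather than being applied to the input once: a value that was stored unescaped for the search page is still dangerous when it is later printed in the shout box.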

I agree with the first reply. Once you put something on the web, you have already reduced its security significantly. But if it is necessary to put something out on the web, the best way to do it is to use as much security as possible.

 

Here are some of the security "tricks" that I know of:

 

1. Filter all input AND output

2. Salt your passwords (create a string that is attached to the password before converting it to MD5)

3. If you have Apache, use mod_rewrite for cleaner URLs (if used right this will confuse visitors as to what language you are using and where everything is located)

4. Again, if you have Apache, block access to the file that stores all your passwords (like database passwords)

5. Try storing all passwords in a .ini file (PHP has functions to read .ini files)

6. If you have access to the php.ini file, make sure register_globals is turned off

7. If register_globals cannot be turned off, try to store all your REQUIRED $_GET and $_POST variables in a new array and unset get and post

8. Add the code below to the beginning of every file that cannot be accessed directly through the URL (add to files that can only be included or required)

<?php

// Compare the resolved path of this file with the script the web server
// was asked to run; they are equal only when this file is the entry point,
// so an include/require from another script passes and a direct URL does not.
if (realpath(__FILE__) == realpath($_SERVER['SCRIPT_FILENAME']))
    exit('You cannot access this file directly');

//Rest of your code

?>

 

If I remember or come across any new security measures, I'll post them.

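Tip #2 (salted passwords) from the list above, as an added example rather than the poster's code. It shows the salt-then-MD5 scheme as the tip describes it beside PHP's own password_hash()/password_verify(), and a login path that upgrades a legacy hash the first time the user logs in successfully. The passwords are constructed and the helper names (saltedMd5, storePassword, loginAndUpgrade) are assumptions.

```php
<?php
// Added example, not the poster's code: tip #2 (salted MD5) as described,
// beside password_hash()/password_verify(), which PHP ships for this job.
// The passwords are constructed; helper names are assumptions.

// Tip #2 literally: a per-user random salt joined to the password before
// MD5. The salt defeats precomputed tables and search-engine lookups, but
// MD5 is fast enough that guessing one user's password stays cheap.
function saltedMd5(string $password, string $salt): string
{
    return $salt . ':' . md5($salt . $password);
}

function verifySaltedMd5(string $password, string $stored): bool
{
    if (substr_count($stored, ':') !== 1) {
        return false;
    }
    [$salt, $hash] = explode(':', $stored, 2);
    // hash_equals() avoids leaking how many leading characters matched.
    return hash_equals($hash, md5($salt . $password));
}

// What to use instead: password_hash() picks its own random salt and a
// deliberately slow algorithm (bcrypt for PASSWORD_DEFAULT at the time of
// writing), so each guess costs the attacker real CPU time.
function storePassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function checkPassword(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// Migration path: verify a legacy "salt:md5" value once, then overwrite it
// with a modern hash while the plaintext is in hand. $stored is the column.
function loginAndUpgrade(string $password, string &$stored): bool
{
    if (strpos($stored, ':') === false) {          // already a modern hash
        if (!checkPassword($password, $stored)) {
            return false;
        }
        if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
            $stored = storePassword($password);
        }
        return true;
    }
    if (!verifySaltedMd5($password, $stored)) {
        return false;
    }
    $stored = storePassword($password);
    return true;
}

// Constructed run.
$salt   = bin2hex(random_bytes(8));
$legacy = saltedMd5('correct horse', $salt);
$modern = storePassword('correct horse');

var_dump(verifySaltedMd5('correct horse', $legacy), verifySaltedMd5('wrong', $legacy));
var_dump(checkPassword('correct horse', $modern), checkPassword('wrong', $modern));

$column = $legacy;
var_dump(loginAndUpgrade('wrong', $column), $column === $legacy);
var_dump(loginAndUpgrade('correct horse', $column), checkPassword('correct horse', $column));
```

The upgrade-on-login pattern matters because you never hold the plaintext except at login time; re-hashing every stored value in bulk is impossible, so the legacy format has to stay readable until each user has logged in once.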

I disagree with #2... md5() and sha1() are not secure... you can take the value, drop it into a Google search and you've got an 80% chance of getting the answer out... if it's a standard word... Personally, I created my own 3-base encrypter... so your sha1(), md5() and a few other encryptions, throwing the same value into itself a dozen different ways :D That's just me though :D



Hmm... interesting observation. I think you are right. I guess I'll have to switch to mcrypt and use Triple DES or something.


Use md5 and salt, but at the same time provide the user with a 6-digit code.

The user enters their username, password and a 6-digit code which was sent to them via email.

The six-digit code would be asked for with 3 drop-down boxes from 0-9; ask the user to select their six-digit code randomly.

The six-digit code would be made randomly and md5'd / salted.

Example:

user name

password md5 salt as shown above

3 drop-down boxes

select your number 5
select your number 2
select your number 6

if all match let them in.

In essence a hacker will get in no matter what you do, but it's an idea, OK.

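The emailed six-digit code with three randomly chosen drop-down positions from the post above, as an added example that is not the poster's code. `$session` stands in for `$_SESSION`, the code that `issueCode()` returns is what the real application would hand to the mailer, and the function names, the time limit and the attempt cap are assumptions.

```php
<?php
// Added example, not the poster's code: the emailed six-digit code with
// three randomly chosen positions answered through drop-downs. $session
// stands in for $_SESSION; the code issueCode() returns would go to the
// mailer in a real application. Names and limits are assumptions.

const CODE_TTL  = 600;  // seconds the code stays valid
const MAX_TRIES = 5;    // three digits give only 1000 combinations, so cap guesses

function issueCode(array &$session): string
{
    // random_int() is a CSPRNG; rand()/mt_rand() are predictable and not for this.
    $code = sprintf('%06d', random_int(0, 999999));
    // Kept server-side only. A partial-digit check needs the digits
    // themselves, so unlike a password the code cannot be stored as a hash.
    $session['otp'] = ['code' => $code, 'expires' => time() + CODE_TTL, 'tries' => 0];
    return $code;
}

// Choose the three positions (0-5) this attempt must answer and remember
// them, so the answer is checked against the positions actually shown.
function newChallenge(array &$session): ?array
{
    if (!isset($session['otp'])) {
        return null;
    }
    $positions = [];
    while (count($positions) < 3) {
        $p = random_int(0, 5);
        if (!in_array($p, $positions, true)) {
            $positions[] = $p;
        }
    }
    sort($positions);
    $session['otp']['positions'] = $positions;
    return $positions;  // rendered as the labels "select your number N"
}

// $answers holds the three selected digits, in the order of the positions.
function verifyAnswer(array &$session, array $answers): bool
{
    $otp = $session['otp'] ?? null;
    if ($otp === null || time() > $otp['expires'] || $otp['tries'] >= MAX_TRIES) {
        unset($session['otp']);   // expired or exhausted: a new code is needed
        return false;
    }
    if (!isset($otp['positions'])) {
        return false;             // no challenge was shown for this code yet
    }
    $session['otp']['tries']++;

    $expected = '';
    $given    = '';
    foreach ($otp['positions'] as $i => $pos) {
        $digit = (string)($answers[$i] ?? '');
        if (!preg_match('/^[0-9]$/', $digit)) {
            return false;         // drop-down value missing or tampered with
        }
        $expected .= $otp['code'][$pos];
        $given    .= $digit;
    }
    if (!hash_equals($expected, $given)) {
        return false;
    }
    unset($session['otp']);       // one successful use, then gone
    return true;
}

// Constructed run.
$session = [];
$code    = issueCode($session);   // would be emailed here
$pos     = newChallenge($session);
$right   = array_map(fn($p) => $code[$p], $pos);
$wrong   = array_map(fn($d) => (string)(((int)$d + 1) % 10), $right);

var_dump(verifyAnswer($session, $wrong));   // wrong digits
var_dump(verifyAnswer($session, $right));   // the digits at the shown positions
var_dump(verifyAnswer($session, $right));   // replay of a used code
```

Asking for three of the six digits shrinks each challenge to 1000 possibilities, so the expiry and the attempt cap are what make the scheme hold up, not the length of the code; and since the check is done server-side against the session, the code itself never has to be placed in a hidden form field or cookie where the browser could read it.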
