Beginner security questions


steelerman99

Hello,

I've just recently learned php and have coded a website with a bunch of php and a mysql database (although I haven't put it online - just have been coding it on my hard drive and testing it with WAMP).

Now, when the time comes and I go to put my site on the net using a commercial host (bluehost or godaddy or something similar), what measures should I take to make sure my site doesn't get hacked?  I have a bunch of important data that I can't have tampered with (an online schedule with web interface updates).

Is all the security I need provided by the commercial hosts, or do I have to take some steps myself?

Can anyone point me to a tutorial or something to help get me started?  I read something on php.net, but I'm looking for more of a "hold your hand and walk you through it" kind of tutorial.  haha

But any help is appreciated.  Thanks!!

https://forums.phpfreaks.com/topic/61967-beginner-security-questions/

You can prevent 90% of all security problems if you distrust your users.  That is to say filter everything you accept from them and be wary of any user input you later redisplay to the same (or other) users.

You can read the PHP manual entries and the following user posts for the following functions to gain a head start:

mysql_real_escape_string

addslashes

stripslashes

strip_tags

htmlentities

Also, follow common sense rules.  i.e. if you allow users to upload files and later delete them, make sure that when a user requests to delete the file that they are in fact the one who uploaded it!

Stuff like that!

I'd say more but laziness is getting the best of me.
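
The advice in the reply above (filter what users send, check that the requester owns the file before deleting it, encode user input when it is redisplayed), as an added example that is not part of the original thread. It uses PDO prepared statements in place of the `mysql_real_escape_string` call the reply names, with in-memory SQLite standing in for the MySQL database; the `uploads` table and the function names are hypothetical.

```php
<?php
// Added example, not from the thread. Table, column and function names are
// hypothetical; in-memory SQLite stands in for the MySQL database.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE uploads (id INTEGER PRIMARY KEY, owner_id INTEGER, title TEXT)');

// Constructed sample rows: user 1 and user 2 each own one upload.
$db->exec("INSERT INTO uploads (owner_id, title) VALUES (1, 'schedule.pdf')");
$db->exec("INSERT INTO uploads (owner_id, title) VALUES (2, '<b>notes</b>.txt')");

/**
 * Delete an upload only if it belongs to the logged-in user.
 * $currentUserId must come from the server-side session, never from the request.
 */
function deleteUpload(PDO $db, int $currentUserId, $rawId): bool
{
    // Filter: the id must be a positive integer, anything else is rejected.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return false;
    }
    // Placeholders keep the values out of the SQL text; the owner check is
    // part of the WHERE clause, so another user's row is never matched.
    $stmt = $db->prepare('DELETE FROM uploads WHERE id = :id AND owner_id = :owner');
    $stmt->execute([':id' => $id, ':owner' => $currentUserId]);
    return $stmt->rowCount() === 1;
}

/** Encode stored user input before it is redisplayed in HTML. */
function e(string $text): string
{
    return htmlentities($text, ENT_QUOTES, 'UTF-8');
}

var_dump(deleteUpload($db, 1, '2'));         // user 1 asks to delete user 2's file
var_dump(deleteUpload($db, 1, '1 OR 1=1'));  // id is not an integer
var_dump(deleteUpload($db, 1, '1'));         // user 1 deletes their own file

foreach ($db->query('SELECT title FROM uploads') as $row) {
    echo e($row['title']), PHP_EOL;          // markup in the title is shown as text
}
```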

I will add to that that you should set up 2 accounts for your mysql database - give one all the permissions you require for admin (insert/edit/delete etc.) and give the other the minimum amount of access to do the job - use this account for accessing the database from the public site.

And look into what mode of php your host is running.  If it is a module, if safe mode is enabled, cgi, etc...all these things make a difference with security from others hosted on the server with you.  If things aren't set up right, they can browse your files, including your database credentials.  Google "php security shared hosting" to learn more about it all.
