Website security problems

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!


liviu
Forum Newbie
Posts: 16
Joined: Fri Jul 18, 2003 6:39 pm
Location: Tulcea, Romania

Website security problems

Post by liviu »

Hello everybody,

I want to know what the possibilities are for a person to hack my site online, and how do I defend myself? I excluded the option to post HTML code into posts (preg_replace() etc.). If no one can tell me, then where do I find documentation for this problem of mine?

The site in discussion is http://www.bitonline.as.ro (it is in Romanian, so please have mercy...)
mr_griff
Forum Commoner
Posts: 64
Joined: Tue Sep 17, 2002 11:11 am
Location: Bozeman, Montana

Post by mr_griff »

The Open Web Application Security Project (OWASP) has a good article on the "Top Ten Web Application Security Vulnerabilities". It's not directly related to PHP, but most of the examples apply.

You can check it out here:
http://www.owasp.org/documentation/topten
McGruff
DevNet Master
Posts: 2893
Joined: Thu Jan 30, 2003 8:26 pm
Location: Glasgow, Scotland

Post by McGruff »

The top ten applied to php: http://www.sklar.com/page/article/owasp-top-ten

A Study in Scarlet: http://www.securereality.com.au/studyinscarlet.txt

And of course read through the PHP and MySQL manuals.

Are you using a database? The basics for securing the database are:

(1) Never allow your program to connect as the root user. Create another user with only the minimum privileges required - and perhaps others (non-root) for admin-level access. Keep the db connection scripts in an .htaccess-protected folder (deny from all). If you can set a <directory> directive, do that instead. http://httpd.apache.org/docs-2.0/howto/htaccess.html

(2) Always properly escape strings in db queries - mysql_escape_string, or addslashes.

(3) Always quote vars in queries eg:


"SELECT col1, col2 FROM table WHERE col1='$var'"
If you expect the var to be an integer, and it originates from GPC input, it might not be an integer at all. An intval($var) strips out any text. I'd recommend always quoting it as well: not strictly required after an intval() but it's another layer of protection if you slip up one day and forget to force type.

I think one of those tutorials covers error reporting - if not, the rule is turn it down as far as possible on a live site so that an attacker cannot glean any useful information. (But always develop locally with the maximum E_ALL).
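As an added illustration of points (2) and (3) above (this is not code from the thread), the following PHP shows what each layer McGruff lists, intval(), quoting and escaping, does to a query built from hostile GPC input. It opens no database connection: every function returns the SQL string that would have been sent, so it runs under the PHP CLI and the strings can be read directly. The table name `items`, the column names and the hostile inputs are all made up for the example.

```php
<?php
// Added example, not from the thread. Each function returns the SQL it
// would have sent to MySQL, so the effect of each defensive layer on a
// hostile value can be seen without a live database.
// Table and column names are hypothetical.

// Nothing done: the value is spliced straight into the WHERE clause.
function queryUnsafe(string $id): string
{
    return "SELECT col1, col2 FROM items WHERE id=$id";
}

// Layer 1: force the type. intval() keeps only the leading integer
// (or yields 0), so "1 OR 1=1" becomes 1 and "abc" becomes 0.
function queryIntval(string $id): string
{
    $id = intval($id);
    return "SELECT col1, col2 FROM items WHERE id=$id";
}

// Layer 2: quote the value as well. If intval() is forgotten one day,
// the injected text lands inside a string literal rather than in the
// WHERE clause, and layer 3 (escaping) stops it closing that literal.
function queryIntvalQuoted(string $id): string
{
    $id = intval($id);
    return "SELECT col1, col2 FROM items WHERE id='$id'";
}

// A genuine string column, quoted but NOT escaped: a single quote in the
// input closes the literal and the rest of the input becomes SQL.
function queryStringUnescaped(string $name): string
{
    return "SELECT col1, col2 FROM items WHERE col1='$name'";
}

// Layer 3: escape, then quote. addslashes() is the function the post
// names; it escapes ' " \ and NUL but knows nothing about the connection
// charset, so against a live server prefer
// mysqli_real_escape_string($conn, $s) or a prepared statement.
function queryStringEscaped(string $name): string
{
    $name = addslashes($name);
    return "SELECT col1, col2 FROM items WHERE col1='$name'";
}

// Run the same hostile inputs (constructed for this example) through each.
if (PHP_SAPI === 'cli') {
    $hostileId   = "1 OR 1=1";      // aims to make the WHERE clause always true
    $hostileName = "x' OR '1'='1";  // closes the quote, then does the same

    echo queryUnsafe($hostileId), PHP_EOL;
    echo queryIntval($hostileId), PHP_EOL;
    echo queryIntvalQuoted($hostileId), PHP_EOL;
    echo queryStringUnescaped($hostileName), PHP_EOL;
    echo queryStringEscaped($hostileName), PHP_EOL;
}
```

Running it with `php example.php` shows the unsafe numeric query ending in `WHERE id=1 OR 1=1`, which matches every row, while both intval() variants end in `id=1` and `id='1'`. For the string column, the unescaped version ends in `col1='x' OR '1'='1'`, again matching everything, whereas addslashes() turns the embedded quotes into `\'` so the whole input stays inside one literal. Point (1) of the post, the restricted database user, is a server-side GRANT and is not shown here.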
McGruff
DevNet Master
Posts: 2893
Joined: Thu Jan 30, 2003 8:26 pm
Location: Glasgow, Scotland

Post by McGruff »

PS: please don't double post.
liviu
Forum Newbie
Posts: 16
Joined: Fri Jul 18, 2003 6:39 pm
Location: Tulcea, Romania

Post by liviu »

OK, thanks. If it helps, my site is hosted on a free web-hosting service (this means PHP safe_mode=on).