how to know it is hacker safe

Not for 'how-to' coding questions but PHP theory instead, this forum is here for those of us who wish to learn about design aspects of programming with PHP.

Brakanjan
Forum Newbie
Posts: 19
Joined: Wed May 14, 2003 9:57 am
Location: South Africa

how to know it is hacker safe

Post by Brakanjan »

hi

I wrote a php web interface in which I validate the user, and send data to and from a database and make use of sessions and hashing. I'm very new to php so it all was with help of forums and sample code. Now I've been approached by another company who would like to buy the code for a similar implementation they have.

My question is: how can I know my code is hacker safe? Is there some sort of certificate that you can get, or how can I otherwise know that my data is secure?

tx
infolock
DevNet Resident
Posts: 1708
Joined: Wed Sep 25, 2002 7:47 pm

Post by infolock »

truthfully, i don't think there is any sort of certification. they will just have to take your word for it.

but if you want to see based on the responses from other developers, the best way to see if it really is hacker safe is to post the code. at least the portions you are uncertain about. delete sensitive information such as actual username/password/hostnames from it as you would then just be opening yourself up.

if you are worried about posting your script here because you are afraid they could use something in it to gain access to your site, well u probably aren't that secure to begin with. but if you are worried about someone stealing your code, i think there are license policies and all kinds of other stuff that prevents them from doing so and being able to sell it without your consent. may want to check with someone else on that though.

all in all though, no one is really hacker safe. if a hacker wants to gain access to your site, he/she will. the best thing you can do is try to make your code as secure as possible, and make the hacker's point of entry be through the server's vulnerabilities, not your scripts'.
devork
Forum Contributor
Posts: 213
Joined: Fri Aug 08, 2003 6:44 am
Location: p(h) developer's network

Post by devork »

you can also judge your code security by studying other php open source projects.
Brakanjan
Forum Newbie
Posts: 19
Joined: Wed May 14, 2003 9:57 am
Location: South Africa

Post by Brakanjan »

hi

i'd love to post my code here, though i think it is a little too much and few people would take the effort to go through it. i'm not too worried about copyright, it's all pretty standard stuff and few people would have use for it anyway.

are there some tips somewhere that contain do's and don'ts about writing web-based script, i'm sure i've made a few basic mistakes just by not knowing the correct way...
cybaf
Forum Commoner
Posts: 89
Joined: Tue Oct 01, 2002 5:28 am
Location: Gothenburg Sweden

Post by cybaf »

you could take a look at this : http://pdos.lcs.mit.edu/cookies/pubs/webauth:tr.pdf for Do's and Don'ts in Web application programming
JPlush76
Forum Regular
Posts: 819
Joined: Thu Aug 01, 2002 5:42 pm
Location: Los Angeles, CA
Contact:

Post by JPlush76 »

why don't you just post a link to the application and we'll do our best to try and break it :)
I got some free time today. hehe
McGruff
DevNet Master
Posts: 2893
Joined: Thu Jan 30, 2003 8:26 pm
Location: Glasgow, Scotland

Post by McGruff »

I don't think you should be considering paid work installing sites with secure login systems: if you have to ask, you're not ready. If it all goes wrong it could be very bad for your professional reputation, not to mention whatever harm might be done to the company concerned.

In saying that, I don't want to discourage you from learning about it. You'll get a lot of help on this forum and I'd post a few security tutorial links myself but I'm away from home and don't have my bookmarks - leave a pm for me if you want some more info when I get back.
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

I think it would be nice if you post them as a sticky thread, since one always has to have security in mind developing web apps.
microthick
Forum Regular
Posts: 543
Joined: Wed Sep 24, 2003 2:15 pm
Location: Vancouver, BC

Post by microthick »

cybaf wrote: you could take a look at this : http://pdos.lcs.mit.edu/cookies/pubs/webauth:tr.pdf for Do's and Don'ts in Web application programming
What a great article.

Bookmarked and printed.
JPlush76
Forum Regular
Posts: 819
Joined: Thu Aug 01, 2002 5:42 pm
Location: Los Angeles, CA
Contact:

Post by JPlush76 »

wow that is a great article...
Eric on here helped me use this exact method for my cookies on my ecom site. Glad to hear he knows what he's talkin about :)
McGruff
DevNet Master
Posts: 2893
Joined: Thu Jan 30, 2003 8:26 pm
Location: Glasgow, Scotland

Post by McGruff »

Weirdan wrote: I think it would be nice if you post them as a sticky thread, since one always has to have security in mind developing web apps.
That's a good idea. I'll try and organise something when I get back home.
m3mn0n
PHP Evangelist
Posts: 3548
Joined: Tue Aug 13, 2002 3:35 pm
Location: Calgary, Canada

Post by m3mn0n »

I usually look at my code in an open source-attacker sort of way. I imagine someone released this piece of software to the world, and I was hired by the company to try my hardest at breaking into the script or doing something malicious and wrong.

I believe some software companies do this also. Not in the sense that the programmers themselves try to hack their own code, but hire others to sniff through bugs. Sometimes people pick up on things you don't and vice versa. ;)

Anyway, after trying to break into the system any way you know how, and failing, I think it should be proof enough your script is secure. =)
microthick
Forum Regular
Posts: 543
Joined: Wed Sep 24, 2003 2:15 pm
Location: Vancouver, BC

Post by microthick »

Here's another good whitepaper showing how adversaries may use SQL injection to hack your site.

I'm using this to test my own apps now.

http://www.appsecinc.com/presentations/ ... ection.pdf
JPlush76
Forum Regular
Posts: 819
Joined: Thu Aug 01, 2002 5:42 pm
Location: Los Angeles, CA
Contact:

Post by JPlush76 »

ya know what would be nice is have a place people can post their applications then people on here would have a list of some attacks to try and we can help each other by making all our code more secure.

just a thought
cybaf
Forum Commoner
Posts: 89
Joined: Tue Oct 01, 2002 5:28 am
Location: Gothenburg Sweden

Post by cybaf »

love the last idea. security of web applications is VERY important. let's help each other make them more safe... "Help me help you..." :)