Thread title: How do you secure your website?
11-17-2007, 01:57 PM  #1
Status: Junior Member | Join date: Aug 2006 | Posts: 58
How do you secure your website?
I'm creating a user system for my new site; it will have a shop and such, but I was wondering how I could prevent hacking of the website in every way: preventing SQL injection and more.

11-17-2007, 02:04 PM  #2
Status: Request a custom title | Join date: Dec 2005 | Posts: 2,741

11-17-2007, 03:11 PM  #3
Status: Geek | Join date: Apr 2006 | Location: Denver, CO | Expertise: Software | Software: Chrome, Notepad++ | Posts: 6,894
Wildhoney (the guy who made the threads haris pointed you to) and I are some of the best PHP programmers on the forum; however, our coding styles are miles apart. Here are the methods I use; I find them simpler. Both methods work, use whichever you like best.
Use
    SELECT * FROM `table_name` WHERE `field` = '1'
as opposed to
    SELECT * FROM table_name WHERE field = '1'
That way all you have to do is clean the query; otherwise harmless commands that the sprintf method takes out will be escaped and harmless. I find it simpler, although both work.
To clean SQL, run all GET, POST and cookie data through this function:
PHP Code:
    function sql_safe($value) {
        // Undo magic_quotes_gpc first so the value is not escaped twice.
        // (get_magic_quotes_gpc() was deprecated in PHP 7.4 and removed in PHP 8.0;
        // the function_exists() guard keeps this callable on current PHP.)
        if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        // Escape everything that is not a plain number (a value with a leading zero
        // is treated as a string too); plain numbers pass through unchanged.
        // mysql_real_escape_string() needs an open mysql_connect() link and was
        // removed with ext/mysql in PHP 7.0; on current PHP use
        // mysqli_real_escape_string($link, $value) or PDO prepared statements.
        if (!is_numeric($value) || $value[0] == '0') {
            $value = mysql_real_escape_string($value);
        }
        return $value;
    }
For passwords, use sha1; one-way encryption can never be hacked (but sha1("a") will always render the same result).
I have an example on my portfolio that has a user system on it: http://justanotherportfolio.com/example.php
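The following is an added example, not code from the post above or from the linked portfolio. It puts the quoting advice to the test using SQLite from Python's standard library so that it runs offline: the `escape()` helper doubles single quotes as a stand-in for mysql_real_escape_string(), and the users table and both payloads are constructed here. It shows that escaping protects a quoted value, does nothing for a value interpolated without quotes, and that a parameterised query (PDO prepared statements in PHP) covers both cases without any cleaning function.

```python
import sqlite3

# Constructed sample rows; not data from the forum post or the linked portfolio.
USERS = [("alice", "hash-of-alice-pw"), ("bob", "hash-of-bob-pw")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users (username, pw_hash) VALUES (?, ?)", USERS)
    return conn


def escape(value) -> str:
    """Stand-in for mysql_real_escape_string(): SQLite escapes a quote by doubling it."""
    return str(value).replace("'", "''")


def names(conn, sql, params=()):
    """Run a query and return the matched usernames, sorted for stable comparison."""
    return sorted(row[0] for row in conn.execute(sql, params))


def by_name_raw(conn, name):
    # Unescaped value inside quotes: the textbook injectable query.
    return names(conn, f"SELECT username FROM users WHERE username = '{name}'")


def by_name_escaped(conn, name):
    # Escaped and quoted: a quote in the input can no longer terminate the literal.
    return names(conn, f"SELECT username FROM users WHERE username = '{escape(name)}'")


def by_id_unquoted_escaped(conn, user_id):
    # Escaped but unquoted (the `WHERE field = 1` style): escaping only neutralises
    # quote characters, and this payload contains none, so it is executed as SQL.
    return names(conn, f"SELECT username FROM users WHERE id = {escape(user_id)}")


def by_id_quoted_escaped(conn, user_id):
    # Escaped and quoted: the whole payload is compared as one string and matches nothing.
    return names(conn, f"SELECT username FROM users WHERE id = '{escape(user_id)}'")


def by_id_param(conn, user_id):
    # Parameterised: the value is bound separately and never becomes part of the SQL text.
    return names(conn, "SELECT username FROM users WHERE id = ?", (user_id,))


def demo() -> dict:
    conn = make_db()
    quote_payload = "x' OR '1'='1"   # needs a quote to break out of the literal
    numeric_payload = "1 OR 1=1"     # needs no quote at all
    return {
        "raw_quote_payload": by_name_raw(conn, quote_payload),
        "escaped_quote_payload": by_name_escaped(conn, quote_payload),
        "unquoted_numeric_payload": by_id_unquoted_escaped(conn, numeric_payload),
        "quoted_numeric_payload": by_id_quoted_escaped(conn, numeric_payload),
        "param_numeric_payload": by_id_param(conn, numeric_payload),
        "param_legit": by_id_param(conn, "1"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:26} -> {result}")
```

The two payload cases that return both users are the ones where the attacker's text became SQL: no escaping at all, or escaping without quoting. Parameterisation removes the question entirely because the driver never splices the value into the statement.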

11-17-2007, 04:04 PM  #4
Status: Request a custom title | Join date: Dec 2005 | Location: Arizona | Posts: 5,200
Village Idiot, I may be wrong, but I heard somewhere that md5 was 'uncrackable' as well, but it just has a bunch of large databases of md5 hashes that also store the original value.
Also, for passwords in a database, I would recommend using salts. You can read up on static and dynamic salts here:
http://www.talkphp.com/showthread.php?t=1162
and here:
http://www.talkphp.com/showthread.php?t=1188
Sorry, I didn't realize that Haris posted the salt links as well; I thought he posted something different.
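An added example, not code from this post or from the linked talkphp threads, showing in Python why the lookup-table attack described above works against unsalted sha1 and what a per-user salt changes. It uses PBKDF2-HMAC-SHA256 from the standard library as the salted scheme (PHP's password_hash() plays the same role); the list of common passwords standing in for the "large databases" of hashes is constructed here.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for the "large databases of hashes": a few weak passwords.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]


def sha1_unsalted(password: str) -> str:
    """The scheme discussed in the thread: sha1(password), identical for every user."""
    return hashlib.sha1(password.encode()).hexdigest()


# Built once, reused against every account: digest -> plaintext.
LOOKUP_TABLE = {sha1_unsalted(p): p for p in COMMON_PASSWORDS}


def crack_unsalted(digest: str) -> Optional[str]:
    """One dictionary lookup recovers the password of every account that used it."""
    return LOOKUP_TABLE.get(digest)


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Random per-user salt plus a slow KDF, stored as a self-describing string."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    alg, iterations, salt_hex, dk_hex = stored.split("$")
    if alg != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison: do not leak how many leading bytes matched.
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(stored: str) -> Optional[str]:
    """The precomputed table is useless: every guess must be re-derived with this
    user's salt, so the work is paid per account and a weak password still falls."""
    for guess in COMMON_PASSWORDS:
        if verify_password(guess, stored):
            return guess
    return None
```

Salting defeats the shared lookup table and stops two users with the same password from having the same stored value; it does not rescue a password that is in the dictionary, which is why the slow KDF (and a password policy) matters alongside the salt.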

11-17-2007, 04:05 PM  #5
Status: Request a custom title | Join date: Feb 2005 | Posts: 1,078
Originally Posted by Village Idiot
Wildhoney (the guy who made the threads haris pointed you to) and I are some of the best PHP programmers on the forum, however our coding styles are miles apart.
You really need to quit claiming that you two are the best. Ironically enough, I've found one of the most simplistic bugs in your login script. If you truly are one of the best around here surely you would know what error checking is?

11-17-2007, 04:06 PM  #6
Status: Request a custom title | Join date: Dec 2005 | Location: Arizona | Posts: 5,200
Originally Posted by CreativeLogic
You really need to quit claiming that you two are the best. Ironically enough, I've found one of the most simplistic bugs in your login script. If you truly are one of the best around here surely you would know what error checking is?
I'd agree. Even though I know he is rather good, better than most, he doesn't need to say it every chance he gets. Also, he forgot about Salathe.

11-17-2007, 04:12 PM  #7
Status: Member | Join date: Jan 2007 | Location: England | Posts: 229
Originally Posted by Village Idiot
Wildhoney (the guy who made the threads haris pointed you to) and I are some of the best PHP programmers on the forum, however our coding styles are miles apart. Here are the methods I use, I find them simpler. Both methods work, use whichever you like best.
Idiot, "some of the best coders on this forum" would not have crappy code like this:
http://justanotherportfolio.com/example/login.php

11-17-2007, 04:21 PM  #8
Status: Geek | Join date: Apr 2006 | Location: Denver, CO | Expertise: Software | Software: Chrome, Notepad++ | Posts: 6,894
Originally Posted by Andrew R
Village Idiot, I maybe wrong, but I heard somewhere that md5 was 'uncrackable' as well, but it just has a bunch of large databases of md5 hashes that also store the original value.
Two-way encryption is always crackable for the original value, even if it's a matter of brute forcing the salt. sha1 is one-way; it uses a destructive algorithm. It has been rumored that a group of Chinese hackers have reverse engineered it; even if they have, it would leave an unlimited number of possibilities.
Originally Posted by Joshimitsu
Someone registered with blank information; I don't check for that in this script because it is a free example. It's not a security error or crappy code. The only person who has a security issue is the person who made the account.
Creative, what was that bug? If you are referring to the default values on the imagewasp script, I will repeat myself: I didn't write that part of the code; seb put the default values in as that. I left it blank. If there is a bug that you know of but haven't told me, please do tell me so I can fix it. If there is a bug in some code I made, congrats, you proved me human. I've written many thousands of lines of code; I would put a lot of money on there being bugs in some parts. Everyone codes with bugs, no matter how experienced the coder or how simple the bug. Anyone who claims to not code with bugs is a liar, an arrogant one at that.

11-17-2007, 04:48 PM  #9
Status: Community Archaeologist | Join date: Jul 2004 | Location: Scotland | Expertise: Software Development | Software: vim, PHP | Posts: 3,820
Originally Posted by Village Idiot
Two way encryption is always crackable for the original value, even if its a matter of brute forcing the salt. sha1 is one way, it uses a destructive algorithm. It has been rumored that a group of Chinese hackers have reverse engineered it, even if they have it would leave an unlimited number of possibilities.
MD5 is one-way and just like SHA-1 it uses a destructive algorithm. I fail to see why you chose to comment on two way encryption seeing as it has yet to be mentioned in the topic.
To answer the original poster's query, or at least give my opinion on the matter, it is nigh on impossible to prevent hacking the website in every way. There are lots of things that you can do, and many things which you should do as a matter of course, but you'll likely never create a completely secure website.
Idiot is a fairly competent PHP coder; how about fewer attacks in favour of more discussion on what he says? Every programmer has a reason why they take a particular approach; surely it's cooler to explore those than simply shooting the programmer down with criticism?
Finally, as an end note, please don't just take what you read as gospel -- especially when it comes to specific cases or code samples. It's better to understand why and how things are being done (in terms of the potential 'attacks' and preventative methods) before trying to implement the protection itself.

11-17-2007, 04:52 PM  #10
Status: Geek | Join date: Apr 2006 | Location: Denver, CO | Expertise: Software | Software: Chrome, Notepad++ | Posts: 6,894
Originally Posted by Salathe
MD5 is one-way and just like SHA-1 it uses a destructive algorithm. I fail to see why you chose to comment on two way encryption seeing as it has yet to be mentioned in the topic.
I must have some function names mixed up then.
I may have said this before, but I take the fact that nothing is ever absolutely positively bulletproof secure as given when I say completely secure.