
I cannot find good tutorials on the web, so I want to ask: what do I have to do to make my PHP web site more secure? What basic and advanced things do I have to do to prevent cracking of my web site? I think it is really important, so I would like to hear as much information about that as possible, so everyone who knows anything, please write. I am not a poor PHP programmer, but now I want to know about security. Thanks!

2007-08-04 20:11:55 · 5 answers · asked by kolibrizas 3 in Computers & Internet Programming & Design

5 answers

Here are some things to consider when making a site that needs to be secured.

SQL Injection-

In this attack, a user is able to execute SQL queries in your website's database. This attack is usually performed by entering text into a form field which causes a subsequent SQL query, generated from the PHP form processing code, to execute part of the content of the form field as though it were SQL. The effects of this attack range from the harmless (simply using SELECT to pull another data set) to the devastating (DELETE, for instance). In more subtle attacks, data could be changed, or new data added.

Directory Traversal-

This attack can occur anywhere user-supplied data (from a form field or uploaded filename, for example) is used in a filesystem operation. If a user specifies “../../../../../../etc/passwd” as form data, and your script appends that to a directory name to obtain user-specific files, this string could lead to the inclusion of the password file contents, instead of the intended file. More severe cases involve file operations such as moving and deleting, which allow an attacker to make arbitrary changes to your filesystem structure.

Authentication Issues-

Authentication issues involve users gaining access to something they shouldn't, but to which other users should. An example would be a user who was able to steal (or construct) a cookie allowing them to log in to your site under an Administrator session, and therefore be able to change anything they liked.

Remote Scripts (XSS)-

XSS, or Cross-Site Scripting (also sometimes referred to as CSS, but this can be confused with Cascading Style Sheets, something entirely different!) is the process of exploiting a security hole in one site to run arbitrary code on that site's server. The code is usually included into a running PHP script from a remote location. This is a serious attack which could allow any code the attacker chooses to be run on the vulnerable server, with all of the permissions of the user hosting the script, including database and filesystem access.

Here is a site that is dedicated to finding vulnerabilities in websites by testing their security. After they find a vulnerability they report the security flaws to you. http://www.acunetix.com/websitesecurity/


If you are running your site on an Apache web server then you can use the .htaccess file. I would do a search for tutorials on this.

Also check here for some tutorials. I'm not sure if they have tutorials for security but they have a lot of tutorials.

http://tutorialized.com
http://pixel2life.com
http://freetextbooks.com

Here is a site where you can find tutorials on security issues: http://alstalavista.com if that is spelled right... Sorry...

http://alistapart.com - Nothing to do with security, just a cool site I think every webmaster should know about.

2007-08-04 21:06:30 · answer #1 · answered by jack 6 · 0 0
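
As an added illustration of the directory traversal point in answer #1 (not code from any poster): a PHP helper that resolves the submitted name with realpath() and rejects anything that lands outside the intended directory. The function name, directory and file names are hypothetical.

```php
<?php
// Added example: resolve a user-supplied file name against a base directory
// and refuse anything that ends up outside it. All names are hypothetical.

function resolve_user_file(string $baseDir, string $userInput): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                       // base directory itself is missing
    }
    // Reject NUL bytes outright; they have no place in a file name.
    if (strpos($userInput, "\0") !== false) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks, and returns false when
    // the target does not exist.
    $target = realpath($base . DIRECTORY_SEPARATOR . $userInput);
    if ($target === false) {
        return null;
    }
    // The resolved path must still be inside the base directory.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($target) ? $target : null;
}

// Constructed demo data: a temporary per-user directory holding one file.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo_userfiles_' . getmypid();
mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'notes.txt', "hello\n");

$inputs = ['notes.txt', './notes.txt', '../../../../../../etc/passwd', 'missing.txt'];
foreach ($inputs as $input) {
    $path = resolve_user_file($base, $input);
    printf("%-32s => %s\n", $input, $path === null ? 'REJECTED' : 'ok: ' . basename($path));
}

unlink($base . DIRECTORY_SEPARATOR . 'notes.txt');
rmdir($base);
```

The comparison is made on the resolved path rather than on the raw input, so encoded or nested "../" sequences are handled by the same check.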

2

2016-08-27 00:46:32 · answer #2 · answered by Jenna 3 · 0 0

In my opinion security issues are constantly coming up, so you have to keep up to date with them through articles.

As far as securing your php pages goes, someone would have to hack your web server, which is not very likely, unless you are hosting the web server.

If you are using a database, this is where some issues come into play because people can use SQL injections to find your admin and steal your username and password (happens a lot with PHP-Nuke).

But this usually happens because everyone knows the layout of these cms programs. If you are using your own, I wouldn't worry much.

If you're using a MySQL db and it's read only, make sure the user that you connect with has read-only privileges.

Also, in dealing with sessions, I have read that if the hosting server stores them in the /tmp dir, a user sharing the server can sniff the dir and steal the session ids, which can give them access to your site. I believe they have to have ssh login ability though, which most don't anymore for shared hosting.

Hope that helps
Ron G

2007-08-04 21:06:06 · answer #3 · answered by Ron Guilmet 2 · 0 0

The security of the site is controlled more from the server firewall and file permission settings. You can make best use of this by keeping to standard directory access configuration, if you have any control over this; most hosting companies do not allow changes. Also the use of .htaccess files can give more restrictions on how people access your pages. Generally on a good hosting machine you need do nothing.

2007-08-04 21:41:14 · answer #4 · answered by Anonymous · 0 0

I think it is impossible.
You can eliminate the copy function but it can be cracked easily.

You can change font color to white but after copying one can change the color to black to see everything.

If I want to get a page from your site, I can use printscreen.
Or I can send it to a printer or PDF.

Google will cache your pages.
I can see them from Google.

So there is no exact security for a website.

2007-08-04 20:39:17 · answer #5 · answered by iyiogrenci 6 · 0 0
