How secure is my site?

As a novice web developer, I try my best to clean all user inputs using checks and whatnot. However, today I found out that my site was hacked (I will share my site on request), and I really wondered how they did it. I am going to get my site back together. What should I do to prevent these things? Are there any people I should talk to and ask how secure my site is? What can I do to keep my site safe? I wrote my site in PHP and MySQL.

Update: Finally restored the backups. I use $_GET["name"] in my script, and I assume that is how they got into my site. First of all, they were able to put an index.html / index.php file in EACH and every folder on my server. Does anyone know how I can counter this?

Update: Actually, it was not my site that was hacked, but the owner's. The SSH password was cracked and they installed a new index file in each folder.

+6
security php mysql website
7 answers

This is an extremely broad question, so the answers you get are equally broad.

To check your site for security, you can perform penetration testing. There are companies that will do this for you. You can also look at Google Skipfish.

What can you do to keep your site safe? You can:

  • Sanitize and check all inputs - also cookies; they can be faked, like everything else that is sent by the client.
  • Keep your OS and framework updated with the latest security fixes. If you are using a CMS, be sure to check that one as well.
  • Never output text sent by the user unless you first HTML-encode it.
  • Use parameterized SQL queries to defeat SQL injection attacks.
  • In general, write secure code.
+13

Two great things to check: SQL injection and remote code execution.

SQL injection occurs when you take data from some untrusted source (i.e. the whole wide world of laughter!) and use it in an SQL query. The fix is to stop using string substitution to build queries and updates and to stick strictly to parameterized queries/updates. Note that using magic quotes is a much weaker approach to this problem, since it is much easier to get wrong; "always parameterize every query" is a simpler rule that is easier to check. (Yes, you really need to check all your code here. Sorry.)

Remote code execution is when you have some mechanism that allows a client of the website to ask the website to run PHP that was not pre-loaded onto the website into a directory that the web server can execute but not write. This is convenient, yes, but it is very dangerous, because a cunning cracker may ask the web server to download a rootkit or other vile content. We often got this with our main web server at work, so now we run it on a strictly read-only file system (with remote logging), with remote execution of PHP code (or, really, opening any other connection to a non-whitelisted server) strictly prohibited. This upsets the various external web design consultants who keep getting hired, but that is because they are too often not very professional about the whole business of running a secure system, and it means that this entire class of attacks is blocked.

(Another thing you need to pay attention to is XSS, although this is not quite an attack on your site. It happens when you fail to correctly escape untrusted content coming from your database that is served from your site without actually
Protecting your site from being on the receiving side of such things is important, but first you need to deal with the more serious threats so that your site is not serving toxic zombies.)

+4

While it does not cover everything, you might consider looking at OWASP. Their 2010 Top Ten has recently been released and provides a reasonable overview of common security flaws.

+3

Prevent SQL injection. Use good passwords. And always check user input (e.g. $_GET and $_POST vars in PHP).

+2
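The advice in the answers above (sanitize and check all inputs, use parameterized queries instead of string substitution, check $_GET / $_POST values) put together as one runnable PHP script. This is an added example, not code from any answer on this page; it assumes the pdo_sqlite extension is available so it can run against an in-memory database, and the function names and the sample inputs are invented for illustration.

```php
<?php
// Added example: the same user lookup written with string substitution (the
// way the question's $_GET["name"] script presumably works) and then with a
// PDO prepared statement. Uses an in-memory SQLite database (pdo_sqlite
// assumed) so it runs stand-alone; the table and rows are constructed here.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$db->exec("INSERT INTO users (name, email) VALUES
           ('alice', 'alice@example.com'),
           ('bob',   'bob@example.com')");

// Step 1 - check the input before it goes anywhere: a username must match a
// strict whitelist pattern. Anything else is rejected (returns null).
function validateName(?string $raw): ?string
{
    if ($raw === null || !preg_match('/^[A-Za-z0-9_]{1,32}$/', $raw)) {
        return null;
    }
    return $raw;
}

// VULNERABLE (for comparison): the request value is pasted into the SQL text,
// so any quote characters in it are parsed as part of the query.
function findUserUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT id, name, email FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// FIXED: the value is bound as a parameter and never parsed as SQL, whatever
// characters it contains.
function findUserSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name, email FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs standing in for $_GET["name"]: a normal value and the
// classic quote-plus-tautology string.
$normal  = 'alice';
$hostile = "' OR '1'='1";

echo "unsafe/normal : ", count(findUserUnsafe($db, $normal)),  " row(s)\n"; // 1
echo "unsafe/hostile: ", count(findUserUnsafe($db, $hostile)), " row(s)\n"; // 2: WHERE clause became a tautology
echo "safe/hostile  : ", count(findUserSafe($db, $hostile)),   " row(s)\n"; // 0: nobody is literally named that

// With validation in front, the hostile value never reaches the database at all.
var_dump(validateName($normal));  // string(5) "alice"
var_dump(validateName($hostile)); // NULL
```

The two layers are independent: the whitelist check rejects input that has no business being a username, and the prepared statement protects the query even for fields (free text, comments) where a whitelist would be too restrictive. Neither replaces the other.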
  • Make sure your own machine is not infected. There are many trojans that collect FTP passwords. In addition, never use FTP over an unencrypted wireless connection - there are also trojans that make an infected computer listen to wireless traffic and steal passwords. Use SFTP whenever possible.
  • Find a decent host. Some cheap hosting providers do not prevent one site from changing the files of another, so no matter what you do, your site can be hacked through a vulnerability in another web page hosted on the same server.
  • Always escape untrusted input in SQL queries. Using parameterized queries is even better.
  • Always escape untrusted input (this includes the current URL, referrer, browser user agent, HTTP headers, etc.) before displaying it on a web page. This is surprisingly complicated (see http://ha.ckers.org/xss.html for some non-obvious attacks), so use a good library like an HTML purifier instead of trying to write your own.
+1
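The output-encoding advice from the bullet above (and the "HTML-encode before you output user text" point and the XSS note in the earlier answers) as a small PHP example. This is added here and is not code from any answer on this page; the helper names, the comment-rendering function and the sample inputs are invented for illustration. It deliberately covers the three contexts that trip people up: text content, a quoted attribute value, and a link target.

```php
<?php
// Added example: encode untrusted text before it reaches the HTML page.
// The inputs below are constructed; in a real script they would come from
// $_GET, $_POST, $_SERVER['HTTP_USER_AGENT'], $_SERVER['HTTP_REFERER'], etc.

// One helper for text content and quoted attribute values. ENT_QUOTES also
// encodes single quotes, so the result is safe in attributes quoted either
// way; ENT_SUBSTITUTE replaces invalid UTF-8 instead of silently returning
// an empty string (which would otherwise hide the problem).
function h(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Link targets need a separate check: entity encoding alone does nothing
// against a "javascript:" URL, so only http(s) schemes are allowed through.
function safeHref(string $url): string
{
    $parts = parse_url($url);
    if ($parts === false
        || !isset($parts['scheme'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return '#';
    }
    return h($url);
}

// Renders one comment: author in an attribute and in text, homepage as a link.
function renderComment(string $author, string $body, string $homepage): string
{
    return '<p class="comment" data-author="' . h($author) . '">'
         . '<a href="' . safeHref($homepage) . '">' . h($author) . '</a>: '
         . h($body) . '</p>';
}

// Constructed inputs: a harmless comment, then one that carries markup in
// every field.
echo renderComment('bob', 'Nice site!', 'https://example.com/'), "\n";
echo renderComment('"><b>x</b>', '<script>alert(1)</script>', 'javascript:alert(1)'), "\n";
// In the second line the < > " characters arrive in the page as &lt; &gt; &quot;
// entities and the link target is replaced by "#", so the browser shows the
// text instead of interpreting it.
```

Escaping at output time, as done here, is what protects the page; "cleaning" a value when it is stored is not enough, because the same value may later be rendered in a context (attribute, URL, JavaScript string) that needs different encoding.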

Driis gave a good answer. I would just add that using stored procedures can also be very useful.

0

I would recommend you use sessions and POST, not GET.

Sessions: https://www.w3schools.com/php/php_sessions.asp

You can get the information submitted by a form using POST like this:

Html:

    <form action="post.php" method="post">
      <input type="text" name="somename"><br>
      <input type="submit" value="Submit">
    </form>

Php:

    <?php
    // Read the field, defaulting to an empty string if it was not sent,
    // and HTML-encode it before echoing so the value cannot inject markup.
    $text = $_POST["somename"] ?? "";
    echo htmlspecialchars($text, ENT_QUOTES, "UTF-8");
    ?>

And you should use .htpasswd and .htaccess ...

0
