How to find out if a website is secure?
Hello all,
I am all set to launch a website on which I have been working for months, but now I am afraid how safe it might be once it gets the attention of hackers. As most of the code in the website is in PHP, HTML and MySQL, I am posting this in this forum so that I can get suggestions from you all. Websites that are developed by big companies might undergo testing with various testing tools, tests from hired ethical hackers, etc., before getting launched, whereas what about websites that can't afford all those expensive methods? I understand that without undergoing all those procedures no website could be hacker safe, but any suggestions about measures to be taken before launching a website would be appreciated.
Thank you all in advance.
Last edited by Kavitha Butchi; Aug 10th, 2008 at 12:14 pm.
Ask yourself:
- Did you do everything to prevent SQL injection?
- Do you use id values as identifiers? Did you secure against the array exploit?
- Are you using RSS feeds? Are they secure?
- Hosting: who is responsible for website security? You or your web hosting company? Are the folder permissions set correctly?
Learn to see in another's calamity the ills which you should avoid.
Publilius Syrus
(~100 BC)
LJC - London Java Community, Graduate & Undergraduate Software Development Community, JAVAWUG (Java Web User Group), The London Android Group
Take a look here for a couple of small functions that will help you in terms of handling user input.
Also, if you're passing a variable from $_GET, then you can use a type-finding function to help your security. E.g. if you have something like "?id=53" in your URL, then you can just check it using the is_numeric() function. Then no hackers will have a chance.
Remember, if you have no user input, then you'll be perfectly safe. But if you have input, then remember the number one security rule (well, mine, anyway): you can never trust the user.
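The checklist above (SQL injection, id values, the "array exploit") and the advice about type-checking a $_GET id are easier to apply with a concrete pattern in front of you. The following is an added example, not code from any poster in this thread. The table and column names (users, id, username), the PDO DSN and credentials, and the helper name readId() are assumptions for illustration; in place of is_numeric() it uses FILTER_VALIDATE_INT, which rejects forms such as "1e3", "0x35" and "53.0" that is_numeric() accepts.

```php
<?php
// Added example: validate a numeric id from $_GET and query with a
// prepared statement. Table/column names and credentials are assumptions.
declare(strict_types=1);

// Never show PHP warnings to visitors; log them instead. A warning that
// prints a file path is exactly the kind of structure disclosure that
// malformed parameters (for example ?id[]=1) can provoke.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/**
 * Return the id as an int, or null if it is missing, not a plain positive
 * integer, or was supplied as an array instead of a string.
 */
function readId(array $query, string $key = 'id'): ?int
{
    if (!isset($query[$key]) || is_array($query[$key])) {
        return null;
    }
    $id = filter_var($query[$key], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

$id = readId($_GET);
if ($id === null) {
    http_response_code(400);
    exit('Invalid request.');
}

// Prepared statement: the id is bound as a parameter and never concatenated
// into the SQL text, so it cannot change the meaning of the query.
$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepares
]);
$stmt = $db->prepare('SELECT username FROM users WHERE id = :id');
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->execute();
$row = $stmt->fetch(PDO::FETCH_ASSOC);

if ($row === false) {
    http_response_code(404);
    exit('Not found.');
}

// Escape on output as well, so a stored username cannot inject HTML.
echo htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8');
```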
Hello, see these articles, they are really nice:
http://info.ssl.com/article.aspx?id=10068
http://webdesign.about.com/od/ecommerce/a/aa070407.htm
And keep in mind:
-> encode and decode your passwords perfectly.
-> be careful about using trusted payment gateways.
-> beware of SQL injections.
Last edited by Shanti Chepuru; Aug 11th, 2008 at 7:06 am. Reason: added one more line
Be intelligent, But Don't try to cheat.. Be innocent But Don't get cheated..
Thank you peter_budo, Demiloy and Shanthi for your time.
I shall look into all those security measures now and shall make sure I complete all of them before releasing the site.
If anybody knows some more security measures that are to be taken before launching a website, please share them here.
Appreciate your time in advance.
Thank you
Kavitha
I Love My Indonesia.
I cannot remember exactly what it was, but it had something to do with "id" passing values in the following format WEB_ADDRESS/page.php?id=32, where adding square brackets [] after "id" will show the site structure. I will try to find where I read about it and let you know.
Learn to see in another's calamity the ills which you should avoid.
Publilius Syrus
(~100 BC)
LJC - London Java Community, Graduate & Undergraduate Software Development Community, JAVAWUG (Java Web User Group), The London Android Group
Thanks Demiloy & Peter_budo, I made use of is_numeric().
Now, when a user manipulates the URL, e.g. when the URL is www.example.com/xyz.php/userid=22, how do I avoid displaying results when the user changes the userid from 22 to some other number in the URL?
Basically, my site has a search page; on submitting the username in the search, if the username exists then a link is given.
When clicked, www.example.com/xyz.php/userid=22 appears in the address bar.
How do I avoid displaying results when users manipulate the userid there?
Any help is appreciated.
Thank you all.
Last edited by Kavitha Butchi; Aug 16th, 2008 at 5:40 pm.
You do not want to keep user identification as part of the URL. Put this data into the session.
Learn to see in another's calamity the ills which you should avoid.
Publilius Syrus
(~100 BC)
LJC - London Java Community, Graduate & Undergraduate Software Development Community, JAVAWUG (Java Web User Group), The London Android Group
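The reply above says to identify the user from the session rather than from a userid in the URL. As an added example (not code from any poster in this thread), the following shows that pattern: the session holds who is logged in, and the userid in the URL is treated as a request that must pass a server-side authorization check. The login helper, the "only the owner may view" rule, and the page paths are assumptions for illustration.

```php
<?php
// Added example: decide what a visitor may see from the server-side
// session, never from a userid supplied in the URL. Helper names, the
// ownership rule and the /login.php path are assumptions.
declare(strict_types=1);
session_start();

// Called once at login, after the password has been verified. Regenerating
// the session id prevents a pre-set (fixated) session id from being reused.
function loginUser(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

/** Id of the logged-in user, or null when nobody is logged in. */
function currentUserId(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

/**
 * Authorization rule for a private profile page: only the owner may view it.
 * The URL value is compared against the session, not trusted on its own.
 */
function canViewPrivateProfile(?int $viewerId, int $profileId): bool
{
    return $viewerId !== null && $viewerId === $profileId;
}

$viewer = currentUserId();
if ($viewer === null) {
    header('Location: /login.php');
    exit;
}

// Validate the requested id; an array or non-integer value yields false.
$requested = filter_var($_GET['userid'] ?? '', FILTER_VALIDATE_INT);
if ($requested === false) {
    http_response_code(400);
    exit('Invalid request.');
}

if (!canViewPrivateProfile($viewer, $requested)) {
    // Log the mismatch: repeated hits here are a useful detection signal.
    error_log("user $viewer requested profile $requested without permission");
    http_response_code(403);
    exit('Forbidden.');
}

// Safe to load and display the profile for $requested (== $viewer) here.
```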