Unfortunately there will always be some one out there on the world wide web who will attempt to break any thing they can find on the Internet so you owe it to your visitors/ members to ensure nothing malicious is being hidden on your site and there info isn't being stolen. In this article i will cover 5 important steps you need to take to make sure your web site's secure.
MySQL Injection
Every single piece of user inputted data should be treated as if it was an attack on your script. When running MySQL queries if you don't treat user inputted data before using it in the query a hacker could cause you a number of problems, for example.
<?php /* Online PHP Examples with Source Code website: http://4evertutorials.blogspot.in/ */ $sql = mysql_query("SELECT FROM users WHERE username = '". $_POST["username"] ."' && password = '". $_POST["password"] ."'); ?>
Lets say you were using this code to allow users to login, What if instead of a user entering a password they entered ' OR
username
= 'admin then the query would look like this.<?php /* Online PHP Examples with Source Code website: http://4evertutorials.blogspot.in/ */ $sql = mysql_query("SELECT FROM users WHERE username = '' && password = '' OR username = 'admin'"); ?>
They would now be logged in as the admin and gain access to all your administrative tools. Using this method of exploitation hackers would also be able to delete records, force errors and all sorts. So to prevent this we use a php function called mysql_real_escape_string, so before using this user inputted data in our query we would simply do this.
<?php /* Online PHP Examples with Source Code website: http://4evertutorials.blogspot.in/ */ $username = mysql_real_escape_string( $_POST["username"] ); $password = mysql_real_escape_string( $_POST["password"] ); $sql = mysql_query("SELECT FROM users WHERE username = '". $username ."' && password = '". $password .'"); ?>
mysql_real_escape_string is a MySQL function which prepends backslashes to the following characters x00, n, r, , ', " and x1a.
CSRF Attacks
CSRF pronounced sea-surf is an abbreviation of "Cross Site Request Forgery". The basic principal behind CSRF attacks is instead of gaining access to a site's control's forcing actions on a user, for example.
pages.php
<?php /* Online PHP Examples with Source Code website: http://4evertutorials.blogspot.in/ */ echo ''; ?>
delete.php
<?php /* Online PHP Examples with Source Code website: http://4evertutorials.blogspot.in/ */ if( logged_in() == false ) { // User not logged in die(); } // User logged in $page_id = mysql_real_escape_string( $_GET["page_id"] ); $query = mysql_query("DELETE FROM pages WHERE page_id = '". $page_id ."'"); ?>
Lets say this was part of your script and you as an admin used it to delete pages, Now obviously if a hacker were to visit this page they wouldn't be able to do any thing because we have a check at the very top to see if the user is logged in or not. But if you were logged in and then some one told you to visit a web page and on that page was an image like this.
<?php /* Online PHP Examples with Source Code website: http://4evertutorials.blogspot.in/ */ ?>
You would have just deleted what ever page had the id "20" to fix this issue its very simple all you need to do is use tokens so on pages.php you would generate a unique id and set it as a session and then you would check for that id on delete.php if they don't match then kill the script.
pages.php
<?php /* Online PHP Examples with Source Code website: http://4evertutorials.blogspot.in/ */ session_start(); $id = md5(uniqid(mt_rand(), true)); $_SESSION["token"] = $id; echo ''; ?> delete.php
<?php /* Online PHP Examples with Source Code website: http://4evertutorials.blogspot.in/ */ if( logged_in() == false ) { // User not logged in die(); } // User logged in $page_id = mysql_real_escape_string( $_GET["page_id"] ); $token = mysql_real_escape_string( $_GET["token"] ); if( $_GET["token"] != $_SESSION["token"] ) { die(); } $query = mysql_query("DELETE FROM pages WHERE page_id = '". $page_id ."'"); ?>
Using this simple solution we can prevent CSRF attacks and prevent a number of security issues.
XSS Attacks
XSS (Cross site scripting) can cause web site's huge problems. The general idea of XSS is embedding code on your web site without you know which will cause your visitors to download something they don't want to. For example if you had a comment system on your web site and no checks were run on comments being posted any one could come along and make a comment like this.
<?php /* Online PHP Examples with Source Code website: http://4evertutorials.blogspot.in/ */ What a wonderful news entry ?>
Now all you would see is "What a wonderful news entry" but that comment could be doing all sorts such as collecting cookie information off your visitors, downloading viruses onto their computers and so on. Luckily we have a simple fix for this, When you are about to save the comment in your database you should of course escape the comment text to prevent mysql injections but also you should use htmlspecialchars this will stop any bad code making it into your comments or other user posted data by changing characters such as < into their html codes e.g <.
Script functionality
This may be pretty obvious but i've seen a number of web site's that function poorly thus making there service less secure for their users. For example a user should not be able to attempt to login hundreds of times if they keep getting there password wrong, After about 5 attempts they should be frozen out for about 15 mins. If you are building a "forgot your password" facility into your script then by entering there username, email address and date of birth they should not be able to recover their password to another email address. You should also force people to enter a captcha when they are leaving a comment or post on your web site to make sure you don't have problems with bots and if they are posting any thing on your site they should have to wait at least 30 seconds between posts to stop people trying to crash your site by getting a bot to submit thousands of comments at once.
Error reporting
If there is an issue with your web site, The last person in the world you want knowing about it is a potential hacker because there is a chance that error could lead them to a way to exploit your script. So make sure that any script you put live you turn error reporting off.
<?php /* Online PHP Examples with Source Code website: http://4evertutorials.blogspot.in/ */ error_reporting(0); ?>
Now if your script throws any sort of error at you it will not be seen by your users.
I hope this tutorial has helped you understand some of the vital measures that must be taken to stop hackers ripping your web sites to pieces.
0 comments:
Post a Comment