
programming for website security

what can a programmer do? is it the host's job?


javahava

9:18 am on Jun 30, 2005 (gmt 0)

10+ Year Member



if you run a content website (no e-commerce) that uses php and a mysql database, what security programming measures can you take to ensure that someone doesn't hack / deface / erase your site and its data? is that all of the host's job? what are some typical mistakes that programmers do that leave themselves to hacking? what can a programmer do on the coding end?

Red_Eye

9:35 am on Jun 30, 2005 (gmt 0)

10+ Year Member



As far as physical security of the server and the configuration of the firewalls and network the server is on, I think that this is up to the host (this will depend on your package, as you do pay for what you get).

But a host will issue you with passwords and access details that will allow you access to the server and their network. It is then up to you to make sure that these details are kept secure and that you don't use easy-to-guess passwords.

Then it comes to the security of your website. As the programmer you need to make sure you put the safeguards in place to ensure that users/hackers don't gain access to areas you don't want, either by accident (users) or on purpose (hackers).

Things like SQL injection are worth looking into. I have just spent some time testing my own site for this sort of attack, and have tightened up the code.

j4mes

10:03 am on Jun 30, 2005 (gmt 0)

10+ Year Member



Anywhere a user can input something, look at your code and ask yourself "what if I entered...".

For example, if you aren't using htmlspecialchars(), etc., on things that get outputted back to a page, what would happen if you were to put:

"; include("/etc/passwd");

?

The other big one, as Red_Eye said, is SQL injection.

There are plenty of resources on preventing it if you Google around, but basically if you know enough to code SQL, think about what happens when you enter more through your website interface.

J.

MatthewHSE

11:06 pm on Jun 30, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



There's one site I'm a part of where there are little "shoutboxes" where you can exchange messages with other members. I've found that you can enter
</textarea>
into the input field for the shoutbox, followed by any HTML, CSS, JS, etc., that you choose. Effectually gives full access to the page; a big no-no in my opinion.
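The shoutbox breakout MatthewHSE describes and the htmlspecialchars() advice from j4mes are the same problem seen from two sides: text from the database is written into the page as markup. The following is an added example, not code from the thread; the $message value is constructed here and the page layout is assumed.

```php
<?php
// Added example (not from the thread): rendering a shoutbox message safely.
// $message stands in for a value loaded from the database (assumption).

declare(strict_types=1);

// Constructed sample input: a closing tag that ends the textarea, followed by
// attacker-controlled markup, exactly the shape MatthewHSE describes.
$message = '</textarea><script>alert("injected")</script>';

// Vulnerable: the message is dropped into the page verbatim, so the browser
// sees the </textarea> as the end of the control and parses the rest as HTML.
function renderUnsafe(string $message): string
{
    return '<textarea name="shout">' . $message . '</textarea>';
}

// Hardened: encode &, <, >, " and ' so the browser shows the text as text.
// ENT_QUOTES also covers attribute contexts; the charset must match the page,
// otherwise multibyte sequences can slip past the encoder.
function escapeHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderSafe(string $message): string
{
    return '<textarea name="shout">' . escapeHtml($message) . '</textarea>';
}

echo renderUnsafe($message), PHP_EOL;
echo renderSafe($message), PHP_EOL;
```

The escaping belongs at the point of output, not at input time: the same stored string may later be written into an attribute, a JavaScript block or an e-mail, each of which needs its own encoding. Passing the charset explicitly matters on older PHP builds, where htmlspecialchars() defaulted to ISO-8859-1.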

ckarg

1:37 pm on Jul 1, 2005 (gmt 0)

10+ Year Member



Use mysql passwords. If you have php scripts that only display data from the database, have them log in with a username/pwd combo that only has SELECT access, but no INSERT or UPDATE or DELETE.

Also, follow the advice in the php READMEs about securing the production environment.

Easy_Coder

10:53 pm on Jul 1, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



what can a programmer do on the coding end?

Take an absolutely unbending approach to data validation and assume that *all* user supplied data is bad until programmatically proven otherwise.

I did an application code review recently and found that none of the user supplied data was validated and so I was able to get right past security with SQL injection. You would not believe what type of information I had access to and I could have easily deleted tables and data.
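The two pieces of advice above (validate everything before it reaches SQL, and connect with an account that can only SELECT, as ckarg suggested) fit together in one small lookup routine. This is an added example, not code from the thread: it runs against an in-memory SQLite table constructed here so it works offline; the MySQL DSN, the `site_ro` account, the `content` database and the `articles` table are assumptions.

```php
<?php
// Added example (not from the thread): an unvalidated lookup beside its
// validated, parameterised form, plus a read-only connection for public pages.
// The sample table is constructed in memory; MySQL names are assumptions.

declare(strict_types=1);

// Constructed sample data so the example runs without a MySQL server.
function makeSampleDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, slug TEXT, title TEXT)');
    $db->exec("INSERT INTO articles (slug, title) VALUES ('hello-world', 'Hello'), ('secret-draft', 'Unpublished')");
    return $db;
}

// Vulnerable: the input is pasted into the SQL text, so a value containing a
// quote can change the WHERE clause itself.
function findArticleUnsafe(PDO $db, string $slug): array
{
    $sql = "SELECT id, slug, title FROM articles WHERE slug = '$slug'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Step 1: reject anything that does not look like a slug before it goes anywhere.
// The allowed shape (1-64 chars of [a-z0-9-]) is an assumption for this site.
function validateSlug(string $slug): string
{
    if (!preg_match('/^[a-z0-9-]{1,64}$/', $slug)) {
        throw new InvalidArgumentException('invalid slug');
    }
    return $slug;
}

// Step 2: send the query text and the value separately; the driver binds the
// value as data, so it can never alter the statement's structure.
function findArticleSafe(PDO $db, string $slug): array
{
    $stmt = $db->prepare('SELECT id, slug, title FROM articles WHERE slug = ?');
    $stmt->execute([validateSlug($slug)]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Step 3 (ckarg's point): display-only scripts connect as an account that holds
// SELECT and nothing else. The DBA grants it once, e.g. in MySQL:
//   CREATE USER 'site_ro'@'localhost' IDENTIFIED BY '<placeholder-password>';
//   GRANT SELECT ON content.articles TO 'site_ro'@'localhost';
// Not called below because it needs a real server; the password comes from
// the environment rather than the source file.
function connectReadOnly(): PDO
{
    $db = new PDO('mysql:host=localhost;dbname=content;charset=utf8mb4',
                  'site_ro', getenv('SITE_RO_PASSWORD') ?: '');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // server-side prepares
    return $db;
}

$db = makeSampleDb();

// Constructed input shaped so the quotes in the unsafe query no longer contain it.
$input = "x' OR '1'='1";

// The unsafe version returns both rows, including the unpublished one.
print_r(findArticleUnsafe($db, $input));

// The safe version never runs any SQL for this input: validation rejects it first.
try {
    findArticleSafe($db, $input);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// And for a well-formed slug it returns exactly the one matching row.
print_r(findArticleSafe($db, 'hello-world'));
```

Validation and parameter binding are separate defences: the allow-list stops obviously bad input early and gives a clean error, while the prepared statement protects even the inputs the regex lets through. The read-only account limits what an injection that does get through can do; with only SELECT granted, the "could have easily deleted tables" outcome Easy_Coder describes is no longer available to the display scripts.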