Security

[Norman]

If I'm developing a web site, wich type of precautions should I use, for have a secure site?

[Anders Moen]

If you use for example inputs so people can add things, that'll go into a database, you should use something like mysql_real_escape_string (read more)

[aspnetguy]

that depends on what the website will do. Will you have users logging in? Will you be dealign with personal/sensitive information? you may want to have SSL

[Norman]

Do you know Gaia Online (www.gaiaonline.com)?Something like that, for italian people, and without all that features!

[justsomeguy]

If you're going to develop a major site, you have to worry about people hacking into the database or gaining access to other people's accounts. Read up on SQL injection attacks and how to guard against them:http://en.wikipedia.org/wiki/SQL_injectionAnd put some thought into if you even want to use cookies, and if so, what information you want to store in them. You won't want to create cookies that can be copied to another computer and used to login to the site.If you're doing any payment processing you will definately want to use SSL.

[Norman]

Thanks for link and advice. However I think I'll not provide payment processings. But let me know one thing. If I follow all these information, during developing my site, then I will be 100% secure? I think no.. right?

[Jonas]

There's no such thing as 100% secure. You can possibly, but not probably, be 100% prepared though, meaning you have taken all the precautions you can, both securing the server and the pages themselves against attacks.

[Norman]

For securing my server, what could I do? I'm hosted by an italian provider.

[aspnetguy]

If you are using a hosting provider then they should have taken care of securing their server before selling you space.

[Norman]

How can I verificate this, if possible?

[aspnetguy]

not really, your host won't tell you even if they have some security holes. There are no legal ways, that I know of, to test this.

[Norman]

Oh, ok. So we only hope! :)Ah, another question. Wich 'languages' need I know, for keep my site secure? Excluded that ones I use for pages.

[justsomeguy]

There are no "security languages". Your site is only as secure as you make it. If you use good PHP practices and understand the language, then your site will be more difficult to compromise than a site that has sloppier code in it.

[Norman]

Yes, but, for example, I will absolutly need to know MySQL (if I will do interactive sites), right?

[aspnetguy]

yes you will need to know SQL if you want to interact with databases, but again, how you write the code determines how secure it is.

[Norman]

Ok, I've another question. If I will be hacked, from where I can see where is the bug, later?

[Xenon Design]

Well to know your weakness you have to know how they attacked you and possibly where (what page). From there you'll have to read the code and find the weakness.Its usally a SQL that takes an input like get, post or a cookie and not checked by a 'anti hack' script/function.

[smiles]

Ok, I've another question. If I will be hacked, from where I can see where is the bug, later?

Mostly, they will change your index pageor worse, they will delete all your file and database .

[Norman]

Well to know your weakness you have to know how they attacked you and possibly where (what page)

And how can I get know of this?

Its usally a SQL that takes an input like get, post or a cookie and not checked by a 'anti hack' script/function.

I haven't understand, sorry..

Mostly, they will change your index pageor worse, they will delete all your file and database .

And, for example, could a hacker use my code that isn't correctly closed (for example)? An <if> that have not its closed tag... this type of things.

[Xenon Design]

They will mainly only attack databases and if they can access the pages they will edit them.The way they can delete your database is by exploiting weakneses in your SQL syntax. Heres a common mistake:

$sql = "SELECT * FROM users WHERE username ='".$_POST['username']."' AND password = '".$_POST['password']."'";$query = mysql_query($sql);

That can be exploited by any SQL Hacker novice. So thats an example of a BAD system. Heres a good one:

$user = ereg_replace("[^A-Za-z0-9\-\_]", $_POST['username']);$pass = md5($_POST['password']);$sql = "SELECT * FROM users WHERE username ='".$user."' AND password = '".$pass."'";$query = mysql_query($sql);

So the key here is making sure no user submitted data from forms (input boxes etc.) is not a hack.Theres more advanced ways to secure stuff but basically the main thing you have to look out for if you have a database is the user submitted data.You wont be hacked by a faulty script Just an error message :)I hope you understand that BTW Im using PHP as the examples. ASP and others will be different.

[Norman]

I hope you understand that

Really thanks!

BTW Im using PHP as the examples. ASP and others will be different.

*I'm a noob with SQL, I need to study it*: So, is there a different syntax per language, using SQL?

[Xenon Design]

SQL is standard over all languages it just how I wrote the code around it.Jump on to the W3S website and go learn SQL Its DEAD simple and should only take 1 hr tops to learn.

[Norman]

What you mean with "DEAD"? However, before I need to learn PHP (and maybe XML), for my vBulletin!