
How Do I Make My Website Safer From Hackers?


kensbeijing


The website I am making has been planned to handle a lot of traffic, and a lot of people will visit it hopefully. But a problem that this has is that it's more vulnerable to hackers. I'm using plain old HTML for my web pages, but I'm going to implement PHP for my MySQL database that I need to keep safe. The database connection info will be in a separate folder which will be locked with a password. Does anyone have any more tips of things I could do to make it safer?


Anything that's going to be user-inputted has to be thoroughly checked before it goes into the database to prevent SQL injections and other nasty stuff. There are a few PHP functions to help you with this, like adding/stripping slashes, preventing HTML tags getting through, etc. Are you just retrieving stuff from the DB? If so, make sure your DB user only has permissions to retrieve info, not update, delete, add stuff into the DB. Preventing direct access to your script files is another good idea too. :)
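The two points in the reply above (check input before it reaches the database, and give the DB user only the rights it needs) as an added example, not code from this thread or from any poster. It is written for PHP 7 or later and uses PDO with bound parameters rather than the old mysql_* functions; the table and column names (users, id, name) and the 'site_web' account name are assumed for the demo, and the demo runs against in-memory SQLite so it works without a MySQL server.

```php
<?php
// Added example, not code from the thread: keep user input out of the SQL text
// by binding it as a parameter, and escape on output too. Table and column
// names (users, id, name) are assumed for the demo.
declare(strict_types=1);

// The pattern to avoid: the raw value becomes part of the SQL string, so a quote
// character in $id changes the structure of the statement instead of the data.
function findUserUnsafe(PDO $pdo, string $id): ?array
{
    $sql = "SELECT id, name FROM users WHERE id = '" . $id . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The hardened form: check the input has the shape you expect, then hand it to
// the driver as a bound parameter; the value never touches the SQL text.
function findUserSafe(PDO $pdo, string $id): ?array
{
    if (!ctype_digit($id) || strlen($id) > 10) {
        throw new InvalidArgumentException('id must be a short decimal number');
    }
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->execute([':id' => (int) $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The same rule applies on the way out: escape before echoing into HTML so a
// stored name cannot smuggle markup into the page.
function renderName(?array $user): string
{
    if ($user === null) {
        return '<p>No such user.</p>';
    }
    return '<p>' . htmlspecialchars($user['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Demo against an in-memory SQLite database so the script runs without MySQL.
// With a real MySQL backend, give the web account only the rights it needs, e.g.
//   GRANT SELECT ON site.users TO 'site_web'@'localhost';
// (account and schema names assumed) so a read-only page cannot be turned into
// a write even if a query slips through.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'Ken <b>Beijing</b>')");

echo renderName(findUserSafe($pdo, '1')), PHP_EOL;   // stored markup is neutralised
echo renderName(findUserSafe($pdo, '2')), PHP_EOL;   // unknown id
try {
    findUserSafe($pdo, "1'");                         // rejected before any SQL runs
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

findUserUnsafe() is shown only for contrast and is never called; the validation in findUserSafe() is a whitelist on the shape of the value, and the bound parameter is what actually keeps data and SQL apart, so both belong together rather than either alone.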


One trick, if your hosting account allows for it, is to place the configuration files/folder "above" the public_html folder in the account. It makes it more difficult to access from the web.
Check ALL user input for nasty stuff.
Rename your Admin section to something other than Admin.
Check ALL user input for nasty stuff.
Use a secure login method. Check out encryption and the use of 'salts' for passwords.
Check ALL user input for nasty stuff.
Use mysql functions to escape data before placing into the DB.
Check ALL user input for nasty stuff.
Keep current on the version of software you use.
Check ALL user input for nasty stuff.
Oh, and always, always, always check ALL user input for nasty stuff. Did I mention that yet???
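The "salts for passwords" point above as an added example, not code from this thread or from any poster. It is written for PHP 7 or later and uses password_hash()/password_verify(), which generate and store a random per-password salt; the $users array stands in for a users table keyed by username, and the sample usernames and passwords are constructed for the demo.

```php
<?php
// Added example, not code from the thread: salted password hashing for a login
// form. The $users array stands in for a users table keyed by username.
declare(strict_types=1);

function registerUser(array &$users, string $username, string $password): void
{
    if (isset($users[$username])) {
        throw new RuntimeException('username already taken');
    }
    if (strlen($password) < 10) {
        throw new InvalidArgumentException('password too short');
    }
    // password_hash() picks a random salt for each call and stores it inside the
    // returned string, so the table never holds plaintext and two users with the
    // same password end up with different hashes.
    $users[$username] = password_hash($password, PASSWORD_DEFAULT);
}

function loginUser(array $users, string $username, string $password): bool
{
    // Run the slow hash comparison even for unknown usernames so the response
    // time does not reveal which accounts exist.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('placeholder', PASSWORD_DEFAULT);
    }
    $hash = $users[$username] ?? $dummyHash;
    return password_verify($password, $hash) && isset($users[$username]);
}

// Demo with an in-memory store (constructed sample data).
$users = [];
registerUser($users, 'ken', 'correct horse battery staple');
var_dump(loginUser($users, 'ken', 'correct horse battery staple'));   // right password
var_dump(loginUser($users, 'ken', 'wrong password here'));            // wrong password
var_dump(loginUser($users, 'nobody', 'correct horse battery staple')); // unknown user
echo substr($users['ken'], 0, 7), PHP_EOL;  // the prefix names the algorithm in use
```

The stored string carries the algorithm, cost and salt alongside the hash, so password_verify() needs nothing else from the table; if the default algorithm changes in a later PHP release, password_needs_rehash() can be used at login time to upgrade old entries.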


If you are transmitting really sensitive data (e.g. credit card numbers) you may want to purchase an SSL certificate so you can use HTTPS. For input filtering, you can use mysql_real_escape_string().


If you are transmitting really sensitive data (e.g. credit card numbers) you may want to purchase an SSL certificate so you can use HTTPS. For input filtering, you can use mysql_real_escape_string().
What does mysql_real_escape_string() actually do? I see it quite a lot, but I don't really understand it.

mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.
Those characters are null, newline, linefeed, backslash, single and double quotes, and 0x1a is a "substitute" character (not sure what that's for).
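The escaping rule described above, as an added example that is not code from this thread: a pure-PHP re-implementation of the seven substitutions, so it can be run without a MySQL server. It is not the MySQL function itself. The real call is mysql_real_escape_string($s) in PHP 5 (mysqli_real_escape_string($link, $s) today), which needs an open connection because it escapes according to the connection's character set; this toy ignores that. The sample name is constructed.

```php
<?php
// Added example, not code from the thread: the seven substitutions that
// mysql_real_escape_string() performs, written out in plain PHP. Unlike the real
// function this ignores the connection character set.
declare(strict_types=1);

function escapeLikeMysql(string $s): string
{
    return strtr($s, [
        "\x00" => '\\0',    // NUL             -> \0
        "\n"   => '\\n',    // newline         -> \n
        "\r"   => '\\r',    // carriage return -> \r
        '\\'   => '\\\\',   // backslash       -> \\
        "'"    => "\\'",    // single quote    -> \'
        '"'    => '\\"',    // double quote    -> \"
        "\x1a" => '\\Z',    // Ctrl-Z (0x1a)   -> \Z
    ]);
}

// Escaping only helps when the value lands inside a quoted string literal:
// the backslashes tell MySQL's parser that the quote is data, not the end of
// the literal. A value spliced in without surrounding quotes gets no protection
// from this function at all, so numbers should be cast and, better, every value
// should be bound with a prepared statement instead.
function buildQuotedQuery(string $name): string
{
    return "SELECT id FROM users WHERE name = '" . escapeLikeMysql($name) . "'";
}

$name = "O'Brien\n\"test\"";   // constructed sample containing three of the seven characters
echo escapeLikeMysql($name), PHP_EOL;
echo buildQuotedQuery($name), PHP_EOL;
```

When MySQL parses the resulting literal it turns \' back into ', \n back into a newline and so on, so the stored value is exactly the original string; the escaping exists only to get it safely through the parser.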


mysql_connect(servername,username,password);
I'm using XAMPP, so in my files where I connect to my MySQL db, my servername by default is localhost, username is 'root', and the password is blank. When I host, do I need to change this, even if I place my mysql db in a secure directory?


When I host, do I need to change this, even if I place my mysql db in a secure directory?
SQL databases do not operate on a "directory". They operate on a database server. When you host your DB at your computer with XAMPP, your DB server becomes the same as your web server, i.e. localhost (or your IP address). If you host your site on another place, you may either connect to your home database by using your IP as your host, or use whatever the host gave you as the DB address. The DB username and password are determined by the DB server, so if you connect to your home one, you can use whatever username and password you specify there (note: by default, "root" and no password is not available for remote computers, and that's good, because you'll otherwise have a bunch of hackers writing in your DB without you knowing). If you connect to your host's DB server, you must use whatever username and password they give you (and it sure won't be "root" with no password, as that's the account that would give you full privileges to all databases on the DB server).
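Putting the last two replies together (credentials come from the DB server, not from a folder, and the config belongs above public_html), as an added example that is not code from this thread. The directory layout, the config file shape, the 'site_web' account and the GRANT statements are all assumptions for the demo; the demo writes a throwaway config pointing at in-memory SQLite so it runs without a MySQL server, and it needs PHP 7 or later.

```php
<?php
// Added example, not code from the thread. Assumed layout on the host:
//   /home/site/config/db.php    credentials, one level above the web root
//   /home/site/public_html/     what the web server serves (this script lives here)
// config/db.php is a PHP file that returns an array, e.g.
//   <?php return ['dsn'  => 'mysql:host=localhost;dbname=site;charset=utf8mb4',
//                 'user' => 'site_web', 'pass' => 'CHANGE-ME'];
// The 'site_web' account is assumed to be created on the host's MySQL server with
// only the grants the site needs, e.g.
//   CREATE USER 'site_web'@'localhost' IDENTIFIED BY 'CHANGE-ME';
//   GRANT SELECT, INSERT ON site.* TO 'site_web'@'localhost';
// so the site never runs as root with an empty password.
declare(strict_types=1);

function loadDbConfig(string $path): array
{
    if (!is_file($path) || !is_readable($path)) {
        throw new RuntimeException('database config not found: ' . $path);
    }
    $cfg = require $path;
    foreach (['dsn', 'user', 'pass'] as $key) {
        if (!isset($cfg[$key]) || !is_string($cfg[$key])) {
            throw new RuntimeException("database config is missing '$key'");
        }
    }
    return $cfg;
}

function connectDb(array $cfg): PDO
{
    // Exceptions rather than silent false returns, so a failed query is never
    // mistaken for an empty result.
    return new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'], [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
}

// In production this is all a public script needs; the credentials never sit
// under public_html, so a misconfigured server cannot serve them as text.
//   $pdo = connectDb(loadDbConfig(__DIR__ . '/../config/db.php'));

// Demo: write a throwaway config pointing at in-memory SQLite so this runs anywhere.
$tmp = sys_get_temp_dir() . '/db-config-demo.php';
file_put_contents($tmp, "<?php return ['dsn' => 'sqlite::memory:', 'user' => '', 'pass' => ''];");
$pdo = connectDb(loadDbConfig($tmp));
echo 'connected via ', $pdo->getAttribute(PDO::ATTR_DRIVER_NAME), PHP_EOL;
unlink($tmp);
```

Because the config file is plain PHP that returns an array, even if it did end up under the web root the server would execute it rather than display it; keeping it above public_html removes that dependency on the server being configured correctly.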
