Security


#1 Indigo

    Official Alien


Posted 05 May 2006 - 11:01 AM

I'm thinking a lot about security issues nowadays, and I'm wondering about different functions. These are the ones I use/know of so far:
stripslashes
wordwrap (so people shouldn't be able to write really long words)
htmlentities
htmlspecialchars
In addition, I use md5 and sha1 for password protection.

Now, first of all: are there some of these I don't have to use?
And are there any more I should use? Is there some
I know similar questions have been posted earlier, but they did not quite answer my questions. Also, in some tutorials I've seen, people advise not allowing "--", ";" and "&" in posts. Why is that?

Hope somebody can help me :(

#2 Chaos King

    Senior Programmer


Posted 05 May 2006 - 03:31 PM

Well, it all depends on what you are trying to add your security to. If you want only numbers, you can run a regex against the string. Regex is a good way to filter out most unwanted strings and such.

is_numeric() is one if you want to make sure that the string is an actual number.

etc. Just check up on some security posts on php.net, they have a lot more suggestions and things.

If people advise not allowing those characters, they don't know what they are talking about. You can allow them as long as you know how to keep them from being able to exploit your script, as in changing all HTML characters to their raw form. With certain characters, they can send exploits through your script/database and cause your whole site to go down. Depends on how badly it was coded though :)

#3 Indigo

    Official Alien


Posted 06 May 2006 - 03:16 AM

Well, to be honest, I'm far from being a skilled coder, so it's quite bad :P
What I mainly want is to prevent someone from accessing my databases in any way and destroying my site. If someone writes a dirty word in my guestbook, I can just delete the post, but things get a bit harder when dealing with injections and such.
A friend of mine said that stripslashes is everything I need to use in my login forms and comment systems, but I'm really not sure at all. Is he right?

#4 Hacker-X

    Young Padawan


Posted 06 May 2006 - 07:31 AM

I have a suggestion: in all of your databases, make sure the type of each field is appropriate. For example, you may want a small number, so use int(3) instead of varchar(20). Another example: you're running a small CMS for your site and it's all completed, except that in the CMS database you use varchar(255), which is a big mistake unless your title will be 255 characters.

Htmlspecialchars, stripslashes and wordwrap are all very good at securing data before submitting it to the database. I'd recommend using MD5 over SHA1 because rumor has it that an algorithm has been discovered for SHA1, which means it's not viable to use as a solid encryption algorithm.

Brute forcing is the act of using a piece of software to send password "guesses" to the database, and once the brute force attacker is in, depending on what the control panel is, your site may cease to exist. In order to deter brute forcing, be sure to only allow X failed login attempts. In addition, also make sure that you have the person's IP address, even if he or she is on a proxy server. IP ban if you have to.

Here are some good tutorials to help with security:
http://www.pixel2life.com/tutorials/PHP_Co...d=1&ss=security

Edited by Hacker-X, 06 May 2006 - 07:46 AM.
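The lockout described above, as an added PHP example that is not code from the thread: failed attempts are counted per account and per client address, the login is locked after X failures for a cooldown period, and a correct password resets the account counter. The in-memory store, the thresholds and the sample address 203.0.113.7 are assumptions.

```php
<?php
// Added example (not from the thread): lock out logins after X consecutive
// failures, counted per account and per client address. Counters live in an
// in-memory array so this runs stand-alone; a real site would keep them in a
// database table or cache shared by all requests.
const MAX_FAILURES    = 5;   // X: failures allowed before a lockout
const LOCKOUT_SECONDS = 900; // lockout length (15 minutes)

final class LoginThrottle
{
    /** @var array<string, array{count:int, last:int}> keyed "user:..." and "ip:..." */
    private array $failures = [];
    /** True while either the account or the address is over the limit. */
    public function isLocked(string $username, string $ip, int $now): bool
    {
        foreach (['user:' . strtolower($username), 'ip:' . $ip] as $k) {
            if (!isset($this->failures[$k])) {
                continue;
            }
            if ($now - $this->failures[$k]['last'] >= LOCKOUT_SECONDS) {
                unset($this->failures[$k]); // lock expired, start fresh
                continue;
            }
            if ($this->failures[$k]['count'] >= MAX_FAILURES) {
                return true;
            }
        }
        return false;
    }
    public function recordFailure(string $username, string $ip, int $now): void
    {
        foreach (['user:' . strtolower($username), 'ip:' . $ip] as $k) {
            $count = ($this->failures[$k]['count'] ?? 0) + 1;
            $this->failures[$k] = ['count' => $count, 'last' => $now];
        }
    }
    /** A correct password clears the account counter but not the address counter. */
    public function recordSuccess(string $username): void
    {
        unset($this->failures['user:' . strtolower($username)]);
    }
}

// Take the address from $_SERVER['REMOTE_ADDR']; X-Forwarded-For is client-supplied.
$t  = new LoginThrottle();
$ip = '203.0.113.7'; // constructed sample address
for ($i = 0; $i < MAX_FAILURES; $i++) {
    $t->recordFailure('alice', $ip, 1000 + $i);
}
var_dump($t->isLocked('alice', $ip, 1010));                   // inside the lockout window
var_dump($t->isLocked('alice', $ip, 1010 + LOCKOUT_SECONDS)); // after the lockout expired
```

Because the expiry is measured from the last failure, a source that keeps guessing never gets the lock lifted, while a legitimate user who stops is unlocked after the cooldown.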


#5 Indigo

    Official Alien


Posted 06 May 2006 - 12:57 PM

I've thought of the restrictions on X logins before, but never as a way to avoid brute forcing.
There are sites today where you can insert md5 and sha1 encryptions and you might be lucky and get the original word. Later on, I will do something like this:
Insert password
Encrypt in both md5 and sha1
Check database if password matches both md5 and sha1

I've read somewhere that it's better.
Thanks a lot for the tips! :)
