Secure Your Sites
Below are a few paragraphs explaining how to secure your site from hackers and e-punks, covering some of the common holes in PHP scripts and other areas of your site.
Securing Guestbooks - htmlspecialchars();
Many sites nowadays use guestbooks, as seen on Piczo sites and various other sites. The first thing you should ALWAYS do when you have a guestbook is check for HTML holes. HTML is HyperText Markup Language, a language you should know before you get into PHP. If you know HTML as well as I do, you probably know that it can mess up any site with the right code. They could use <h1> tags to make all of their text big, make links, or just spam up your site, making it look very unprofessional. There's an easy way to stop these guestbook spammers. It's called htmlspecialchars();
The htmlspecialchars() function is really useful: you can use it to take the comment the user has written and filter all of the HTML coding in it. For example, a guestbook without htmlspecialchars() filtering could have
HUGE TAGS LIKE THIS
Or it could have tiny tags like so.
Whatever way you look at it, a guestbook that doesn't filter HTML could end up very badly. =( Any guestbook that filters HTML coding can apply its own style instead, so all the comments have the same size, and there's no way that hackers or noob spammers can mess it up.
That just makes a simple alert, which you are forced to take action upon. Any person on our planet could copy that code and paste it into a guestbook, but the tricky part is how to stop it! Well, here's what you could do first: filter the code. Using PHP you could turn all of the "<" and ">" characters into "[" and "]". I'm not going to get into how to do that, but you could learn how from PHP.net's function list, or go to scriptsyndicate.org and check out this tutorial.
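Here is an added example of the two filtering approaches described above, written for this page and not taken from the original article. The function names and the sample comments are constructed; the only real PHP functions used are htmlspecialchars(), str_replace() and nl2br().

```php
<?php
// Added example (not from the original article): a minimal guestbook comment
// filter built around htmlspecialchars(), with the "[" and "]" replacement
// shown for comparison. Function names and sample comments are constructed.

/**
 * Escape a comment so the browser shows it as text instead of rendering it.
 * ENT_QUOTES also escapes ' and ", so the result is safe inside attributes;
 * ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string,
 * which would otherwise make a bad byte sequence silently drop the comment.
 */
function escape_comment(string $comment): string
{
    return htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * The article's alternative: swap angle brackets for square brackets so tags
 * appear as plain text. It does not touch quotes or ampersands, so
 * htmlspecialchars() is the safer default; this is here for comparison only.
 */
function bracket_tags(string $comment): string
{
    return str_replace(['<', '>'], ['[', ']'], $comment);
}

/**
 * Render one stored comment. Escaping happens at output time, every time,
 * so a comment that slipped into the database unfiltered is still harmless
 * when displayed.
 */
function render_comment(string $author, string $comment): string
{
    return '<div class="comment"><b>' . escape_comment($author) . '</b>: '
         . nl2br(escape_comment($comment)) . "</div>\n";
}

// Constructed sample comments covering the cases the article describes:
// big tags, links, a script that pops an alert, and quotes/ampersands.
$samples = [
    'Nice site!',
    '<h1>HUGE TAGS LIKE THIS</h1>',
    '<a href="http://example.com/spam">click here</a>',
    '<script>alert(1)</script>',
    '"quoted" & <b>bold</b>',
];

foreach ($samples as $raw) {
    echo "raw:       $raw\n";
    echo "escaped:   " . escape_comment($raw) . "\n";
    echo "bracketed: " . bracket_tags($raw) . "\n\n";
}

echo render_comment('guest<script>', "Hello\n<h1>world</h1>");
```

Note that the escaping is applied when the comment is displayed rather than only when it is submitted: if you escape on input and later change how comments are shown (an RSS feed, a JSON API, an admin page), the stored text is already mangled, whereas escaping on output always matches the context it is written into.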
How To Avoid Cookie Hijacking and Cross Site Scripting (XSS)
Cross Site Scripting and cookie hijacking can be the worst thing that happens to your site... EVER. Cross site scripting is basically altering sessions on your site, or stealing cookies from other users and using them to force your way into their account. A good video on this can be located here.
As you can see, the user "chislam" was able to use a cookie logger to steal the user's cookies. Okay, well, let's learn how to prevent that from happening. There are three easy ways to do this.
2) Do not save passwords and usernames as cookies on your site.
3) Encrypt users' passwords
"Your data is always in someone else's hands" - Someone
It's highly unlikely that the site would use your personal data against you, but even so, if you own the site, secure it, because the last thing you want is users running away because it's insecure. I personally say DO NOT SAVE USERNAME AND PASSWORD COOKIES ON THE USER'S BROWSER!
Encrypting your passwords is a very good idea. Let's say that someone gets past all of the defences you've set up, and you set usernames and passwords as cookies. Well, if they steal that cookie and the password is encrypted, it will take them some time to figure out how to decrypt it. There are many ways, such as encrypting them with MD5 or SHA1, or even creating your own encryption and decryption tool. The reason for encrypting that information and decrypting it when they log in is this: suppose a hacker is able to get a username, password, database name and host, and can steal all of the users' passwords. Having the passwords encrypted your own personal way will make it much harder for hackers to decrypt them. Decrypting the MD5 would make them work harder, and would take about an extra 10 minutes per account. Whereas if you just have them showing without encryption, having them stolen could result badly, because that hacker has every username and password in your database and can do whatever they want.
Anyways you get the point.
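The following is an added example, written for this page and not taken from the article, of a login flow that applies tips 2 and 3 above: no username or password is ever placed in a cookie (only PHP's opaque session id travels to the browser), and the stored password is a salted one-way hash. It uses PHP's built-in password_hash() and password_verify() (bcrypt by default) in place of the MD5/SHA1 the article mentions, since unsalted MD5/SHA1 digests of common passwords are found instantly in lookup tables. The $users array stands in for the database, and the account name and password are constructed for the demo.

```php
<?php
// Added example (not from the original article): session-based login that
// keeps credentials out of cookies and stores only a salted one-way hash.
// $users stands in for the database; the account values are constructed.

// Harden the session cookie before the session starts (PHP 7.3+ array form).
session_set_cookie_params([
    'httponly' => true,  // JavaScript cannot read it, so a cookie logger gets nothing
    'secure'   => true,  // sent over HTTPS only
    'samesite' => 'Lax', // not attached to most cross-site requests
]);
ini_set('session.use_only_cookies', '1'); // never accept a session id from the URL
session_start();

// Tip 3: store a salted, one-way hash instead of the password. password_hash()
// picks the salt and algorithm (bcrypt today); the hash string records both.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

// A throwaway hash so a login attempt for an unknown user costs the same time
// as one for a real user; otherwise response time reveals which names exist.
$dummyHash = password_hash('unused', PASSWORD_DEFAULT);

function login(array $users, string $dummyHash, string $username, string $password): bool
{
    $stored = $users[$username] ?? $dummyHash;
    $ok = password_verify($password, $stored) && isset($users[$username]);
    if (!$ok) {
        return false;
    }
    // Issue a fresh session id on login so an id planted in the browser before
    // login (session fixation) cannot be reused by whoever planted it.
    session_regenerate_id(true);
    // Tip 2: the identity lives on the server in $_SESSION, not in a cookie.
    $_SESSION['user'] = $username;
    return true;
}

function current_user(): ?string
{
    return $_SESSION['user'] ?? null;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// Demo run with constructed inputs: a wrong password, an unknown user,
// then the correct password.
var_dump(login($users, $dummyHash, 'alice', 'wrong password'));
var_dump(login($users, $dummyHash, 'nobody', 'anything'));
var_dump(login($users, $dummyHash, 'alice', 'correct horse battery staple'));
echo current_user(), "\n";
logout();
```

With this layout, a stolen cookie contains only a session id, which stops working as soon as the user logs out or the session expires, and a dumped database contains only bcrypt hashes, each with its own salt, so the attacker has to attack every account separately rather than looking up one table of digests.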
That is it for article one. I am going to come out with MANY more articles; check out article 2 when it's finished, it will continue explaining how to make your site secure. That's it for now.
My Next article should come out in about 2 weeks. Hope you all like it =)