Secure Your Sites

Below is a paragraphs explaining how to secure your site from hackers and e-punks. Some of the common holes in PHP scripts or areas in your site.

Securing Guestbooks - htmlspecialchars();

Many sites now a days use guestbooks, as seen on piczo sites or other various sites. First thing you should do ALWAYS when you have a guestbook is check for HTML holes. HTML is Hyper Text Markup Language, which is a language you should know before you get into PHP. If you know HTML as well as I do you probably know that it can mess up any site with the right code. They could use <h1> tags to make all of their text big, or make links, or just spam up your site, making it look very unprofessional. Theres an easy way to bypass these guestbook spammers. It's called htmlspecialchars();

Htmlspecialchars(); function is a really useful function, you can use it to take the comment that the user has written, and filter all HTML coding in it, example.A guestbook without htmlspecialchars(); filteration could have

HUGE TAGS LIKE THIS

Or it could have tiny tags like so.

TINY


What ever way you look at it, a guestbook that doesnt filter html could end up very badly. =( Any guestbook that filters HTML coding can alter it to any special style, making all their comments have the same size, and theres no way that hackers or noob spammers can mess it up.

Javascript injections - How To Avoid Them?!

Javascript injections will happen to many of your sites, the reason being is because people find it funny to redirect you to some stupid spam site, or to just send you a long amounts of alerts and annoy you. But theres an easy way to escape this.

Usually when you go to a guestbook, they dont filter your posts, kind of like htmlspecialchars(); the only thing though is that its pretty difficult to filter javascript. Htmlspecialchars(); doesnt quite do it, so what can you do to stop these javascript injections. Well lets first understand javascript.

Javascript scripts can do various different things, a great example is send you a popup which forces you to either cancel, or press Okay. Believe it or not, the coding to make that happen is very easy, and my cousin who is 7 could do it.

<script>alert(�This is a javascript Alert! �);</script>

That just makes a simple alert. Which you are forced take action upon it. Any person on our Planet could copy that code and paste it into a guestbook, but the tricky part is how to stop it! Well heres what you could do first. You could filter the code. Using PHP you could filter all �<� and �>� �s into �[� or �]�. Im not going to get into how to do that put you could learn how to do that from looking at PHP.net�s function list or go to scriptsyndicate.org and check out this tutorial.

Tutorial Link

http://scriptsyndicate.org?url=/tutorials/get.php&paramName1=id&paramValue1=7

Back to the main point though. Even though you can filter your forms with htmlspecialchars(); , your best bet to stop javascript injections and redirections is to filter your guestbook form with your own hand coded function. As seen in the link above.

How To Avoid Cookie Hijacking and Cross Site Scripting (XSS)

Cross Site Scripting, and cookie Hijacking can be the worst thing that happens to your site... EVER. Cross site scripting is basically, altering sessions on your site, or stealing cookies from other users, and using them for you to force your way into their account. A good video on this can be located here.

Video Link

http://www.youtube.com/watch?v=QsCbPrcpOe0

As you can see the user �chislam� was able to use a cookie logger to steal the users cookies. Okay, well lets learn how to preven that from happening. There are three easy ways to do this.

1) Stop Javascript Injections and Redirections
2) Do not save passwords and usernames as cookies on your site.
3) Encrypt Users Passwords

Number 1

As seen above, stopping javascript injections, spisifically redirects. You can protect this by filtering tags and using htmlspecialchars();

Number 2

Do NOT, and I repete, DO NOT save usernames and passwords as cookies on your site. Yes, thats right, DONT DO IT! Because, if someone was to bypass the javascript injection filters and htmlspecialchars(); (highly unlikely) or if  they post �Go to My Site and tell me what you think� when their site redirects you to a cookie logger, they have your information. This is a saying which I�ve heard more than once.

�Your Data is always in someone elses hands� - Someone

Its highly unlikely that the site would use your personal data against you but even so, if you own the site, secure it, because the last thing you want is users running away because its insecure. I personally say DO NOT SAVE Username and Password COOKIES ON THE USERS BROWSER!

Number 3

Encrypting your passwords is a very good idea. Lets say that someone gets past all of the defence you�ve set up, and you set usernames and passwords as cookies. Well if they steal that cookie, and the password is encrypted, well it will take some time for them to figure out how to decrypt it. There are many ways such as encrypting them to MD5, or SHA1, or even creating your own encryption and decryption tool. The reason for encrypting that information and decrypting it when they log in, is because suppose a hacker is able to get a username, password, database name, and a host, and can steal all of the users passwords. Well, having the passwords encrypted to your own personal way will make it much harder for hackers to decrypt it. Decrypting the md5 would make them have to work harder, and would take about an extra 10 minutes per account. While if you just have them as showing without encryption, if stolen, could result badly, because that hacker, has every username and password in your database, and they can do what ever they want.

Anyways you get the point.

That is it for article one. I am going to come out with MANY more articles, check out article 2 when its finished, it will countinue explaining how to make your site secure. Thats it for now.

_ Lucas

Edited *

My Next article should come out in about 2 weeks. Hope you all like it =)