Home page logo
/

basics logo Security Basics mailing list archives

Re: How can I secure my site?
From: Raymond <infosec () masterofbits com>
Date: Sat, 1 May 2010 08:16:50 -0400

You should not use addslashes(). That does little to protect you.
You should at the very least use mysql_real_escape_string().


On Sat, May 1, 2010 at 3:27 AM, Ali Asghar Toraby Parizy
<aliasghar.toraby () gmail com> wrote:

Hi.  my host runs php 4.x and PDO extension is not available. But I
have used sql injection addslashes() and some codes to prevent bad sql
strings.

On Sat, May 1, 2010 at 4:00 AM, Raymond <infosec () masterofbits com> wrote:
From a PHP perspective, make sure that you "clean" all of your inputs. You
should do this on the client side and also on the server side. Never trust
your data, and do not rely on Regular Expressions to clean your data. Stay
away from addslashes() as well, as that provides little protection. It may
still be possible to craft strings that will still evaluate properly to the
database. What I mean by that is when using SQL in PHP you should use
something like PDO (http://php.net/manual/en/book.pdo.php). With PDO you can
use bindings for all of your inputs. That will help prevent against SQL
injections. Hope that helps some.

http://www.phpro.org/tutorials/Introduction-to-PHP-PDO.html
http://notan00b.com/2009/08/php-pdo-and-sql-injections/


On Wed, Apr 28, 2010 at 9:05 AM, J. Bakshi <bakshi12 () gmail com> wrote:

On Wed, 28 Apr 2010 01:21:50 +0430
Ali Asghar Toraby Parizy <aliasghar.toraby () gmail com> wrote:

Hi
I have written a php website. In this site I sell some license and
serial number. I need to protect serial numbers and user names and
passwords against sniffers and crackers. Now I want to secure this
site and encrypt sessions using https.
What do i have to do?


server
========
[1] mod_security is helpful. Teach it according to your requirement.
[2] From apache or .htaccess restrict bad robots
[3] rewrite rule to redirect non http to https

php
====
php should have some sort of security obviously. Have you implemented
those ?
php gurus can suggest more.

thanks





--
Ali Asghar Torabi

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]