Security Basics mailing list archives

Re: How can I secure my site?


From: Raymond <infosec () masterofbits com>
Date: Sat, 1 May 2010 08:16:50 -0400

You should not use addslashes(). That does little to protect you.
You should at the very least use mysql_real_escape_string().


On Sat, May 1, 2010 at 3:27 AM, Ali Asghar Toraby Parizy
<aliasghar.toraby () gmail com> wrote:

Hi. My host runs PHP 4.x and the PDO extension is not available. But I
have used addslashes() against SQL injection and some code to prevent bad
SQL strings.

On Sat, May 1, 2010 at 4:00 AM, Raymond <infosec () masterofbits com> wrote:
From a PHP perspective, make sure that you "clean" all of your inputs. You
should do this on the client side and also on the server side. Never trust
your data, and do not rely on regular expressions to clean your data. Stay
away from addslashes() as well, as that provides little protection: it may
still be possible to craft strings that evaluate properly in the database.
What I mean by that is that when using SQL in PHP you should use something
like PDO (http://php.net/manual/en/book.pdo.php). With PDO you can use
bindings for all of your inputs. That will help protect against SQL
injection. Hope that helps some.

http://www.phpro.org/tutorials/Introduction-to-PHP-PDO.html
http://notan00b.com/2009/08/php-pdo-and-sql-injections/


On Wed, Apr 28, 2010 at 9:05 AM, J. Bakshi <bakshi12 () gmail com> wrote:

On Wed, 28 Apr 2010 01:21:50 +0430
Ali Asghar Toraby Parizy <aliasghar.toraby () gmail com> wrote:

Hi,
I have written a PHP website. On this site I sell some licenses and
serial numbers. I need to protect serial numbers and user names and
passwords against sniffers and crackers. Now I want to secure this
site and encrypt sessions using HTTPS.
What do I have to do?


server
========
[1] mod_security is helpful. Teach it according to your requirements.
[2] From Apache or .htaccess, restrict bad robots.
[3] A rewrite rule to redirect non-HTTPS requests to HTTPS.

php
====
PHP should have some sort of security, obviously. Have you implemented
those?
PHP gurus can suggest more.

thanks

--
Ali Asghar Torabi
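The three approaches the replies compare, side by side, as an added example that is not part of the thread or of anyone's posted code. It is written for PHP 5+ with PDO (the poster's PHP 4 host could not run the PDO part). To run offline it uses an in-memory SQLite database through pdo_sqlite in place of the site's MySQL server; that substitution, the `users` table, and the function names `query_with_addslashes`, `query_with_driver_escape` and `find_user` are all assumptions made here. The mysql_real_escape_string() path is defined but only usable where that legacy extension and a live link exist.

```php
<?php
// Added example, not code from the thread. PDO over in-memory SQLite is used
// so it runs offline; against MySQL only the DSN and credentials would change.

// --- 1. What the original poster describes: addslashes() into a string query.
// addslashes() backslash-escapes only ' " \ and NUL and knows nothing about
// the connection's character set, so its idea of where a quote ends can
// disagree with how the server tokenises the bytes. That gap is why the
// replies say it provides little protection.
function query_with_addslashes($username) {
    return "SELECT * FROM users WHERE name = '" . addslashes($username) . "'";
}

// --- 2. The "at the very least" option: the driver's own escaping.
// mysql_real_escape_string() needs a live MySQL link and escapes according
// to that link's charset (set with mysql_set_charset() beforehand). The
// mysql_* extension was removed in PHP 7, so this path is kept for the
// PHP 4/5 setup the thread is about and returns null where it is absent.
function query_with_driver_escape($link, $username) {
    if (!function_exists('mysql_real_escape_string')) {
        return null; // legacy extension not present on this PHP build
    }
    return "SELECT * FROM users WHERE name = '"
        . mysql_real_escape_string($username, $link) . "'";
}

// --- 3. What the replies recommend: PDO with bound parameters.
// The SQL text and the data travel separately, so a value can never change
// the statement's structure and no escaping decision has to be made at all.
function find_user(PDO $db, $username) {
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->bindValue(':name', $username, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed fixture: an in-memory table standing in for the site's MySQL
// users table (assumption: the pdo_sqlite extension is available).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$insert = $db->prepare('INSERT INTO users (name) VALUES (:name)');
foreach (array('alice', "o'brien") as $name) {
    $insert->execute(array(':name' => $name));
}

// A name containing a quote is matched literally with bound parameters;
// nothing in the value is interpreted as SQL.
var_dump(find_user($db, "o'brien"));

// Input carrying SQL metacharacters is likewise treated as a plain string to
// compare against, so it matches no row instead of rewriting the query.
var_dump(find_user($db, "alice' OR 1=1 --"));

// For contrast, the query text the addslashes() approach would send, with the
// escaping decision made client-side and without reference to the charset.
echo query_with_addslashes("o'brien"), "\n";
```

The point to take from the last two calls is that the bound-parameter version never has to decide what a quote means: the driver sends the statement and the value separately, which is what makes option 3 the recommendation in the thread rather than a better escaper.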
