Must know to secure your web host


I would like to talk about hacks and how to secure your code at two levels. The two levels are:

  • Code level.
  • Server (host) level.

The risks of not securing these two levels are:

  • Losing important data.
  • Losing your database.
  • New files and folders created on your server (hack).
  • Your current files being modified by malware script added to the end of the files.

 

PHP level security:

Security at the PHP level prevents SQL injection into your database.

So it protects you from losing data or having problems with your database.
The most important thing to know is: don’t trust any data sent from the client.
So, for numeric values (POST or GET), put "(int)" before the variable. This changes its type to integer (if you need it like that). See this code:
$id = (int)$_GET['id'];
// OR
$id = (int)$_POST['id'];

Also see the list of types below:

  • (int) cast to integer.
  • (bool) cast to boolean.
  • (float) cast to float.
  • (string) cast to string.
  • (array) cast to array.
  • (unset) cast to NULL (PHP 5).
  • (binary) cast to binary (PHP 6).


When POST or GET data is sent from the client as a string or text, clean it to prevent SQL injection by using the "mysql_real_escape_string($string)" function.
Example:
$text = mysql_real_escape_string($_POST['textfield']);
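
The mysql_* functions, including mysql_real_escape_string(), were removed in PHP 7.0. The following added example (not code from the original post) goes beyond it: it validates the numeric value instead of only casting it and passes the string through a PDO prepared statement. The table, column and parameter names are hypothetical, the request data is constructed, and it assumes PHP 7.1+ with the pdo_sqlite extension.

```php
<?php
// Added example: table, column and parameter names are hypothetical.
// An in-memory SQLite database (pdo_sqlite) keeps it runnable offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');
$db->exec("INSERT INTO posts (author, body) VALUES ('alice', 'hello'), ('bob', 'private note')");

// Constructed request data standing in for $_GET / $_POST.
$requests = [
    ['id' => '2',    'author' => 'bob'],
    ['id' => '2',    'author' => "x' OR '1'='1"],
    ['id' => '2abc', 'author' => 'bob'],
    ['id' => 'abc',  'author' => 'bob'],
];

/** Return the id as a positive integer, or null if the raw value is not one. */
function validId($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Look up a post with bound parameters; the values never become SQL text. */
function findPost(PDO $db, int $id, string $author): ?array
{
    $stmt = $db->prepare('SELECT id, author, body FROM posts WHERE id = :id AND author = :author');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':author', $author, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

foreach ($requests as $req) {
    $cast = (int)$req['id'];      // the cast silently accepts "2abc" as 2 and "abc" as 0
    $id   = validId($req['id']);  // validation rejects both instead of guessing
    if ($id === null) {
        printf("id=%-5s cast=%d -> rejected (not an integer)\n", $req['id'], $cast);
        continue;
    }
    $row = findPost($db, $id, (string)$req['author']);
    printf("id=%-5s cast=%d -> %s\n", $req['id'], $cast, $row ? $row['body'] : 'no match');
}
```

The second request shows the bound author value being compared as plain data, so the quote characters in it do not alter the query.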

NOTE: don’t forget to prevent access to inner files used in includes.

 

Server (Host) level:

Download the security information test from PHP.net and upload it to your host; it will show you the host's security levels. Download it from this link: http://phpsec.org/projects/phpsecinfo/

Here is the list of security settings and the values they should have:

  • allow_url_fopen must be: 0 (disabled)
  • allow_url_include must be: 0 (disabled)
  • magic_quotes_gpc must be: 0 (disabled)
  • register_globals must be: 0 (disabled)
  • SAFE_MODE: you can turn this feature off; it is deprecated in PHP 5.3 and removed in PHP 6.

 Don’t forget to do the following:

  • Add an empty file named "index.html" to any directory that doesn’t have an "index.html" or "index.php" file.
  • Remove any write permissions on any file or folder you don’t want to change or modify.
  • Add permissions to inner folders to prevent direct access.

 

By Alaa Badran

Front-End and Web developer
