I would like to talk about hacks and how to secure your code in 2 levels. The 2 levels are:
- Code level.
- Server (host) level.
The rist for not securing these two levels are:
- Losing important data.
- Losing your database.
- New files and folders created on your server (hack).
- updating your current files by adding maleware script to the end of files.
PHP level security:
The PHP level will prevent injections to SQL datbase.
So, it will secure you from losing data having problem with your database.
The most thing you should know is: Don’t trust any data sent from client.
for numeric posts (POST or GET) use: "(int)" before the variable. This will change the type of it to integer (if you need it like that). See this code:
$id = (int)$_GET[‘id’];
$id = (int)$_POST[‘id’];
Also see the list of types below:
- (int) cast to integer.
- (bool) cast to boolean.
- (float) cast to float.
- (string) cast to string.
- (array) cast to array.
- (unset) cast to NULL (PHP 5).
- (binary) cast to binary (PHP 6).
When you have POST or GET data sent from client as String or TEXT, try to clean it to prevent SQL injections by using "mysql_real_escape_string($string)" function.
$text = mysql_real_escape_string($_POST[‘textfield’]);
NOTE: don’t forget to prevent access to inner files used in includes.
Server (Host) level:
Try to download the Security information test from PHP.net and upload it to your host to show your the host security levels. Download it from this link: http://phpsec.org/projects/phpsecinfo/
Here is the list of security issues and better values they should get:
- allow_url_fopen must be: 0 (disabled)
- allow_url_include must be: 0 (disabled)
- magic_quotes_gpc must be: 0 (disabled)
- register_globals must be: 0 (disabled)
- SAFE_MODE: you can turn off this feature, this feature is Deprecated in PHP 5.3 and Removed in PHP 6
Don’t forget to do the following:
- Add empty file named as "index.html" to any directoy doesn’t have any "index.html" or "index.php" files.
- Remove any write permissions on any file or folder you don’t want to change or modify.
- Add permissions to inner folders to prevent direct access.