Must know to secure your web host


Posted on December 23rd, by Alaa Badran in Uncategorized. No Comments

Must know to secure your web host

I would like to talk about hacks and how to secure your code in 2 levels. The 2 levels are:

  • Code level.
  • Server (host) level.

The rist for not securing these two levels are:

  • Losing important data.
  • Losing your database.
  • New files and folders created on your server (hack).
  • updating your current files by adding maleware script to the end of files.

 

PHP level security:

The PHP level will prevent injections to SQL datbase.

So, it will secure you from losing data having problem with your database.
The most thing you should know is: Don’t trust any data sent from client.
So,
for numeric posts (POST or GET) use: "(int)" before the variable. This will change the type of it to integer (if you need it like that). See this code:
$id = (int)$_GET[‘id’];
// OR
$id = (int)$_POST[‘id’];

Also see the list of types below:

  • (int) cast to integer.
  • (bool) cast to boolean.
  • (float) cast to float.
  • (string) cast to string.
  • (array) cast to array.
  • (unset) cast to NULL (PHP 5).
  • (binary) cast to binary (PHP 6).

When you have POST or GET data sent from client as String or TEXT, try to clean it to prevent SQL injections by using "mysql_real_escape_string($string)" function.
Example:
$text = mysql_real_escape_string($_POST[‘textfield’]);

NOTE: don’t forget to prevent access to inner files used in includes.

 

Server (Host) level:

Try to download the Security information test from PHP.net and upload it to your host to show your the host security levels. Download it from this link: http://phpsec.org/projects/phpsecinfo/

Here is the list of security issues and better values they should get:

  • allow_url_fopen must be: 0 (disabled)
  • allow_url_include must be: 0 (disabled)
  • magic_quotes_gpc must be: 0 (disabled)
  • register_globals must be: 0 (disabled)
  • SAFE_MODE: you can turn off this feature, this feature is Deprecated in PHP 5.3 and Removed in PHP 6

 Don’t forget to do the following:

  • Add empty file named as "index.html" to any directoy doesn’t have any "index.html" or "index.php" files.
  • Remove any write permissions on any file or folder you don’t want to change or modify.
  • Add permissions to inner folders to prevent direct access.

 





Leave a Reply

Your email address will not be published. Required fields are marked *