I created more than 10 PHP and MYSQL CMS Scripts. But i have no clear for how to secure that scripts. some people say use mysql_real_scape_string http://php.net/manual/de/function.mysql-real-escape-string.php Im not using OOP techniques. Then What is the best method for secure our php scripts?
Well there are some things that you need to take in account. First of all, what you're trying to prevent using the mysql_real_escape_string is an SQL Injection. Take a look at this sample code: <?php $sql = "SELECT * FROM users WHERE username = '{$_POST['username']}'"; $qry = mysql_query($sql); PHP: Now imagine that the information passed by the client was: ' OR 1 Code (markup): Your program would produce the following query: SELECT * FROM users WHERE username = '' OR 1' Code (markup): You can spot the problem, right? Now take a look at PHP docs regarding mysql_real_escape_string - it basically escapes (adds a \) to special characters, so taking the example above, if you escaped $_POST['username']your query would turn into something like: SELECT * FROM users WHERE username = '\' OR 1' Code (markup): In this case you are literally trying to find for a user who's username is ' OR 1. It will simply return no rows. To avoid these nasty situations, you should take a look into PHP's PDO class - http://www.php.net/manual/en/book.pdo.php Apart from SQL Injection there are a number of other things to watch out for (XSS, CSRF, ...). There are books written addressing these issues, I cannot expose them all in a forum post. If you have a specific question ask and we'll try to help, but you really have to do some homework and narrow down your problem to specific questions. Good luck
$message = ""; $username = $_POST['username']; $password = md5($_POST['password']); $email = $_POST['email']; //Add to Database $sql = "UPDATE table SET username='$username', password='$password', email='$email' WHERE id='1''"; mysql_query($sql) or die(mysql_error()); $message .= "Admin Datails Update Successfully"; Code (markup): This is my sample codings
proactiv3 was showing you the problem with your code. You should never use data from users in your mySQL queries until you filter it with mysql_real_escape_string(). Otherwise, a user can enter data in a way that could give them access to your entire database or worse. Your code should be something like: $message = ""; $username = mysql_real_escape_string($_POST['username']); $password = mysql_real_escape_string(md5($_POST['password'])); $email = mysql_real_escape_string($_POST['email']); //Add to Database $sql = "UPDATE table SET username='$username', password='$password', email='$email' WHERE id='1''"; mysql_query($sql) or die(mysql_error()); $message .= "Admin Datails Update Successfully"; PHP: See mysql_real_escape_string() in www.php.net for more information on security. Good luck!
U know something, is you have a highest programming and the smartest one in the world... you never stop crackers/hackers to gain access to your system if you didn't have a good rules in your web-server such like setup mod-security +rules against Xss/mySQL attacks, CSF /or/ APF Firewall... and disable_functions with "suhosin" would be good enough to you if you would care to secure your system. You can jail Apache to increase any web vulnerabilities would be bypassed if so.. so it wouldn't effect others websites in your system. -FB
Wordpress would be secure for me, be careful when you add the plugins to be up2date and secure... the hackers may use the plugins to hack your blog, wordpress is 98% secure. Druple secure but i prefer wordpress.
You must use mysql_real_escape_string for every mysql query. Additional I always using .htaccess and .htpasswd protection for admin control panel. For example if my admin panel is on url mysite.com/admin when you try open this page you will be asked by Apache server to enter your user and password stored in .htpasswd file and only after successful authentication, you will be able to see admin login page. Also if you have static IP address from your ISP, you can use IP protection.