Hi. I have made a website in PHP using MySQL as my database; however, I am worried about security. Is there any threat of somebody being able to hack into my site? What are the usual precautions one must take in PHP design?
Here are some good resources to help keep your apps secure. SQL injection is probably the biggest concern, but it is also fairly easy to prevent. The other primary concerns are XSS attacks, and session and cookie hijacking. If you have your own server, using modsecurity, suphp, and other modules can really help prevent additional damage if you do get a hacked script.

http://phpsec.org/
http://www.sitepoint.com/article/php-security-blunders

Also, phparch's guide to PHP security is a good guide if you want something in print: http://www.phparch.com/c/books/id/0973862106
OK, regarding SQL injection, is it about logging in through the GET variables? If so, I am safe on that. What are some of the common ways hackers try to hack a website?
Have a look at "A Study in Scarlet". It's from the 2001 Black Hat briefings and outlines common security issues very nicely: http://www.securereality.com.au/studyinscarlet.txt
jestep, the second link is useful. So far I have blocked JavaScript inputs and validated GET variables. Are there any other kinds of vulnerabilities? How do you hack POST and cookie variables?
This is the oversimplified version, and you should read up on the proper things, but in short: sanitize all user input.
Oh yes, I almost forgot to validate my POST variables. But cookies? How do people hack through cookies? Also, what are some common characters not to allow in a typical user input?
People can change the value of a cookie, or better, create a new cookie... It is better to use sessions, and in the session store "yoursitename|" . base64_encode($username) . "|" . $password; note that the $password must be encrypted with a hash (e.g. sha1). Then create a checklogin to check the user and explode() the values of the session...
Any example of how changing the cookie file in temporary files can inject things into our SQL statements? I code all my websites with cookies, so if you show me an example I can prevent it.
Cookie hijacking is more related to stealing other users' information. Let's say that you store authentication information in a cookie. Since the cookie is stored with your visitor, they can change the information in it and potentially get access to secure areas or steal other customers' information. When you store authentication with a session, the data is kept on your server in a temporary folder or in RAM. The user cannot change the data that is in a session, and therefore cannot gain access to places or information that they should not have access to. The drawback is that the connector between the user and the session data is a cookie (or a URL string, but this is very insecure). You then need to worry (a little) about session fixation and session hijacking, but these are easier to protect against than cookie hacking. If you're already completely committed to using cookies, you can encrypt the data in the cookie and decrypt it on your server. If you use a unique two-way encryption (AES, DES, or other), the information will be incorrect if the visitor alters their cookie. They would need the encryption key to alter a cookie with any reasonable chance of success.
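As an added example (not code from this thread), here is how the two approaches in the answer above look in PHP: a cookie value sealed with authenticated encryption, so an altered cookie is rejected outright instead of decrypting to garbage the application might still act on, and a session login that rotates the session id against fixation. It assumes PHP 7.2+ with the sodium extension and a 32-byte server-side secret $key; the function names are my own.

```php
<?php
// Added example. Assumes PHP >= 7.2 with the sodium extension; $key is a
// 32-byte secret that stays on the server and is never sent to the client.
declare(strict_types=1);

// Seal a cookie value with authenticated encryption (XSalsa20-Poly1305).
// The MAC means a changed or forged cookie fails to open at all.
function sealCookieValue(array $data, string $key): string {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = sodium_crypto_secretbox(json_encode($data), $nonce, $key);
    return base64_encode($nonce . $box);
}

// Returns the original array, or null if the cookie was altered or forged.
function openCookieValue(string $cookie, string $key): ?array {
    $raw = base64_decode($cookie, true);
    $minLen = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $minLen) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        return null; // MAC check failed: the cookie was changed on the client
    }
    $data = json_decode($plain, true);
    return is_array($data) ? $data : null;
}

// Session-based alternative from the answer above: data stays server-side,
// the cookie only carries the session id, and that id is rotated at login so
// a session id fixed before authentication is never promoted to a logged-in one.
function loginUser(int $userId): void {
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Strict']);
    session_start();
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// Demo with a constructed key: a valid cookie opens, an altered one is rejected.
$key = sodium_crypto_secretbox_keygen();
$cookie = sealCookieValue(['user_id' => 42], $key);
var_dump(openCookieValue($cookie, $key));
$altered = $cookie;
$altered[10] = ($altered[10] === 'A') ? 'B' : 'A'; // flip one character
var_dump(openCookieValue($altered, $key));
```

The sodium constants and functions used here are the standard ones shipped with PHP; loginUser() must run before any output is sent, since it sets the session cookie headers.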