I have a question. I made a huge php project with a lot of logic in it. I have javascript, json communication, users, complex users panel, complex admin panel, cron and so on. Till now I never made public such big php project, I have some java portals running but the security is very different when you use java and java related technologies. I think I made it secure enough but you can never be sure in this. How to test it without any harm?
The best thing to do is to know what sort of things you are up against. One great resource to read comes from the security articles on addedbytes Article 1 Article 2 Article 3 Article 4
Hey thanks for the article link, Jay. Security is a bear, as fast as you can implement a plug, someone is finding a new hole. Keeping up with available tools and techniques for protecting your site and data is a neverending task.
Yep, thanks for the articles (but they are on beginners level) I need some personal advice maybe ... I don't know what I need I think I'll just take the risk and keep an eye on the logs.
SQLI, BSI, XSS, CSRF, LFI, BFA, respectively neutralized by mysql(i)_real_escape_query (both SQLI and BSI, but be very careful about the second one), htmlentities (strip_tags is more secure, but you don't want to always do that), CAPTCHA or some kind of action key in every form (and I mean EVERY form, especially sensitive ones like changing password, probably the biggest hole for sites like RapidShare, also don't use $_REQUEST global variable), absolute inclusion paths (this is pretty rare and "lame" security hole, but if you make it, you're doomed) and as for brute force/dictionary attack... well, making a "loggin_attempts" SQL table and logging stuff like that can save you, but too much SQL search queries at the same time for large tables may crash your server, so you may want to log and limit them too.