What other PHP/SQL Injection methods can I prevent?

Discussion in 'PHP' started by Washuu, Jul 4, 2008.

  1. #1
    I am trying to make sure my web site is completely locked down from anyone attempting to tamper with it through injection.

    http://www.nonamestudios.com/
    The web site is a completely custom-made layout, PHP scripting, and database design in a blog-like structure.
    1.) All of the post information being browsed by regular visitors is being accessed by a database user that has SELECT privileges only.
    2.) index.php only accepts ?p= as its variable. If p has anything besides 1234567890 or is not numeric, it ignores it and dumps the user back to the home page.
    http://www.nonamestudios.com/index.php?p=7
    http://www.nonamestudios.com/index.php?p=gh7
    3.) Comments are posted to a separate database on the same database server. If this was compromised I can just drop and recreate the table. (The comment system is currently disabled and hidden while I work on improving its anti-spam.)
    4.) The administrator section is completely obscured and protected, since it has full access to the database.

    Unfortunately I am not using anything like magic quotes, since it is deprecated, and I have never sanitized further than making sure the requested page number was an integer.

    I am sure there are some other simple steps I can take to improve my security. I searched around the old posts, but nothing really popped out saying that is what else I could do!
     
    Washuu, Jul 4, 2008 IP
  2. Greg Carnegie
    #2
    Wow man, your site is probably secured better than my bank site :)

    One thing you didn't mention is register_globals (should be set to off).

    Set (PHP):

    error_reporting(0);
    ini_set('display_errors', 'off');

    and you are good to go. Usually using custom software is more than enough. If someone wants to hack software, he has to have it first to check the code for possible holes; if not, he can try popular attacks through $_GET and $_POST.

    Also remember cross-site scripting when you allow users to post comments.
     
    Greg Carnegie, Jul 4, 2008 IP
  3. Washuu
    #3
    I am a bit paranoid about security. ^_~

    register_globals is off by default.

    Normally I prefer error reporting, but those are great tips. I stuck them in my live version and am keeping them out of my test versions.

    I will be sure to add in some code to encode HTML brackets and other potential nasties for my comments. I almost forgot about that! I believe there is a function for that, but otherwise I will write one if needed.
     
    Washuu, Jul 4, 2008 IP
  4. Greg Carnegie
    #4
    There are at least two functions in PHP that allow converting chars to HTML entities: htmlspecialchars and htmlentities. I prefer the second one because it can also convert quotes.
     
    Greg Carnegie, Jul 4, 2008 IP
  5. EASYDOMAIN4ALL
    #5
    A few of my suggestions would be:

    1) Filter input values. I hope that is done in your project at all levels.

    2) Using the mysql_real_escape_string() function (PHP) in your SQL statements helps a lot.

    3) For better session management use both a database- and cookie-driven approach. Bump anyone out for a slight change in IP address.

    4) Ensure that any form has been submitted from your site only.

    Please remember security is an ongoing endeavour mate, there is no one-time approach.

    Krish
     
    EASYDOMAIN4ALL, Jul 4, 2008 IP
  6. Washuu
    #6
    Krish, I tossed in the mysql_real_escape_string to escape all of my inputs for my commenting system. (Which is now back up and running.) Most of it was already filtered to automatically deny comments and such with invalid characters, but with the new functions and checking it is much more robust.

    Honestly, there is no login for anyone on the site. There are no cookies kept because of that.
     
    Washuu, Jul 5, 2008 IP
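A worked version of the three measures the thread discusses (the digits-only ?p= check from post #1, escaping before SQL as suggested in post #5 using the mysqli equivalent, and HTML encoding from post #4), added here as an example; it is not code from the thread or from the nonamestudios.com site, and the table names, column names and connection details are placeholders:

```php
<?php
// Added example, not code from the thread or the nonamestudios.com site.
// Assumed (placeholders): tables `posts` and `comments`, and the connection details below.
// Post #1: ?p= must be digits only; anything else is ignored and the visitor
// goes back to the home page. ctype_digit rejects "gh7", "-1", " 7" and "".
function pageIdFromQuery(array $query): int
{
    if (isset($query['p']) && is_string($query['p']) && ctype_digit($query['p'])) {
        return (int) $query['p'];
    }
    return 0; // 0 means "home page" to the caller
}

// Post #5: escape a value before it goes inside a quoted SQL literal.
// mysqli_real_escape_string needs the open connection so it uses its charset.
function escapeForSql(mysqli $db, string $value): string
{
    return mysqli_real_escape_string($db, $value);
}
// Post #4: encode before the value reaches HTML; ENT_QUOTES also converts ' and ".
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

$db = mysqli_connect('localhost', 'blog_app', 'placeholder', 'blog'); // assumed
if ($db === false) {
    exit('database unavailable');
}

$page = pageIdFromQuery($_GET);
if ($page === 0) {
    header('Location: /');
    exit;
}
// Write side: escape for SQL here, encode for HTML only at output time.
$comment = isset($_POST['comment']) && is_string($_POST['comment']) ? $_POST['comment'] : '';
if ($comment !== '') {
    $sql = sprintf("INSERT INTO comments (post_id, body) VALUES (%d, '%s')",
                   $page, escapeForSql($db, $comment));
    mysqli_query($db, $sql);
}

// Read side: $page is already an int, so %d cannot carry SQL into the query.
$rows = mysqli_query($db, sprintf('SELECT title, body FROM posts WHERE id = %d', $page));
while ($rows && ($row = mysqli_fetch_assoc($rows))) {
    echo '<h2>', encodeForHtml($row['title']), '</h2>';
    echo '<p>', encodeForHtml($row['body']), '</p>';
}
```

With mysqli or PDO, a prepared statement with bound parameters removes the need to escape the comment by hand; escaping is shown here because that is what the thread discusses.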