Security-Check

easysystem

Hi!

I programmed a Content-Managing-System with PHP/MySQL.
Now I want to ask you how to check the security of the CMS?

Sorry for my bad english... i'm from germany

Option

Your english is perfect!

Before you decide that you want it to be secure ask yourself these questions...

1) Would anyone WANT to hack.
2) Does it matter if people hack.

If you do want to check the security... there is no real way of TESTING it.. but if you post your code I'm sure we can have a look for you.

Thanks
Jonny

planetsim

Option - They are stupid questions to ask, what happens if someone doesnt like him, and wants to hack his site.

The questions you should be really asking yourself is.

Forms
-Are they secure
-Do they check the information before being added to the database.
-Can people post Javascript into forms and work on the other end.
-Am i using Register_Globals On if so, can people just use a querystring to manipulate the data to be added to the database.

Did i ban words such as bin. Take a look at the manual for some fatal words which can destroy a database.

Includes
-Do you have includes like this <?php include($page); ?>
If so can people use the querystring and have it link to a file that can copy my website, which could contain passwords, and confidential information which will be compromised.

eg.. index.php?page=/my/bad/script.php

That is just some, of what you must think about.

Theres also your server, if its secure, but im assuming thats not your responsibility.

easysystem

here some line of perhaps 5000 lines code:

If ($HTTP_POST_VARS['nachname'] and $HTTP_POST_VARS['vorname'] and $HTTP_POST_VARS['email'] and $HTTP_POST_VARS['betreff'] and $HTTP_POST_VARS['nachricht']) {
if (!ereg("^.+@.+\..+$", $email)) {
$error3 = "Emailadresse ungültig";
.
.
.