Testing Site Security

naifwonder

Hey how's it going people? I've been working on the site below for some time now and I am planning on completely launching it soon.

http://www.immortalgaming.com

I don't have any "formal training" in php and have taught myself. As such, I am expecting that there are certain aspects of php programming that I am not aware of, primarily the security factor. This is a site I made for a game hosting company me and my friend are starting up. However, I wan't to know if the site has been well secured. Are there any companies that test this? Also, does anyone know of any sites or documents that list php vulnerabilities that have been exploited before so I can test them on this site?

The security features I have built in include but are not limited to:

All include files are outside of the web directory
Pages in the iPanel (the account manager) have a log system where any invalid attempt made to access a page logs the page, user ip, and the time.
Token systems are utilized for all forms
User verification utulizing both cookies and sessions
Almost every variable transmitted via url with the exception of those that are needed that control how the page is loaded are set as blank first thing during each page load to make sure that users haven't tampered with them (I still have to add this on to a few of the pages)
Include pages that are dynamically customized for the user each have the user verification system included
The passwords are encrypted using md5 encryption as well as one I made myself.
The message board is phpBB so I'm hoping that their security is good, which I believe it is.

Any help or feedback would be greatly appreciated. Thank you.

help_wanted

Do you check all users input before sending it to the DB? A good website to look at, that covers some good areas of security is:
http://phpsec.org/projects/guide/
This guide will give you examples of common coding mistakes, so I would recommend puting your website on a testing location. and point that tester site to a test copy of your db. Then try to destroy your own website using given the examples. I would not do any of the tests on your live site.

Also I would reccomend PHPClasses.org this is a repository of opensource php classes, many of them are for security: http://psbweb.mirrors.phpclasses.org/browse/class/78.html

Also I would suggest signing up for this newsletter:

http://www.securityspace.com
They send security alerts via email, it is free for the email. So you can check all of the newest security issues. Since you are using PHPBB, you need to check there site ofter for security updates, I personaly use there forum in a few sites, but as you know it is open source, this by default makes it some what of a risk as millions of people have the complete source code, so people find flaws in the code and exploit those flaws from time to time.

By the way I like the site, verry clean and easy to navigate!

Chris