how can i make my site and db secure?

glamorous-glare

how can i make my site made by php secure?and how can i make my database
secure?do i use certain programes to maintain security on my site and db or that's related to coding in php?

i'll be really very grateful if someone tells me
thanx in advance

DanielLiljeberg

Securing you server is one thing and securing your code is another. Both aspects should be considered. The server is mostly secured via programs and firewalls and such. However, the code should not be neglected. Especially with php/mySQL it's easy to send things in the url that with a bit of tinkering could be changed to somethingelse to do things you really didn't want it to do. I have always tried to be preemtive so I have never actually gotten to see it in action. But say you take a passed variable ad insert it directly into an SQL query.

www.yoursite.com/index.php?sort=ASC

Now say that someone could use that weakness to inject sqlcommands that they like.
Even worse, they could wipe you database if the user you are using to access the database has that privelige. For this reason I never use passed variables directly to create my queries. Instead I use them do decide wich sql query to run.

Another thing is that if your site is supposed to be protected by password and user access, you should chack that the password is valid on each and every page. Otherwise someone could skip the initial page that does the check and directly load a page that is actually included in the initial page. Thus curcimventing the security check. All these are basic things but they are easily overseen by people who might be in a hurry or who might not be aware of them. There are probably hundreds (hope I'm exagerating) of small things like this. And I'm sure I only know a fraction of them.

Norman_Graham

Hi Glamourous Glare

Damien isn't exaggerating about the number of aspects you have to consider, although I must say PHP is very good at providing ready-made tools for covering things like SQL-injection.

You might be interested in hardened PHP which is an open-source project designed to protect LAMP installations.

HTH

Norm

glamorous-glare

oh guys thanx a million for what you told me....i am really grateful to you daniel and norman
yet you really made me so reluctant to make a php-powered website.......it needs sooo much thinking before taking such a hard decision esp that i am brand new in that field.....

thus i dare say that there's no web site that's secure 100 % ,right?

DanielLiljeberg

glamorous-glare wrote:
oh guys thanx a million for what you told me....i am really grateful to you daniel and norman
yet you really made me so reluctant to make a php-powered website.......it needs sooo much thinking before taking such a hard decision esp that i am brand new in that field.....

thus i dare say that there's no web site that's secure 100 % ,right?

Well, to be crude, most likley no. Although many sites are VERY secure, you can probably find a weakness in most of them. The larger they are and the more developer sharing the work the more probable I would say. A one page website is pretty easy to get secure though 😉

But don't let this stop you from trying PHP. Same story goes for ASP and other scripting languages to. But it's a good thing be know about these things before. You will probably still miss a few holes, but you might be spared many of the beginner errors. Also, if I look back each and every site I have made has been better and better. And I still learn new things all the time. So my first site wasn't a securiy marvel either. However, that didn't stop me from taking the first step.

Norman_Graham

Hi Glamorous-Glare

First the bad news: there isn't any web-application language which comes with 100% built-in security. This is the internet we're talking about here. If you want total built-in security, make an offline application and distribute it on a copy-protected CD-ROM and make sure it has no internet interaction whatsoever.

Now the good news: PHP is in fact a lot better at catering for security concerns than some other web-application languages. Furthermore, PHP-based websites are, as a rule, hosted on Linux, which is considerably more secure than any Windows environment.

Summary: get into web-application programming and pay attention to security concerns from day 1 because they apply to Perl, PHP, ASP.NET, Java, JSP, C#, Python, VB, JavaScript and all variants thereof. Secondly, make this your motto: if it can go wrong, then it already has. Thirdly, however, don't get too hysterical. Unless you are working for a financial, political or military organisation, you can assume that most evil people are not particulary interested in your website.

Best o luck

Norm

DanielLiljeberg

Just note that most offline software can be hacked to 😉

glamorous-glare

thank you alot for your advice....
you're right daniel i've to try....even if something went wrong,sure i 'll learn something from that.
i'll also put your pieces of advice into consideration norman.
thanx again guys