I'm almost done on my new site that's been in production over 6 months.
As final steps I'm cleaning my code, CSS etc.
I'd like to be secure that my site won't be hacked once online.
I've browsed the net, but saw many conflicting reports.
Maybe it would be a fine idea to aid many of us in some steps we should take to bring security to an upper level?
For example, I know what SQL injection can do, but I don't know how it can be performed.
Is it only along the form input fields or can my DB be injected by other means?
How can I protect my input fields?
For example, I added "mysql_real_escape_string" to any comment that's being stored to DB.
But now I read it's not enough, there is also some sort of "LIKE" attack?
Hmm.. what if I trim the string to ONLY alphanumeric characters before storing such a user comment into DB? Would that be total security?
For passwords I use hash and salt and keep the login details page in the folder above my root on FTP, is this secure?
Another point, can JS libraries be used as intrusion elements? I read that somewhere as well.
I for example have jquery, prototype and swfobject JS embedded in my pages.
Let's say I do an automated backup of my entire DB every 2 hours, is this a good approach?
Any other tips n tricks to use in order to boost a site security would be good. I believe many users would appreciate this collective info : D
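An added example (not code from this thread or any poster) of the three things the questions above touch on: keeping user input out of the SQL string with bound parameters, escaping LIKE wildcards separately from SQL escaping, and storing passwords as salted slow hashes. Injection is not limited to form fields; any value that ends up in a query string (URL parameters, cookies, headers) needs the same treatment. It assumes PHP 7.1+ with the pdo_sqlite extension and uses an in-memory SQLite database as a stand-in for MySQL; the table layout and the sample comments are constructed for the example.

```php
<?php
// Added example, not from the thread. Assumes PHP >= 7.1 with pdo_sqlite.
// SQLite in memory stands in for MySQL so the script runs offline;
// change the DSN to mysql:... for a real deployment.

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT NOT NULL, body TEXT NOT NULL)');
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL, pw_hash TEXT NOT NULL)');
    return $db;
}

// The comment text never becomes part of the SQL text: it travels as a bound
// parameter, so quotes, semicolons or "' OR '1'='1" are stored literally.
function storeComment(PDO $db, string $author, string $body): int {
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $db->lastInsertId();
}

// Binding stops SQL injection but does NOT neutralise LIKE wildcards:
// a search term of "%" would still match every row ("LIKE attack").
// Escape %, _ and the escape character itself, in that order.
function escapeLike(string $term, string $esc = '\\'): string {
    return str_replace([$esc, '%', '_'], [$esc . $esc, $esc . '%', $esc . '_'], $term);
}

function searchComments(PDO $db, string $term): array {
    // ESCAPE '\' tells the engine which character escapes wildcards.
    $stmt = $db->prepare("SELECT body FROM comments WHERE body LIKE :pat ESCAPE '\\'");
    $stmt->execute([':pat' => '%' . escapeLike($term) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Salted, deliberately slow password hashing. password_hash() generates the
// salt and embeds it in the returned string, so no separate salt column is needed.
function registerUser(PDO $db, string $name, string $password): void {
    $stmt = $db->prepare('INSERT INTO users (name, pw_hash) VALUES (:name, :hash)');
    $stmt->execute([':name' => $name, ':hash' => password_hash($password, PASSWORD_DEFAULT)]);
}

function checkLogin(PDO $db, string $name, string $password): bool {
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

// Constructed sample data: one comment carrying a classic injection payload
// and one containing a literal percent sign.
$db = openDb();
storeComment($db, 'alice', "Nice site! ' OR '1'='1");
storeComment($db, 'bob', '100% agree with alice');
registerUser($db, 'alice', 'correct horse battery staple');

var_dump(searchComments($db, "' OR '1'")); // only alice's comment, stored verbatim
var_dump(searchComments($db, '%'));        // only bob's literal "%", not every row
var_dump(checkLogin($db, 'alice', 'correct horse battery staple')); // bool(true)
var_dump(checkLogin($db, 'alice', 'wrong'));                         // bool(false)
```

Escaping is a property of the query, not of the stored data: the comment is inserted unchanged, and the wildcard escaping is applied only where the value is used in a LIKE pattern. Applying mysql_real_escape_string at storage time, as the question describes, both alters the stored text and leaves later queries unprotected.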
Ensure the 'username' that you are connecting to the database with from the webpage has the minimum permissions required, e.g. if you are only inserting data into tables then only give the user INSERT permissions. Ideally only interact with the database through stored procedures (available in MySQL 5): give permission to execute the stored procedures and nothing else.
2. Clean Form Entered Data
As you know, never enter data directly from a form into a database without cleaning it. Personally I write specific functions to check that the input is exactly as expected.
E.g. if a form field should only be 24 characters long maximum and should have only alphanumeric characters then write a function to check specifically for that. Basically allow only characters that you expect and lengths that you expect.
When I say clean, that is perhaps a misnomer: you should not attempt to 'clean' input; if it fails the test then reject it completely, don't try to replace characters.
You also need to look at quote marks of course.
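An added example (not the poster's code) of the validate-and-reject approach described in point 2, alongside the "trim to alphanumeric" idea from the opening post so the difference is visible. Each field has an explicit maximum length and a pattern that must match the whole value; anything that fails is refused rather than rewritten. The field names, rules and sample submissions are constructed for the example, and the MySQL GRANT statements in the closing comment illustrate the least-privilege advice in point 1 using placeholder names.

```php
<?php
// Added example, not from the thread. Assumes PHP >= 7.0.
// Field names and rules below are constructed for illustration.

// Per-field rules: maximum byte length and a pattern the ENTIRE value must
// match. \A and \z are used instead of ^ and $ because $ also matches just
// before a trailing newline, which would let "alice\n" through.
const FIELD_RULES = [
    'username' => ['max' => 24,  'pattern' => '/\A[A-Za-z0-9]+\z/'],
    'age'      => ['max' => 3,   'pattern' => '/\A[0-9]+\z/'],
    // Free text: any printable UTF-8 plus tab/newline; control bytes rejected.
    'comment'  => ['max' => 500, 'pattern' => '/\A[^\x00-\x08\x0B\x0C\x0E-\x1F]+\z/u'],
];

// Returns the names of the fields that failed; an empty array means "accepted".
function validateForm(array $input): array {
    $failed = [];
    foreach (FIELD_RULES as $field => $rule) {
        $value = $input[$field] ?? null;
        // A missing field, or an array sent as "field[]=x", is not a string: reject.
        if (!is_string($value)) {
            $failed[] = $field;
            continue;
        }
        if (strlen($value) > $rule['max'] || preg_match($rule['pattern'], $value) !== 1) {
            $failed[] = $field;
        }
    }
    return $failed;
}

// The "strip everything non-alphanumeric" alternative from the opening post.
function stripToAlnum(string $s): string {
    return preg_replace('/[^A-Za-z0-9]/', '', $s);
}

// Constructed submissions.
$good = ['username' => 'alice', 'age' => '34', 'comment' => "Nice site! It's great."];
$bad  = ['username' => "ad'min", 'age' => '34', 'comment' => "Nice site!"];

var_dump(validateForm($good)); // array(0) {}  -> accepted as-is
var_dump(validateForm($bad));  // ["username"] -> the whole request is refused

// Why rejecting beats cleaning: stripping silently turns an invalid value
// into a DIFFERENT valid one. "ad'min" collapses to "admin", which may be
// another account's name, and the original attempt leaves no trace.
var_dump(stripToAlnum("ad'min")); // string(5) "admin"

// Least privilege for the application's database account (MySQL syntax,
// run once by an administrator, never by the web application itself).
// Placeholder names; the app can insert and read comments and call one
// stored procedure, and nothing else:
//   CREATE USER 'webapp'@'localhost' IDENTIFIED BY '<strong password>';
//   GRANT INSERT, SELECT ON site.comments TO 'webapp'@'localhost';
//   GRANT EXECUTE ON PROCEDURE site.register_user TO 'webapp'@'localhost';
```

Validation limits what reaches the query; it does not replace the bound parameters from the earlier example. The two are complementary: the validator rejects malformed requests early, and the prepared statement guarantees that whatever is accepted is treated as data, including a legitimate apostrophe in a comment that the alphanumeric-only approach would have destroyed.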
Of course, one should always watch out for that.
I'm planning to construct a method that will pull the data with the leading number, so I could have backups at least up to 20, e.g. for two days in my case.
Is exporting from phpmyadmin enough?
Another question, should I also back up my files from FTP regularly?
Hope not so often, as they are around 4 GB : P