Scratch

For general advice, you should see LS97's awesome guide instead. This topic is about technical stuff
Note: while most advice in this article can be used in most languages, the specific functions I list are for PHP.

1. Escaping data
1a. Escaping data in SQL
Whenever inserting data in MySQL, always be sure to escape it. Otherwise, a hacker can mess with it. For example, they could log in with the username ' OR username='jvvg' and then get ahold of any account. To prevent that, always escape user-submitted data that's put into MySQL.
If a number is expected (and inserting into an INT field), then I would recommend using the intval() function.
If a string is expected, I would recommend using the escape function for whatever database you are using. For MySQL, it is the mysql_real_escape_string() function, for MySQL Improved, it's mysqli_real_escape_string().

1b. Escaping data when outputted
Often, user-submitted data is outputted on the page. Instead of displaying it exactly as written, you should escape it. If you don't, someone could put something like <meta http-equiv="refresh" content="0; url=http://virussite.com" /> on the page. That would be kind of a problem. So, to avoid it, you should HTML-escape it.
I use a function like this:

function clearHTML($text, $linebreaks = false) {
    $text = htmlspecialchars($text);
    if ($linebreaks) {
        $text = preg_replace('/\R/u', "\n", $text);
    }
    return $text;
}

So, whenever displaying user-submitted data, use that function.

2. NEVER, EVER directly evaluate user-submitted code
I didn't think I'd need to put this, but somehow people still do. Putting any kind of user-submitted data of any kind in the eval() function is a REALLY BAD IDEA. No matter what precautions you take, a hacker can probably figure out a way to evaluate whatever they want and use that to get sensitive information or damage the site.
Instead of using eval('2 +' . $_POST['add']);, use 2 + $_POST['add'].

3. Be careful when storing data in files
While data can be stored with files, be careful. It is an easy means to hack a site. So, you should always check filenames for anything and everything that could compromise your security (e.g. "/", ".", etc.). Otherwise, you will have some rather big problems.

4. ENCRYPT SENSITIVE STUFF!!!
A while ago, Yahoo got hacked, and thousands of passwords were stolen because they were stored unencrypted. You probably don't want that to happen to your site. So, whenever storing a password, just take the simple step of hashing it somehow. The crypt() function is pretty good, just remember to specify a salt string in the code, or it won't be much help. The hash() function is also pretty good, and supports several algorithms. The md5() and sha1() functions are ok, but I have read they are not quite as secure, and I have had problems with them in the past.

5. Log IPs
Whenever someone does something on the site (e.g. submits a forum post, writes a comment), log the IP address. In the case that something bad is submitted, this will make it much easier to find out who did it and put a stop to it.

6. Flood protection
I know many people complain about the 60/180 second rule on Scratch. However, it is a very good shield against spam. In any site you make, some sort of flood protection should be implemented. It may be annoying to users, but will save you and the other moderators on your site a lot of time for removing spam and will prevent a massive amount of spam clogging up the server.

7. Save backups
You never know when something can go wrong with your site. No matter how "foolproof" your code seems or "guaranteed" your web host seems, stuff can go wrong. If anybody remembers, LS and I lost all of Mod Share due to web host problems, and if we didn't have a backup, we would have lost the entire website.
At least once a week, you should download a complete backup of your site code (if it has changed since the week before), all stored files (like project files and thumbnails for Mod Share), and any database files. Many web hosts support easy backups (i.e. one click to back up everything), and those are quite useful. If not, download all files off of FTP (or copy them to an external drive if your site is stored on your own server), and then go into phpMyAdmin (if you use MySQL) and export the database. Always store these backups in a safe place.

If you have anything else you want me to add, just ask.

Last edited by jvvg (2013-01-12 22:58:43)