For general advice, you should see LS97's awesome guide instead. This topic is about technical stuff
Note: while most advice in this article can be used in most languages, the specific functions I list are for PHP.
1. Escaping data
1a. Escaping data in SQL
Whenever inserting data in MySQL, always be sure to escape it. Otherwise, a hacker can mess with it. For example, they could log in with the username ' OR username='jvvg' and then get ahold of any account. To prevent that, always escape user-submitted data that's put into MySQL.
If a number is expected (and inserting into an INT field), then I would recommend using the intval() function.
If a string is expected, I would recommend using the escape function for whatever database you are using. For MySQL, it is the mysql_real_escape_string() function, for MySQL Improved, it's mysqli_real_escape_string().
1b. Escaping data when outputted
Often, user-submitted data is outputted on the page. Instead of displaying it exactly as written, you should escape it. If you don't, someone could put something like <meta http-equiv="refresh" content="0; url=http://virussite.com" /> on the page. That would be kind of a problem. So, to avoid it, you should HTML-escape it.
I use a function like this:
function clearHTML($text, $linebreaks = false) { $text = htmlspecialchars($text); if ($linebreaks) { $text = preg_replace('/\R/u', "\n", $text); } return $text; }
So, whenever displaying user-submitted data, use that function.
2. NEVER, EVER directly evaluate user-submitted code
I didn't think I'd need to put this, but somehow people still do. Putting any kind of user-submitted data of any kind in the eval() function is a REALLY BAD IDEA. No matter what precautions you take, a hacker can probably figure out a way to evaluate whatever they want and use that to get sensitive information or damage the site.
Instead of using eval('2 +' . $_POST['add']);, use 2 + $_POST['add'].
3. Be careful when storing data in files
While data can be stored with files, be careful. It is an easy means to hack a site. So, you should always check filenames for anything and everything that could compromise your security (e.g. "/", ".", etc.). Otherwise, you will have some rather big problems.
4. ENCRYPT SENSITIVE STUFF!!!
A while ago, Yahoo got hacked, and thousands of passwords were stolen because they were stored unencrypted. You probably don't want that to happen to your site. So, whenever storing a password, just take the simple step of hashing it somehow. The crypt() function is pretty good, just remember to specify a salt string in the code, or it won't be much help. The hash() function is also pretty good, and supports several algorithms. The md5() and sha1() functions are ok, but I have read they are not quite as secure, and I have had problems with them in the past.
5. Log IPs
Whenever someone does something on the site (e.g. submits a forum post, writes a comment), log the IP address. In the case that something bad is submitted, this will make it much easier to find out who did it and put a stop to it.
6. Flood protection
I know many people complain about the 60/180 second rule on Scratch. However, it is a very good shield against spam. In any site you make, some sort of flood protection should be implemented. It may be annoying to users, but will save you and the other moderators on your site a lot of time for removing spam and will prevent a massive amount of spam clogging up the server.
7. Save backups
You never know when something can go wrong with your site. No matter how "foolproof" your code seems or "guaranteed" your web host seems, stuff can go wrong. If anybody remembers, LS and I lost all of Mod Share due to web host problems, and if we didn't have a backup, we would have lost the entire website.
At least once a week, you should download a complete backup of your site code (if it has changed since the week before), all stored files (like project files and thumbnails for Mod Share), and any database files. Many web hosts support easy backups (i.e. one click to back up everything), and those are quite useful. If not, download all files off of FTP (or copy them to an external drive if your site is stored on your own server), and then go into phpMyAdmin (if you use MySQL) and export the database. Always store these backups in a safe place.
If you have anything else you want me to add, just ask.
Last edited by jvvg (2013-01-12 22:58:43)
Offline
Great guide! But when you talk about logging IPs, how would you detect proxies used to... evade bans or something?
Last edited by Molybdenum (2012-11-04 10:24:46)
Offline
Molybdenum wrote:
Great guide! But when you talk about logging IPs, how would you detect proxies used to... evade bans or something?
No system is perfect. The stuff I described up there is just stuff necessary to prevent any big attacks.
Offline
SJRCS_011 wrote:
Also, you could use htmlspecialcharacters() for escaping output
I didn't know about that one.
I just wrote my own so I could bundle it with the censoring words function.
Offline
jvvg wrote:
Code:
function clearHTML($text, $linebreaks = false) …
htmlspecialchars() (as SJRCS_011 said) and:
preg_replace('/\R/u', "\n", $string);
Last edited by nXIII (2012-11-04 12:42:38)
Offline
nXIII wrote:
jvvg wrote:
Code:
function clearHTML($text, $linebreaks = false) …htmlspecialchars() (as SJRCS_011 said) and:
Code:
preg_replace('/\R/u', "\n", $string);
Ok, I added that.
Offline
also, for storing data in files, if it's sensitive data, make sure that no one can access it without authorization through .htaccess and/or the idea of a dispatcher
Offline
SJRCS_011 wrote:
also, for storing data in files, if it's sensitive data, make sure that no one can access it without authorization through .htaccess and/or the idea of a dispatcher
And still blocking all files but the dispatcher, via htaccess
Offline
Awesome! Though I do have one thing to note: hashes (e.g. md5, sha256) aren't encryption. Encryption is 2 way--you have a master password that unlocks the data, rather than using the data as it's own password.
Offline
LS97 wrote:
SJRCS_011 wrote:
also, for storing data in files, if it's sensitive data, make sure that no one can access it without authorization through .htaccess and/or the idea of a dispatcher
And still blocking all files but the dispatcher, via htaccess
You don't need to do that. Just redirect all requests to your dispatcher:
RewriteEngine on RewriteRule ^.*$ dispatcher.php?url=$0&%{QUERY_STRING} [L]
Offline
bobbybee wrote:
Awesome! Though I do have one thing to note: hashes (e.g. md5, sha256) aren't encryption. Encryption is 2 way--you have a master password that unlocks the data, rather than using the data as it's own password.
For passwords, you really should hash them, because if someone finds out the master password, then you're no better off than not encrypting them at all.
Offline
Thanks for this guide - it looks like you've got some good tips laid out here! I've added this topic to the Index of important and helpful topics
Offline
Paddle, you need to capitalize the "i" in ITopic.
Offline
Added 1a to my websites.
Offline
SJRCS_011 wrote:
Hardmath123 wrote:
Paddle, you need to capitalize the "i" in ITopic.
Yeah, we're not making apple products
Coolstuff had a quote like that on the original block library.
coolstuff wrote:
Chrischb wrote:
That's a great guide!
*resolves to bump until it gets iTopic'd*It's not iTopic, it's ITopic - we're not making Apple products here
And we'll ITopic this if it gets enough blocks in here - so keep things coming!
This is a very good guide. I'll make sure to remember it for Coders' Shed.
Offline
scimonster wrote:
SJRCS_011 wrote:
Hardmath123 wrote:
Paddle, you need to capitalize the "i" in ITopic.
Yeah, we're not making apple products
Coolstuff had a quote like that on the original block library.
coolstuff wrote:
Chrischb wrote:
That's a great guide!
*resolves to bump until it gets iTopic'd*It's not iTopic, it's ITopic - we're not making Apple products here
And we'll ITopic this if it gets enough blocks in here - so keep things coming!
This is a very good guide. I'll make sure to remember it for Coders' Shed.
BTW, I have a question on Codersshed.
And so you are saying, that if you don't use these measures, someone can look through the PHP and find the passwords?
Offline
mythbusteranimator wrote:
scimonster wrote:
SJRCS_011 wrote:
Hardmath123 wrote:
Paddle, you need to capitalize the "i" in ITopic.
Yeah, we're not making apple products
Coolstuff had a quote like that on the original block library.
coolstuff wrote:
It's not iTopic, it's ITopic - we're not making Apple products here
And we'll ITopic this if it gets enough blocks in here - so keep things coming!
This is a very good guide. I'll make sure to remember it for Coders' Shed.BTW, I have a question on Codersshed.
And so you are saying, that if you don't use these measures, someone can look through the PHP and find the passwords?
Yeah, I am. That's why it's so important.
Offline