How can i make sure my PHP site can't be hacked?

Anwered 2010-03-07 04:42:19 by Frxstrem

There's always a risk of a site being hacked, but if you just make sure to not do common mistakes that may expose vulnerabilities, you should be fine.

By the way, you may want to read http://no2.php.net/manual/en/security.php

Anwered 2010-03-07 04:40:25 by Tim J

That is a loaded question, and requires very good programming practices.

1) Keep all of your software updated on your server (php to highest version, etc).
2) Make sure any input data is "cleaned". This protects you from "Injection" attacks, which are very common and done with bots. Cleaning means you make any characters like & and replace it with ;amp or the like, so nobody can hack your database or code. PHP has built in cleaning functions which can be found in the tutorials.
3) Anytime a password is used, load the page and go to View: Page source and make sure it's not showing for some reason, that's bad and happens way too often to keep me sane.
4) Don't use code like phpbb that's heavily used on the internet. When an exploit is found, bots are sent out to hack EVERYONE. I didn't care about one of my sites and it got hijacked and held for ransom by some apparent religious group. Hilarious but would be annoying if you actually cared.
5) If you have user accounts, make sure their passwords are at least 6 characters, and make sure your encrypting them before transport. Salt the password before encrypting it. Salting is adding a number/letter somewhere (usually before or after) to make it harder to decrypt. Using the user's ID from the database, or something non-changing is always good so that no user entering the same password would get the same hash.

I could really go on all day but I don't know how much info you want. If you have any specific questions on site security add me as stargunner555 on yahoo messenger. I'm not great with PHP but I am quite good at site security and can check your site for you.

Anwered 2010-03-07 04:45:55 by Arun Agrawal - Ebizindia

You can take several steps to make your PHP site resist hack attempts:

1.The most important step is to sanitize the input forms. Whenever you are allowing people to enter something in a form, they can enter all sorts of Javascript and other types of codes to attempt to break in your site. Always do a thorough validation of the code and check whether any tags like <javascript etc have been entered. You can also use STRIPSLASHES and STRIPTAGS functions.

2. Another way people try to get into your site is to pass unexpected and unwanted parameters. You can validate these parameters to kill all unwanted parameters and validate the required ones.

3. Always make sure the uploaded files (if you are allowing to upload images etc) are deleted after copying them over to other safe directories.

This should be good beginning for you.

Arun