Make your site hack proof

ivatanako

New Member
I'm building this website and trying to learn some ways to prevent exploits. I already filtered every HTML code that is used on comment boxes and added CAPTCHAs to avoid automated spamming. Now, what other things should I consider before publishing my website to keep hackers from exploiting my site?

 

Slothie

New Member
What about sanitizing other input types besides text boxes? I could easily craft a form that would change certain input types to another :)
 

arsonistx

New Member
I don't think it's possible to make your website 100% hack proof. There will always be someone out there that knows how to get by it. :p
 

Flashgear

New Member
As my co-admin said, there isn't a way that you can make a site hack proof, as anything can be hacked.
 

DarkDragonLord

New Member
Hmm

If your website is in PHP, it would be good to put an @ before the calls; this way your lovely LOGIN will not appear when it gives an error.
(something like "root/YOURLOGIN/public_html/ETC")

This way no one will know your login so easily.
 

BlackIrish

New Member
It depends how many services you are offering.

The more PHP scripts, the more open vulnerabilities there are (like code injections...).
 

Sohail

Active Member
Well, I know that encrypting passwords would be a good idea.
 
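Sohail's suggestion in practice: what is stored is a salted password hash rather than a reversible encryption, which PHP provides through password_hash() and password_verify(). This is an added example and not code from the thread; the in-memory $users array stands in for a database table, and the account name and passphrase are constructed.

```php
<?php
// Added example: storing and checking passwords with PHP's built-in hashing.
// Not code from the thread. $users is a constructed stand-in for a DB table.

declare(strict_types=1);

/**
 * Produce the value to store for a new account. password_hash() generates a
 * random salt and embeds it (plus the algorithm and cost) in the returned
 * string, so nothing else has to be stored alongside it.
 */
function make_password_record(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

/**
 * Check a login attempt. Returns true or false only; the caller never learns
 * whether the account was missing or the password wrong. If the check passes
 * and the stored record uses an outdated cost or algorithm, a fresh record is
 * written back so old accounts migrate transparently.
 */
function check_login(array &$users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    if (!password_verify($password, $users[$username])) {
        return false;
    }
    if (password_needs_rehash($users[$username], PASSWORD_DEFAULT)) {
        $users[$username] = make_password_record($password);
    }
    return true;
}

// Constructed usage: register one account, then try a right and a wrong password.
$users = ['alice' => make_password_record('correct horse battery staple')];

var_dump(check_login($users, 'alice', 'correct horse battery staple'));
var_dump(check_login($users, 'alice', 'wrong password'));
var_dump(check_login($users, 'nobody', 'anything'));
```

The record never lets you recover the original password, which is the point: a leaked table of hashes costs an attacker a brute-force effort per account, whereas a leaked table of encrypted passwords falls with the key.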

Slothie

New Member
You *can* make it hackproof. In doing so you'd also make it user proof as well :p
 

Livewire

Abuse Compliance Officer
Staff member
You *can* make it hackproof. In doing so you'd also make it user proof as well :p

QFT.

The hackproof computer has no keyboard, no mouse, no monitor, no ram, no hard drive, no motherboard, no case, no psu, no internet connection, and certainly no user :)

Ever see Mission Impossible? I know it's a movie, but it proves a point - anything is possible. Especially if there's a user involved - the weak link in ANY system is the user, be it the client who unintentionally breaks it or someone working on an isolated terminal in a nearly-hacker-proof room with a touch-sensitive floor sensitive enough to register a drop of water :)
 

holeepassion

New Member
Hmm

If your website is in PHP, it would be good to put an @ before the calls; this way your lovely LOGIN will not appear when it gives an error.
(something like "root/YOURLOGIN/public_html/ETC")

This way no one will know your login so easily.

I am not sure I understand this ... :D

Show us a more concrete example with @.
 

Livewire

Abuse Compliance Officer
Staff member
I am not sure I understand this ... :D

Show us a more concrete example with @.

Short answer:

mail(arguments);

If I'm not mistaken (don't have my local server up to test this), if the mail server/function was blocked, you'd get an error (see the Free Hosting section for a plethora of similar issues, such as FATAL ERROR: Use of Eval is forbidden).

HOWEVER: The @ sign is used in PHP to suppress/ignore errors.

AS SUCH: If the previous code chunk were to throw an error, then placing an @ sign in front of it would ignore that error: @mail(arguments);.

This is how an error such as "FATAL ERROR: phpinfo() is disabled for security reasons in blahblahblah" can be suppressed without commenting the line out.

Simply drop an @ before phpinfo so you have @phpinfo(). Voila; error is suppressed.


The bad news is the error is suppressed - you need to do some error checking to verify that an error DIDN'T occur.


Let's say I have a user defined function called ScriptA (I'm not good with fake names obviously). ScriptA contains the use of mail, which can throw an error that will stop the page from loading. To counter this, ScriptA contains the line $mailaccepted=@mail($to,$subject,$message);.

Now, from the php faq:
Returns TRUE if the mail was successfully accepted for delivery, FALSE otherwise.
For arguments sake, assume mail normally stops the scripts from processing if it fails (mail might not in actuality, but others do).

Now, we suppressed the error message it kicks back with the @ sign. BUT, we still don't know if it actually worked or not.

That's why we sent its output to $mailaccepted - mail returns true if it worked, false if something broke.

From there it's just a simple if-then-else.



That's probably more info than required, but it's also good to know :) I use the @ sign any time I use a function that may cause an error that'd stop the page from loading. Some sites, like x10, block or restrict some functions, and it would absolutely SUCK if a script that's supposed to be plug-and-play didn't work properly because of it. While the script might not actually _work_ with that line not doing what it's supposed to (such as mail not sending mail because it's restricted), at least you can have it output a better formatted error than one that stops the rest of the page from loading and essentially goes "I'm broke fix me" :)
 
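The if-then-else Livewire describes, written out as an added example (not code from the thread): the @ hides the warning so the page keeps rendering, the return value of mail() decides what the visitor sees, and the suppressed diagnostic is recovered with error_get_last() for the server log only, since PHP warnings carry the file system path that the earlier posts wanted to keep out of the browser. One caveat the example relies on: @ silences warnings and notices only; a genuine fatal error still stops the script, and on PHP 8 calling a function listed in disable_functions throws an Error that @ does not catch, so this pattern covers the "mail server unavailable" case, not the "function disabled" case. The function name send_notice() and the recipient address are constructed.

```php
<?php
// Added example illustrating the @ plus return-value check from the post
// above. Not code from the thread; send_notice() and the address are made up.

declare(strict_types=1);

/**
 * Send a notification and return the text the page should show. A suppressed
 * warning is never allowed to pass silently: the outcome is decided by the
 * boolean mail() returns, and the diagnostic goes to the server-side log.
 */
function send_notice(string $to, string $subject, string $message): string
{
    // Forget any earlier error so error_get_last() reports only this call.
    error_clear_last();

    // @ hides the E_WARNING mail() emits when sendmail/SMTP is unavailable.
    // mail() returns true only if the message was accepted for delivery
    // (acceptance, not a guarantee it arrived).
    $mailaccepted = @mail($to, $subject, $message);

    if ($mailaccepted) {
        return 'Your message was accepted for delivery.';
    }

    // Recover the hidden diagnostic for the log. It typically contains the
    // script path (e.g. /home/YOURLOGIN/public_html/...), which is exactly
    // what must not be echoed to the visitor.
    $err = error_get_last();
    error_log('mail() failed: ' . ($err['message'] ?? 'no diagnostic available'));

    // Generic, well-formatted message instead of a half-rendered page.
    return 'Sorry, the message could not be sent right now. Please try again later.';
}

// Constructed usage; in a real page $to comes from your configuration.
echo send_notice('admin@example.com', 'Contact form', 'Hello from the site'), PHP_EOL;
```

The same separation, a generic message to the browser and the full detail in error_log(), is also what display_errors=Off plus log_errors=On gives you globally; the @ variant is the per-call form of it for shared hosts where you cannot change php.ini.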

malfist

New Member
Guard your SQL against injections by using mysql_real_escape_string(), convert HTML tags to entities so they don't do anything with htmlspecialchars(). Prevent people from flooding message boards with a trim() and then check for empty fields. Only have a user access the database with the smallest amount of privileges possible. Initialize variables to protect against code injections. Limit the max input in forms to prevent scripting from them.

There's millions of things you can do to secure it, but to make it hack proof, you'd need to take it down and delete it. That's the only way.
 
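A combined worked example of malfist's list and Slothie's earlier point about non-text inputs, added here and not part of the thread: server-side allow-list validation of a <select> value (a visitor can edit the form and submit any string), trim() plus an empty check, a byte-length limit, a prepared statement in place of mysql_real_escape_string() (the mysql_* extension was removed in PHP 7; PDO with bound parameters is the replacement), and htmlspecialchars() applied at output time. It assumes PHP 7.1 or later with the pdo_sqlite extension so it runs without a database server; the table layout, allowed topics and sample submissions are constructed.

```php
<?php
// Added example covering input validation, parameterised SQL and output
// escaping. Not code from the thread. Uses in-memory SQLite via PDO; the
// table, the allowed topics and the sample submissions are constructed.

declare(strict_types=1);

const MAX_COMMENT_BYTES = 1000;
const ALLOWED_TOPICS    = ['general', 'support', 'billing'];

/**
 * Validate one form submission. Every field is checked server-side,
 * including the <select>: the browser-side options list is no constraint.
 * Returns the cleaned fields, or ['error' => message].
 */
function validate_comment(array $post): array
{
    // Initialise every variable explicitly; never assume a field is present.
    $topic   = trim((string)($post['topic']   ?? ''));
    $comment = trim((string)($post['comment'] ?? ''));

    if ($comment === '') {
        return ['error' => 'Comment may not be empty.'];
    }
    if (strlen($comment) > MAX_COMMENT_BYTES) {
        return ['error' => 'Comment is too long.'];
    }
    // Allow-list, not block-list: anything outside the known options is rejected.
    if (!in_array($topic, ALLOWED_TOPICS, true)) {
        return ['error' => 'Unknown topic.'];
    }
    return ['topic' => $topic, 'comment' => $comment];
}

/** Store a comment with bound parameters; user data never becomes SQL text. */
function store_comment(PDO $db, string $topic, string $comment): void
{
    $stmt = $db->prepare('INSERT INTO comments (topic, body) VALUES (:topic, :body)');
    $stmt->execute([':topic' => $topic, ':body' => $comment]);
}

/** Render stored comments, escaping for HTML context at the point of output. */
function render_comments(PDO $db): string
{
    $items = '';
    foreach ($db->query('SELECT topic, body FROM comments ORDER BY id') as $row) {
        $items .= '<li>[' . htmlspecialchars($row['topic'], ENT_QUOTES, 'UTF-8') . '] '
                . htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8') . "</li>\n";
    }
    return "<ul>\n" . $items . "</ul>\n";
}

// In production this connection would use a DB account limited to INSERT and
// SELECT on this table (malfist's least-privilege point); SQLite has no users.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, topic TEXT NOT NULL, body TEXT NOT NULL)');

// Constructed submissions: a normal one, a tampered <select>, and a hostile body.
$submissions = [
    ['topic' => 'support', 'comment' => "Hello, I can't log in."],
    ['topic' => 'admin',   'comment' => 'option not in the form'],
    ['topic' => 'general', 'comment' => "<b>bold</b>'; DROP TABLE comments; --"],
];

foreach ($submissions as $post) {
    $clean = validate_comment($post);
    if (isset($clean['error'])) {
        echo 'Rejected: ', $clean['error'], PHP_EOL;
        continue;
    }
    store_comment($db, $clean['topic'], $clean['comment']);
}

echo render_comments($db);
```

The third submission is stored verbatim and displayed harmlessly: the prepared statement treats the quote and the trailing SQL as ordinary text, and htmlspecialchars() renders the tag as literal characters. Escaping is done when the data is output, not when it is stored, so the same row can later be emitted safely into a different context (JSON, a plain-text email) with the escaping appropriate to that context.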