What are the top 10 common security risks of a new site? What are the countermeasures?

magsasaka00193

What are they, and how can I avoid or counter those things? Can you give this newbie some tips on how to make sure that my site is safe? For example, how can I protect my MySQL database?
 

MaestroFX1

First that comes to my mind is SQL injection attacks.
These can allow hackers to execute arbitrary SQL commands on your database through your Web site.

To avoid this type of attack, every piece of data supplied by a user on a Web form (like, in your case, chat boxes) must be sanitized/validated so that it does not contain information that is not expected.

You can use PHP scripts to sanitize, so that data that gets into the database is free from attacking statements.
 

magsasaka00193

That will be number 1. Based on what you've said, methinks that I need to learn how they do that for me to produce the security that I need if I'm starting from scratch.
 

MaestroFX1

Firm grip on concepts of PHP and MySQL!

Remove characters like " = etc. Google that.

#2 Restrict access to administrative folders.
 

magsasaka00193

Got it. I'll focus on that first. I'm going to wait for additional information others can provide. And I'll Google for more information about my topic. :D
 

cybrax

Forgetting to disable directory browsing is a real classic, it's amazing sometimes what people leave in plain text files.

SQL injection is still rife, largely because every PHP tutorial you see about passing data just uses the bare bones basic script with no mention of validation using stripslashes or better still preg_replace. So newbies get into bad coding habits from the beginning.
 

misson

> stripslashes or better still preg_replace

Did you mean to include addslashes?

Rolling your own sanitization function is bad practice, as you can easily forget an edge case or simply not be aware of a vulnerability. Even with DB-provided quoting functions, SQL injection can still be a problem (look up "truncation attacks" and "multibyte vulnerabilities"). These days, everyone should be using prepared statements.
 
Last edited:

descalzo

If you use a CMS, do not use 'admin' for the admin account and use a good password (at least 2 each of upper, lower, digit, punctuation).

Do not use hacked authoring/FTP tools. Some of those add stuff to your code.

Don't let your little brother near your computer.

Don't trust anything a user inputs. Sanitize anything going into a database and sanitize HTML entities that you might display on your site.

Use some sort of captcha to prevent spambots.
 

carl6969

> If you use a CMS, do not use 'admin' for the admin account and use a good password. ( at least 2 each of upper, lower, digit, punctuation )

I would add "change your password frequently" to that very good advice.
 

magsasaka00193

Wow. I didn't imagine that there will be a lot to learn. All I was able to do was just secure my computer from my little bro! Haha. So securing my db and files will be priority... Hmm... Thanks dudes. I'm now currently doing some stuff about the SQL injections...
 