my site uses php and sql..need help on securing my website?

Report · Jun 29, 2012

i mean i want to know where i can learn all types of security issues and how to prevent them ??...like sql injection,xss etc. thank you in advance...:)....

Report · Jun 30, 2012

If you are using the php/mysql code that Dreamweaver uses, you are good to go with Dreamweaver as it santizes the input and helps prevent SQL injection. **NOTE** This is true for Dreamweaver 8.02 and above. Older version of Dreamweaver did not prevent sql injection well. However, if you modify the dreamweaver code, then you have to make sure you are properly sanitizing the input. The code at the top of each page in regards to magic quotes is the santizer.

In regards to XSS, you have to sanitize the output. I usually do this: <?php echo htmlentities($row_Recordset1['column_name],ENT_QUOTES);?> Please see http://php.net/manual/en/function.htmlentities.php so that you get a better understanding of this PHP function.

Some other things you can do is if running on apache look into mod_security to help with sql injection attacks. You can also look at htmlpurifier http://htmlpurifier.org/ to further help with XSS attacks.

Report · Jul 09, 2012

im under the impression that,

you can buy an ssl security certificate and apply it to your site, or a directory or specific page on your site and it will automatically protect your page plus let the user know, through the url, that he is browsing an ssl secured certified page

i recommend you look for more info on SSL my 2 cents

Report · Jul 09, 2012

An SSL certificate only helps protect the data that is transmitted between the browser and the server by encrypting that communication. However, an SSL certificate does NOT protect against SQL injection or XSS. This is update to the person programming the web pages to do. The person programming needs to sanitize the input coming from users. Dreamweaver santizes input to help prevent SQL injection. However, if you allow a user to intput say into a comments section, it your job as a programmer to sanitize what was inputted so that they don't put in javascript that can cause havoc for other users. TO sanitize user input I usually add change what dreamweaver puts in as <?php echo $row_Recordset1['column_name'];?> and i change it to <?php echo htmlentities($row_Recordset1['column_name'],ENT_QUOTES);?>. What this does it is replaced characters with HTML characters. This way the browser only spits out what it is supposed to. For example instead of spitting out a quote, it will change the quote to a ' which the browser will convert to a single quote. This way if someone puts in evil javascript, it won't exectute because the single quote is missing.

Report · Jul 09, 2012

thats incredibly good information, thanks a lot stratton!