PHP & SQL Security

I was looking for the answer to a security-related question, and I found this whitepaper on the web security measures a programmer must know.

PHP & SQL Security, Whitepaper Jan’2007


November 23, 2008 at 10:56 pm

A Dozen Programming Tips

I was thinking about what to write when my friend suggested this topic. It does not mean that I am a good programmer. It only means that after so many years I just know how to manage a program when needed.

  1. Start with an easy-to-learn programming language, like Pascal. This will help you to learn programming rather than a programming language. After you learn programming, you can easily move on to complex programming languages like C, C++, Java, etc.
  2. Use your time to learn the art of programming. Peter Norvig once said that we need at least 10 years to learn programming. He was right to a certain extent: the more we learn about programming, the more we come to know about our ignorance.
  3. Make programming a fun exercise so as to maintain your interest over such a long time.
  4. Learn to be lazy. It is not at all necessary to write each and every program from scratch. Maintain a library of your own and use the programs when you can. But you must have a good library.
  5. My mom says that a person can be a good cook only if he has eaten good food. The same applies here, so go through as many programs as you can. Analyse them using scientific methods and classify them properly before adding them to your library.
  6. Get so involved in programming that when some program is not running, you keep thinking about how to solve it. My experience says that most problems are solved in dreams. Make sure you wake up as soon as you find the solution. 😀
  7. Talk to other programmers and take help from them. Similarly, help other programmers when you can. This may result in learning new things that you never knew.
  8. Join a gang or a community of programmers where you discuss programming and criticize each other's work.
  9. Work on projects with other programmers. Be the best programmer on some projects; be the worst on some others. When you're the best, you get to test your abilities to lead a project, and to inspire others with your vision. When you're the worst, you learn what the masters do, and you learn what they don't like to do (because they make you do it for them).
  10. When you come across a good program, try to understand it inside out. Experiment with it as much as you can. What happens when you make a change? Ask as many questions as you can and try to find the answers.
  11. Analyzing problems correctly helps to solve them correctly. But good analysis is learnt only by practice. So, wherever you go, try to see if you can develop a solution using programming, even if it is a small problem like your household budget or your pocket money management.
  12. You should know at least half a dozen programming languages. This makes you aware of the different programming practices used in different programming languages. But keep in mind that different programming languages support different programming features, like class abstraction, functional abstraction, syntactic abstraction, declarative specifications, coroutines, parallelism, etc., or may be based on frameworks like .NET, MVC, etc.

Well, I will finish here. There are many other things that need to be considered while writing a good program, but I guess programmers already know them. Happy Programming.

References:

Teach Yourself Programming in Ten Years – Peter Norvig, <http://norvig.com/21-days.html>. Published 2001; last accessed August 25, 2008 at 11:39 a.m. IST.

August 25, 2008 at 11:39 am

Tips for choosing the right Content Management System (CMS) for your Website

Thinking about adding a CMS to your website, or about implementing a CMS-type solution for it? Don't know where to start? Well, have no fear, I am here to give you some tips on choosing the right CMS for your website. A content management system, or CMS, is a web application designed to make it easy for non-technical users to add, edit and, well, manage content, articles and blog posts. Using a CMS for your site means that you can easily update data on the site while maintaining the style, look and feel (via skinning). I am going to specify which CMS you should use based on what you want to accomplish for your site:


June 25, 2008 at 11:50 pm

Information security

Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. The terms information security, computer security and information assurance are frequently used interchangeably. These fields are interrelated and share the common goals of protecting the confidentiality, integrity and availability of information; however, there are some subtle differences between them. These differences lie primarily in the approach to the subject, the methodologies used, and the areas of concentration. Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms. It is addressed in layers: physical security, personal security and organizational security. These layers protect the value of the information by ensuring confidentiality, integrity and availability.

Governments, military, financial institutions, hospitals, and private businesses amass a great deal of confidential information about their employees, customers, products, research, and financial status. Most of this information is now collected, processed and stored on electronic computers and transmitted across networks to other computers. Should confidential information about a business's customers, finances or new product line fall into the hands of a competitor, such a breach of security could lead to lost business, lawsuits or even bankruptcy of the business. Protecting confidential information is a business requirement, and in many cases also an ethical and legal requirement. For the individual, information security has a significant effect on privacy, which is viewed very differently in different cultures.

The field of information security has grown and evolved significantly in recent years. As a career choice there are many ways of gaining entry into the field. It offers many areas for specialization, including information systems auditing, business continuity planning and digital forensic science, to name a few.

This article presents a general overview of information security and its core concepts.


May 19, 2008 at 11:46 pm

Firewall

Definition

A firewall is a device or set of devices configured to permit, deny, encrypt, or proxy all computer traffic between different security domains based upon a set of rules or other criteria.

Function

A firewall is a dedicated appliance, or software running on another computer, which inspects network traffic passing through it, and denies or permits passage based on a set of rules.

A firewall's basic task is to regulate some of the flow of traffic between computer networks of different trust levels. Typical examples are the Internet, which is a zone with no trust, and an internal network, which is a zone of higher trust. A zone with an intermediate trust level, situated between the Internet and a trusted internal network, is often referred to as a "perimeter network" or demilitarized zone (DMZ).

A firewall's function within a network is similar to that of firewalls and fire doors in building construction. In the former case, it is used to prevent network intrusion into the private network. In the latter case, it is intended to contain and delay a structural fire from spreading to adjacent structures.

Without proper configuration, a firewall can often become worthless. Standard security practice dictates a "default-deny" firewall ruleset, in which the only network connections allowed are the ones that have been explicitly permitted. Unfortunately, such a configuration requires a detailed understanding of the network applications and endpoints required for the organization's day-to-day operation. Many businesses lack such understanding, and therefore implement a "default-allow" ruleset, in which all traffic is allowed unless it has been specifically blocked. This configuration makes inadvertent network connections and system compromise much more likely.


April 14, 2008 at 9:15 pm

Google Hacking

Google hacking is a term that refers to the art of creating complex search engine queries in order to filter through large amounts of search results for information related to computer security. In its malicious form it can be used to detect websites that are vulnerable to numerous exploits and vulnerabilities, as well as to locate private, sensitive information about others, such as credit card numbers, social security numbers, and passwords. This filtering is performed by using advanced Google operators. While Google was the original tool of the Google hackers, many of the tactics and operators can be used on other search engines, such as MSN Search and Yahoo.

The Google Hacking Database (GHDB) is a database of queries that identify sensitive data. Although Google blocks some of the better-known Google hacking queries, nothing stops a hacker from crawling your site and running the Google Hacking Database queries directly against the crawled content. The GHDB is maintained by Johnny Long, who is a "white hat" hacker. He made Google hacking public on his site, http://johnny.ihackstuff.com/, and called it the Google Hacking Database (GHDB). There are more than 1500 queries in the GHDB. Around 1995, it started as a not-so-serious project about discovering network vulnerabilities through the Google search engine. As Google's crawlers crawl almost every file they can access, confidential information sometimes leaks out. The list of what Long and his fellow Google hackers have been able to dig up is impressive: passwords, credit card numbers and unsecured web interfaces to things like PBXs, routers and web sites.


April 6, 2008 at 1:42 am

PHP/SQL Security

Web Security: The Big Picture
Whether your site is the web presence for a large multinational, a gallery showing your product range and inviting potential customers to come into the shop, or a personal site exhibiting your holiday photos, web security matters. After the hard work put in to make your site look good and respond to your users, the last thing you want is for a malicious hacker to come along and break it somehow.

There are a number of problems in web security, and unfortunately not all of them have definite solutions, but here we'll look at some of the problems that should be considered every time you set out to write a PHP script. These are the problems which, with well-designed code, can be eliminated entirely. Before looking in detail at the solutions, though, let's take a moment to define the problems themselves.

SQL Injection
In this attack, a user is able to execute SQL queries in your website’s database. This attack is usually performed by entering text into a form field which causes a subsequent SQL query, generated from the PHP form processing code, to execute part of the content of the form field as though it were SQL. The effects of this attack range from the harmless (simply using SELECT to pull another data set) to the devastating (DELETE, for instance). In more subtle attacks, data could be changed, or new data added.

Directory Traversal
This attack can occur anywhere user-supplied data (from a form field or uploaded filename, for example) is used in a filesystem operation. If a user specifies “../../../../../../etc/passwd” as form data, and your script appends that to a directory name to obtain user-specific files, this string could lead to the inclusion of the password file contents, instead of the intended file. More severe cases involve file operations such as moving and deleting, which allow an attacker to make arbitrary changes to your filesystem structure.
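The "append form data to a directory name" pattern from the paragraph above, as an added example (not from the original post): the vulnerable function concatenates the name unchanged, while the hardened one canonicalises both paths with realpath() and refuses anything that resolves outside the intended directory. The temporary directory and files are constructed so the script runs stand-alone.

```php
<?php
// Added example, not from the original post. A throwaway directory with one
// "intended" file inside and one file outside is constructed for the demo.
$base = sys_get_temp_dir() . '/traversal-demo-' . getmypid();
mkdir("$base/files", 0700, true);
file_put_contents("$base/files/report.txt", "intended file\n");
file_put_contents("$base/outside.txt", "must not be reachable\n");

// Vulnerable: the user-supplied name is appended to the directory as-is, so a
// name containing ".." walks out of the directory, exactly as the
// "../../../../../../etc/passwd" case in the post would.
function readUserFileVulnerable(string $dir, string $name) {
    return @file_get_contents($dir . '/' . $name);
}

// Hardened: resolve the allowed directory and the requested path to their
// canonical absolute forms (".." and symlinks removed), then require the
// requested path to start with the directory plus a separator.
function readUserFileSafe(string $dir, string $name) {
    $root = realpath($dir);
    $path = realpath($dir . '/' . $name);
    if ($root === false || $path === false) {
        return false; // directory missing, or requested file does not exist
    }
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return false; // resolved path left the allowed directory
    }
    return file_get_contents($path);
}

$hostile = '../outside.txt';   // constructed sample of hostile form input

var_dump(readUserFileVulnerable("$base/files", $hostile)); // "must not be reachable\n"
var_dump(readUserFileSafe("$base/files", $hostile));       // bool(false)
var_dump(readUserFileSafe("$base/files", 'report.txt'));   // "intended file\n"

// Clean up the constructed files.
unlink("$base/files/report.txt");
unlink("$base/outside.txt");
rmdir("$base/files");
rmdir($base);
```

The prefix check compares against the directory plus a separator so that a sibling directory whose name merely starts with the same characters (for example "files2") is not accepted.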

Authentication Issues
Authentication issues involve users gaining access to something they shouldn't, but to which other users should. An example would be a user who was able to steal (or construct) a cookie allowing them to log in to your site under an Administrator session, and therefore be able to change anything they liked.

Remote Scripts (XSS)
XSS, or Cross-Site Scripting (also sometimes referred to as CSS, but this can be confused with Cascading Style Sheets, something entirely different!), is the process of exploiting a security hole in one site to run arbitrary code on that site's server. The code is usually included in a running PHP script from a remote location. This is a serious attack which could allow any code the attacker chooses to be run on the vulnerable server, with all of the permissions of the user hosting the script, including database and filesystem access.

Processing User Data – Form Input Verification & HTML Display

Validating Input And Stripping Tags

April 5, 2008 at 9:47 pm
