
timmillwood (original poster), Apr 7, 2006
I am creating a PHP and MySQL driven CD review library for a client. It will get around 100,000 visits per month, and the current PHP NUKE site has been successfully hacked 2-3 times in the last year.

How do I prevent my site getting hacked?

I don't know how to hack sites, so I don't know how to stop it!
 
Do you control the server you are hosting on? If you do not have access, you can only attempt to stop them from entering through your website. Unfortunately, another major point of entry is through your server security, which could be out of your control unless you have your own dedicated server.
 
Most of the hacks to PHP NUKE were just pages being deleted, rude messages, etc.

But I hate PHP NUKE, that's why I want to do my own. The site is hosted on part of a dedicated server from 1&1 which a friend owns.

He said watch out for SQL hacks when making your own site, but I don't know how!
 
Sorry, but this post is the reason why people who don't know web dev shouldn't be touching web dev in the first place!

If your site is supposed to generate money, ask a pro to do it.

That being said, your problem is probably SQL injections. Happens all the time with newbies. It means that some of your SQL queries must be taking params directly from the interface. So the hacker just has to complete the query in the form and start a new one asking for admin rights.

Other problem that I see a lot is people building an AJAX query directly in the page!!! :eek:

Finally, you are using the worst web dev language ever: PHP. PHP is so permissive, unstructured and badly organized that it encourages you to screw things up in the long run...

Yes, I am kinda rude, but you have to realise that if you are building a site with 100k hits/month, it might be a good idea to get help from a pro!
 
> How do I prevent my site getting hacked?

There is really no way of preventing a "real" hacker who wants to get into your site. However, there are ways to stall them a little bit. Some suggestions have already been made by other posters.
 
> Sorry, but this post is the reason why people who don't know web dev shouldn't be touching web dev in the first place!
>
> If your site is supposed to generate money, ask a pro to do it.
>
> That being said, your problem is probably SQL injections. Happens all the time with newbies. It means that some of your SQL queries must be taking params directly from the interface. So the hacker just has to complete the query in the form and start a new one asking for admin rights.
>
> Other problem that I see a lot is people building an AJAX query directly in the page!!! :eek:
>
> Finally, you are using the worst web dev language ever: PHP. PHP is so permissive, unstructured and badly organized that it encourages you to screw things up in the long run...
>
> Yes, I am kinda rude, but you have to realise that if you are building a site with 100k hits/month, it might be a good idea to get help from a pro!

If you class a pro as someone who does web development professionally (i.e. as their profession) then that is me!

I understand that if I had SELECT * FROM table WHERE id = $_POST['search_term'] anyone could put in some SQL to hack in.

I have a degree in web development and everything, but I just need some extra help / guidance so I don't make a horrid mistake.

SO! Don't be so rude and patronising.
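The query shape timmillwood describes, WHERE id = $_POST['search_term'], is exactly the one that gets exploited. The following is an added example, not code from this thread: it reproduces that query with Python's sqlite3 standing in for PHP and MySQL, runs two constructed payloads through the concatenated version, and then shows the parameterised version rejecting the same payloads. The table layout, sample rows and function names are assumptions for this example. In the thread's PHP/MySQL stack, the same separation of statement text from values is what PDO's prepare()/execute() and mysqli's bind_param() give you.

```python
import sqlite3

# Constructed sample data standing in for the client's review library;
# the table layout and rows are assumptions for this example.
SCHEMA = """
CREATE TABLE reviews (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pwhash TEXT);
INSERT INTO reviews VALUES (1, 'OK Computer', 'Still holds up'),
                           (2, 'Kid A', 'Strange but rewarding');
INSERT INTO users VALUES (1, 'admin', 'constructed-hash-value');
"""


def make_db():
    """In-memory database loaded with the constructed sample rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_vulnerable(conn, search_term):
    """Mirrors  SELECT * FROM table WHERE id = $_POST['search_term'].

    The user-supplied string is pasted into the SQL text, so whatever the
    user typed is parsed as part of the statement.
    """
    sql = f"SELECT id, title, body FROM reviews WHERE id = {search_term}"
    return conn.execute(sql).fetchall()


def search_safe(conn, search_term):
    """Same query with the value bound as a parameter.

    The statement text is fixed; the driver hands the value over separately,
    so '1 OR 1=1' is compared as a (non-matching) value, never parsed as SQL.
    """
    sql = "SELECT id, title, body FROM reviews WHERE id = ?"
    return conn.execute(sql, (search_term,)).fetchall()


def parse_review_id(search_term):
    """Defence in depth: a review id is a run of digits, so reject anything
    else before it gets near the database. Raises ValueError otherwise."""
    if not search_term.isdigit():
        raise ValueError(f"not a review id: {search_term!r}")
    return int(search_term)


if __name__ == "__main__":
    conn = make_db()
    # Normal use: both variants return the one matching review.
    print(search_vulnerable(conn, "2"))
    print(search_safe(conn, "2"))
    # Tautology payload: the vulnerable query dumps every review.
    print(search_vulnerable(conn, "1 OR 1=1"))
    # UNION payload: the same page now leaks the users table.
    print(search_vulnerable(conn, "0 UNION SELECT id, username, pwhash FROM users"))
    # Parameterised query: the same payloads match nothing.
    print(search_safe(conn, "1 OR 1=1"))
    print(search_safe(conn, "0 UNION SELECT id, username, pwhash FROM users"))
```

The UNION payload is the one to remember: the attacker never needs an error message or admin rights, only a page that echoes query results, and the column count of the original SELECT. Binding the value fixes the injection; the digit check on top of it means a non-numeric id never reaches the database at all.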
 
Unfortunately, getting paid to do something doesn't mean that you are a pro, at least in my eyes... 14 y.o. kids are getting paid to build web sites...

Anyway, my recommendation is to drop PHP and move to a real web app framework such as Python or Ruby on Rails or (!) Java. These languages provide much stronger security across the board and will make you a better developer. I am not a snob when I say that. I have worked with enough PHP projects to know that the amount of energy required to make PHP portable/reusable/readable is generally greater than what it takes to build the whole app with another language!

Anyway, if you want to increase the security of your website, make sure the logs on the host don't include sensitive data, nothing is working in verbose mode, all your actions that change something are inside POST and not GET requests, always apply official patches ASAP, private files are referenced from the DB to a link OUTSIDE the public directory of the app... The usual stuff. I don't know of any specific PHP NUKE vulnerability, but if you cover the bases you will be safe from 90% of the hackers. The 10% missing are those who use tricks that are outside of your control (e.g. direct access to the server).

A good trick against website vandalism is to use SVN with a tag of the latest release of your app, and if someone defaces it, just update the production app to the latest version of the tag.

Good luck.
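Two items from the checklist above (private files referenced from the DB and kept outside the public directory; state-changing actions on POST only) are worth seeing as code. This is an added example, not code from the thread: the directory layout, the dictionary standing in for the DB table, the session user and the function names are all assumptions. The point of the first half is that the browser only ever sends a numeric id, and that even a path stored in the DB is checked to stay under the private root, because the row itself may have been planted through some other bug.

```python
import os
import tempfile

# Constructed layout: a private store that the web server never serves
# directly. The path and the sample file are assumptions for this example.
PRIVATE_ROOT = tempfile.mkdtemp(prefix="private-")
os.makedirs(os.path.join(PRIVATE_ROOT, "2006", "03"))
with open(os.path.join(PRIVATE_ROOT, "2006", "03", "okc.pdf"), "wb") as fh:
    fh.write(b"%PDF-1.4 constructed sample\n")

# Stands in for a DB table of downloadable files: the request carries only
# the integer key, never a path.
PRIVATE_FILES = {
    17: "2006/03/okc.pdf",
    18: "../../etc/passwd",   # a row an attacker managed to plant or corrupt
}


def resolve_private_file(file_id):
    """Map a file id from the request to a path inside PRIVATE_ROOT.

    Returns None for unknown ids and for any path that resolves outside
    the root, even when the bad path came from the database.
    """
    rel = PRIVATE_FILES.get(file_id)
    if rel is None:
        return None
    root = os.path.realpath(PRIVATE_ROOT)
    candidate = os.path.realpath(os.path.join(root, rel))
    # realpath collapses '..' and symlinks, so the containment test is on
    # the final location, not on the string the DB handed us.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate if os.path.isfile(candidate) else None


def read_private_file(file_id):
    """What the download script would stream to the client."""
    path = resolve_private_file(file_id)
    if path is None:
        return None
    with open(path, "rb") as fh:
        return fh.read()


def handle_delete_review(method, session_user, review_id, reviews):
    """State changes only on POST.

    A GET that deletes can be fired by an <img src=...> on any page the
    admin happens to visit, or by a crawler following links. The session
    user and the admin name are assumptions for this example.
    """
    if method != "POST":
        return 405, "state-changing actions are POST only"
    if session_user != "admin":
        return 403, "forbidden"
    if reviews.pop(review_id, None) is None:
        return 404, "no such review"
    return 200, "deleted"


if __name__ == "__main__":
    print(read_private_file(17))            # the constructed PDF bytes
    print(resolve_private_file(18))         # None: escapes the private root
    print(resolve_private_file(99))         # None: unknown id
    store = {1: "OK Computer", 2: "Kid A"}
    print(handle_delete_review("GET", "admin", 1, store))   # (405, ...)
    print(handle_delete_review("POST", "admin", 1, store))  # (200, 'deleted')
```

Keeping files outside the document root removes the easy case (a direct URL to the file); the containment check closes the case where the stored path itself is wrong. Restricting deletes to POST is necessary but not sufficient on its own; a per-session token in the form is the usual next step.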
 
> Sorry, but this post is the reason why people who don't know web dev shouldn't be touching web dev in the first place!
>
> If your site is supposed to generate money, ask a pro to do it.
>
> That being said, your problem is probably SQL injections. Happens all the time with newbies. It means that some of your SQL queries must be taking params directly from the interface. So the hacker just has to complete the query in the form and start a new one asking for admin rights.
>
> Other problem that I see a lot is people building an AJAX query directly in the page!!! :eek:
>
> Finally, you are using the worst web dev language ever: PHP. PHP is so permissive, unstructured and badly organized that it encourages you to screw things up in the long run...
>
> Yes, I am kinda rude, but you have to realise that if you are building a site with 100k hits/month, it might be a good idea to get help from a pro!

I disagree totally. The security of your site really depends on what you're doing with it. If you have a totally locked down site running the current version of Apache on current versions of BSD or Linux, serving only static HTML content, then there really are no security concerns. It doesn't matter if you're serving 1 page a day or 1,000,000.

Once you start opening up your site to user content, that's when things start to get a little more complex.

The basic rule of thumb is this: don't trust anything that a user submits on your site.

Let me repeat: Don't trust a single thing a user submits on your site, even if it's just one character, even if it's just a URL they're typing in the address bar, even if it's selecting a menu item from a drop-down menu.

The two main classes of attacks these days that I am aware of are SQL injection and XSS. Read up on these, and then any time you do accept any kind of POST or GET data, think about how you're going to make sure that nobody even has a chance to get their dirty data into your site.

PHP is fine for many types of dynamic sites. I wouldn't write an online banking app in PHP, but for a Friendster or MySpace clone it would work perfectly. It is a language ripe for abuse though, so make sure you actually learn it before you go stumbling through your development with it.
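The "don't trust the drop-down either" point above deserves a concrete case, and so does XSS, which this post names but does not show. The following is an added example, not code from the thread, with the sort columns, review fields and function names as assumptions. It covers two things prepared statements do not: a sort key from a drop-down that ends up in ORDER BY (an identifier, which cannot be bound as a parameter, so it must be checked against an allow-list), and review text that is later rendered into HTML (which must be escaped for the context it lands in, with a separate scheme check for URLs in href attributes).

```python
import html

# Constructed allow-list mapping the values a sort drop-down offers to the
# column names actually used in ORDER BY. Column names are assumptions.
SORT_COLUMNS = {"title": "title", "date": "reviewed_on", "rating": "rating"}


def order_by_clause(requested):
    """Build the ORDER BY fragment from a drop-down value.

    Identifiers cannot be bound as parameters, so the only defence is to
    accept nothing but the keys we put in the form ourselves. That the
    form only offered three options means nothing: the request can carry
    any string. Raises ValueError on anything else.
    """
    column = SORT_COLUMNS.get(requested)
    if column is None:
        raise ValueError(f"unknown sort key: {requested!r}")
    return f"ORDER BY {column}"


def render_review_vulnerable(title, body, author_url):
    """Stored review echoed straight into the page: stored XSS."""
    return f'<h2>{title}</h2>\n<p>{body}</p>\n<a href="{author_url}">author</a>'


def render_review(title, body, author_url):
    """Escape every user-controlled value for the context it lands in."""
    safe_title = html.escape(title)
    safe_body = html.escape(body)
    # Escaping alone does not stop javascript: in an href; the scheme has to
    # be restricted to the ones we intend to link to.
    if not author_url.lower().startswith(("http://", "https://")):
        author_url = "#"
    safe_url = html.escape(author_url, quote=True)
    return (f"<h2>{safe_title}</h2>\n"
            f"<p>{safe_body}</p>\n"
            f'<a href="{safe_url}">author</a>')


if __name__ == "__main__":
    print(order_by_clause("date"))
    try:
        order_by_clause("title; DROP TABLE reviews")
    except ValueError as exc:
        print("rejected:", exc)
    payload_body = "<script>alert(document.cookie)</script>"
    print(render_review_vulnerable("Kid A", payload_body, "javascript:alert(1)"))
    print(render_review("Kid A", payload_body, "javascript:alert(1)"))
```

The two halves are the two rules this post states: validate input against what you expected (the allow-list), and never assume stored data is safe to emit (the escaping happens at output time, on every field, whoever wrote it).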
 
> Unfortunately, getting paid to do something doesn't mean that you are a pro, at least in my eyes... 14 y.o. kids are getting paid to build web sites...
>
> Anyway, my recommendation is to drop PHP and move to a real web app framework such as Python or Ruby on Rails or (!) Java. These languages provide much stronger security across the board and will make you a better developer. I am not a snob when I say that. I have worked with enough PHP projects to know that the amount of energy required to make PHP portable/reusable/readable is generally greater than what it takes to build the whole app with another language!

I didn't say anything about just "getting paid to do something". This is my full-time profession and will be for the rest of my life.

I think most websites use ASP or PHP, then there are quite a few that use JSP, and only a few use the rest. There must be a reason for this.

So to conclude...
There is nothing you can do to stop hackers, but there are a lot of things to keep your eye on and be careful about. Is that right?
 
> I think most websites use ASP or PHP, then there are quite a few that use JSP, and only a few use the rest. There must be a reason for this.

Hey, a majority of people still use Windows...

PHP is popular, IMO, because it integrates HTML and MySQL well, and it's fairly straightforward to hack out a site. Perhaps more structured approaches, such as those used regularly by coders of Java and RoR, scare away those who don't know how to properly structure a project.

So yes, there is a reason PHP is more popular, but that doesn't mean it's the better technology (for anything other than sloppiness, that is).
 
> I didn't say anything about just "getting paid to do something". This is my full-time profession and will be for the rest of my life.
>
> I think most websites use ASP or PHP, then there are quite a few that use JSP, and only a few use the rest. There must be a reason for this.
>
> So to conclude...
> There is nothing you can do to stop hackers, but there are a lot of things to keep your eye on and be careful about. Is that right?

There's no such thing as 100% security, unless you unplug the server and bury it in a concrete bunker 100 feet under the ground. Even then it's still not 100% secure.

But you can do plenty to stop hackers from taking the easy path in. You can't personally inspect every line of source code running on your server (OS, web server, PHP module, and your PHP code), but these packages are relatively secure if you keep them up to date.

A lot of people use PHP because it's easy and forgiving. These are bad reasons to choose it, but you're a bad developer if these are your selection criteria anyway.

I like PHP because it's fast to write. I can get a lot more done in PHP in the same amount of time than I could with Java.
 
Just give Rails a try: in 5 mins you can have a basic app working thanks to the scaffolding. And with all the user-created scaffold generators, the application might even look good!

To the OP, if you want to do web dev for the rest of your life, please, help yourself and learn RoR. It forces you to structure your code/site/idea, which PHP totally ignores. Yes, it's harder for the first 2-3 weeks, then it gets much easier and faster.

Of course there are more web apps built with PHP and ASP, but as someone else pointed out, so is Windows. The popularity of these languages is mostly caused by the fact that they are easy to set up and allow you to code right away, without any prior design work (data model wise).

Yes, I am a PHP basher because I worked with it and know there are better alternatives. When I am telling you to look at other alternatives I do so in a friendly (but, I admit, brutal) way, because if you don't learn where the technology is heading, you will be screwed.

Just go on http://www.rubyonrails.com/ and look at the motto. Which other framework is designed for programmer happiness? And the Mac is the best dev platform for it, so enjoy!
 
> Just give Rails a try: in 5 mins you can have a basic app working thanks to the scaffolding. And with all the user-created scaffold generators, the application might even look good!
>
> To the OP, if you want to do web dev for the rest of your life, please, help yourself and learn RoR. It forces you to structure your code/site/idea, which PHP totally ignores. Yes, it's harder for the first 2-3 weeks, then it gets much easier and faster.
>
> Of course there are more web apps built with PHP and ASP, but as someone else pointed out, so is Windows. The popularity of these languages is mostly caused by the fact that they are easy to set up and allow you to code right away, without any prior design work (data model wise).
>
> Yes, I am a PHP basher because I worked with it and know there are better alternatives. When I am telling you to look at other alternatives I do so in a friendly (but, I admit, brutal) way, because if you don't learn where the technology is heading, you will be screwed.
>
> Just go on http://www.rubyonrails.com/ and look at the motto. Which other framework is designed for programmer happiness? And the Mac is the best dev platform for it, so enjoy!

I'm not against you pushing RoR like that (I work with Rails myself), but don't JUST give him that option.

There's Django for Python, there's CakePHP and Symfony for PHP, there's Struts for Java...

I agree with suggesting a framework. I don't agree with forcing him to learn a specific language.
 
> I'm not against you pushing RoR like that (I work with Rails myself), but don't JUST give him that option.
>
> There's Django for Python, there's CakePHP and Symfony for PHP, there's Struts for Java...
>
> I agree with suggesting a framework. I don't agree with forcing him to learn a specific language.

Don't leave out ASP.net 2.0 (and 3 rolling out)! :D
 
> I'm not against you pushing RoR like that (I work with Rails myself), but don't JUST give him that option.
>
> There's Django for Python, there's CakePHP and Symfony for PHP, there's Struts for Java...
>
> I agree with suggesting a framework. I don't agree with forcing him to learn a specific language.

Look at my previous posts, I talked about Python and Java. It's just that out of the 3, RoR is, in my eyes, the best! (I would never recommend PHP though.)

Btw, Struts isn't going in the right direction. It's better to go with Spring. I worked with Struts for 2 years, so I know what I am talking about...
 
> Could you expound on that a bit? Just curious about your viewpoint.

First of all, I haven't looked at Struts in a while, so things might have changed. BUT my point is that I really don't like the way you have to configure everything. I like RoR's logical defaults; it saves so much time! By using the power of convention over configuration you gain:

- speed
- readability: anyone from anywhere who knows RoR will understand your app and naming conventions
- RoR is going the resources way at full speed. Last time I checked, Struts wasn't. This is an advantage that you can only see when you have tried it.
- Maven might be good, but gems and Capistrano are much better
- RoR enforces MVC while Struts doesn't.

There is also the fact that every single file in a RoR project uses the same language. No need to know XSLT, XML, etc.

Finally, Ruby is more fun to use than Java. Don't get me wrong, I am currently working with ColdFusion and I hate it! Java is superior to a lot of languages in speed, functionality and fun factor. But Ruby scales even higher IMHO. Almost everything you can do in Ruby you can do in Java, but in Ruby it takes less than half the lines of code and it reads better. Btw, Objective-C has to be the worst language ever from a readability point of view!

I have taken a quick look at Struts 2.0.6 and it seems like they have corrected some of their flaws; still, I hate XML configuration files!

Edit: typos
 
> I really don't like the way you have to configure everything.

When you say Struts is going in the wrong direction, does that mean there are more languages included and more configuration to be done? Or something else?

I'm really just curious here, as I'm looking to re-tool (I haven't developed professionally in a few years now, and I'll likely be looking for such a job this summer) and I'm trying to get a feel for where the industry is. My next project is to re-do one of my websites in RoR, to see how I like that.

And to be honest, I don't feel like going back to being a Java developer...
 
> So out of curiosity, what is a better web dev language [...]? Or what is the best?

For starters, the other two P's of LAMP are Python and Perl. "Better" and "best" are difficult to qualify, but Java and Ruby will likely win out in a number of categories.
 
To throw another option into the mix:

I'm playing around with the Google Web Toolkit (GWT) and finding it to be a great joy. Granted, I'm more of a Java/Swing fan, so of course it appeals to me. As you have a dedicated server, it could work for you, too.

I'm also starting to like RoR too... it just doesn't appeal to me as much as a software developer, but it does seem to be pretty efficient at getting a decent site up and running.
 
I don't have any (real) authority in the field, but my guess is that we are going to move more and more toward languages that reduce the number of lines of code.

Reducing lines of code is critical for various reasons:
- less time to type
- less time to read
- fewer chances of typos
- easier to correct
- somewhat easier to understand

Even though scripting and interpreted languages are slower than compiled ones, it is not relevant, for many reasons:
- super high traffic sites are rare
- you can always use caching (at various levels) or turn to native code for specific tasks.

Basically, you can say that they reduce time of development at the price of performance. Now which costs more: a full team of developers or a brand new server? If your framework/platform scales well in a multi-server environment, it's not even a question! Just buy a few more servers and you will be set. You then use the time saved building the app to do some specific performance optimisation and that is it! Time is expensive, computers aren't!

That is why I think we (the devs) are better off moving toward slower-performance languages that allow more code reuse (metaprogramming ftw!), less code and, most important of all, more fun for the developer!!!

Come on, how fun is that compared to the cryptic Java version:
10.times do |n|
  puts n
end

That is why I said previously that any starting developer should learn either Django or RoR if they want to build small web applications. If you want to work with the big boys, learn Java. But trust me, there aren't fun projects when you involve WebSphere and IBM!
 
> You can say that they reduce time of development at the price of performance. Now which costs more: a full team of developers or a brand new server?

And you're leaving out the biggest cost of all: the maintenance cycle. Code that is easy to understand and fix can save huge amounts of money after it's deployed.

Believe me, I've got strong feelings on what's the "right" way to develop software. What I'm really trying to determine is, if I tool up in RoR, are the jobs there? (Where "there" is Chicago :)

If I'm going back to full-time development, I want to have some damn fun!

... I should probably start a thread about re-tooling ...
 