  1. #1  SitePoint Enthusiast | Joined Apr 2006 | 75 posts

    Site potentially hackable/MySQL/PHP exploitable?

    I have a friend who usually comes to me for website advice, though he didn't on his last project and chose to engage the services of a young teenager to build his latest site in bespoke PHP/MySQL. However, he has since heard about PHP cross-site scripting and database injection attacks and is worried that his site may be potentially hackable, due to the young age of the developer, who possibly doesn't have the experience of knowing all the pitfalls.

    Unfortunately, I can't advise because I use tried and tested CMS code like WordPress etc. to build sites, which has been written by experienced developers and has a good track record 'in the wild'. I looked at some online services to test for cross-site scripting and MySQL injection attacks, but it's $800 to buy software he'll probably only ever use once. He's reluctant to go back to the young developer and ask "is your code 100% known secure?" for fear of offending him, so does anyone know of any affordable methods of testing?

  2. #2  spikeZ (dooby dooby doo) | Joined Aug 2004 | Manchester UK | 13,806 posts
    The only way of knowing is to either get hacked or pay someone to go through the code manually and advise.
    I would feel no offense if a client came back to me and asked if my code was secure. It's part and parcel of the job he has been paid to do. Even the most basic site should have security in mind, from cross-site scripting to form manipulation.

    Get him to go back and ask the developer (the one he has paid to have the work done!)
    Mike Swiffin - Community Team Advisor
    Only a woman can read between the lines of a one word answer.....

  3. #3  SitePoint Wizard | Joined Jul 2006 | Augusta, Georgia, United States | 4,151 posts
    If you search for SQL injection there are plenty of resources to show you some basics. You could then try it yourself and see. My favorite thing to try first is dropping the database. If I can drop your database then you obviously should have hired a professional…
    The only code I hate more than my own is everyone else's.
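
    As an added illustration (not code from the thread or from the friend's site) of what a code review like the one suggested above is actually looking for: the two query styles side by side, plus the output encoding that addresses the cross-site scripting half of the original question. It runs against an in-memory SQLite table through PDO so no MySQL server is needed; the table, rows, function names and the probe string are all constructed for the example.

```php
<?php
// Added example, not from the thread: a concatenated query beside a prepared
// statement, plus HTML output encoding. Uses SQLite in memory via PDO so it
// runs stand-alone; the table and its rows are constructed sample data.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)');
$db->exec("INSERT INTO users (username, email) VALUES
           ('alice', 'alice@example.com'), ('bob', 'bob@example.com')");

// Vulnerable pattern: the request value is pasted into the SQL text, so a
// quote character in the value can end the string literal and change what
// the statement means. This is the defect a reviewer searches the code for.
function findUserVulnerable(PDO $db, string $username): array
{
    $sql = "SELECT username, email FROM users WHERE username = '" . $username . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: the SQL text is fixed at prepare() time and the value is
// bound separately, so whatever the user sends is only ever compared as data.
function findUserSafe(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT username, email FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Cross-site scripting side: anything echoed into a page goes through
// htmlspecialchars so browser-significant characters are shown, not parsed.
function renderGreeting(string $username): string
{
    return '<p>Hello, ' . htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// A constructed probe value of the kind used when checking a form field:
// a stray quote followed by an always-true condition.
$probe = "' OR '1'='1";

$leaked = findUserVulnerable($db, $probe); // every row: the quote ended the literal
$kept   = findUserSafe($db, $probe);       // no rows: nobody has that literal name

printf("concatenated query returned %d rows, prepared query returned %d rows\n",
       count($leaked), count($kept));
echo renderGreeting('<b>alice</b>'), "\n"; // tags arrive as &lt;b&gt;alice&lt;/b&gt;
```

    The point for the friend's situation is that the check is mechanical: every place the code builds SQL by string concatenation with request data is a finding, and every place it echoes request data without htmlspecialchars (or an equivalent encoder) is a finding. A reviewer going through the code manually, as the post above suggests, is mostly grepping for those two patterns and then confirming each one the way the probe does here.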

  4. #4  SitePoint Enthusiast | Joined Apr 2006 | 75 posts
    I think he's going to have to hire someone, as there's some doubt in the back of my friend's mind as to whether the experience is there to identify security flaws. I can't do it as I'm not a web developer (hence my use of WordPress....)
