Somehow someone was able to upload a shell script called fx29.php to my site's root directory. Once there, this script can be run from a browser and gives complete access to my site including my database. I don't know what their goal was as all they did was get into my index file and say they hadn't done more than break in and were warning me I had security problems. They made a suggestion that I pass something between pages using session variables to protect my pages. Thanks, but I'd just as soon be left alone, though maybe the warning will lead to my understanding security better. I don't know what anyone could gain from getting into our site. It just exists to share artwork done by my partner, my friends and me.
I can't figure out how they managed to upload it, though I suspect it may have been through some administration scripts I have written to allow the upload of images of artwork to our site. I have tried to implement various kinds of security in my scripting, though I must say, it is not a simple thing to figure out, especially since I need to feed a lot of info from page to page using gets, which seems to provide a significant point of intro. I am told there are vulnerabilities in the file upload process as well, a lot beyond my understanding.
I have purchased a couple of ebooks on php security to see where I can tighten things up. The explanations in the books are sometimes a bit abstract and a challenge to apply as they assume a bit more facility with php than my intermediate level skill. I have been coding for a number of years and am getting pretty good at it, though i just do it casually, so there are gaps of even as much as 6 months between when I sit down with it and there are always new things I have to catch up on and old things I need to refresh on. Security is still a challenge for me, obviously.
Can anyone recommend a good resource that provides practical information about securing a site at a level of a coder like myself? Or even any direct advice from someone with more experience than me.