I wanna know everything about security - ASP

Hey guys,

Well, I always end up thinking that my website is not secure enough. I'm going to list below what I am checking for and what I want to do next; tell me if I need to add/edit anything. Any advice is appreciated.

Gallery upload page

  • Not involving the database
  • checking width (must be less than 1024px)
  • checking height (must be less than 768px)
  • checking size (must be less than 500kb)
  • checking extension (must be .jpg, .bmp, .png, .gif)

If all those requirements are met, then the file gets uploaded. Is there anything else I should check for?

Login page

  • involving the database
  • database is password protected
  • checking for illegal words (“select”, “drop”, “;”, “--”, “insert”, “delete”, “xp_”, “#”, “%”, “&”, “'”, “(”, “)”, “/”, “\”, “:”, “;”, “<”, “>”, “=”, “[”, “]”, “?”, “`”, “|”, “declare”, “convert”)

Is that all?

The next pages I'm thinking of working on are the “Contact us” and “give your opinion” pages. They are both similar to the login page: a few text fields where people can write stuff and send it. What other things should I check for (besides the checks I make above in the login page)?

Thanks for your help
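A note on the login page's illegal-words list, with an added example that is not code from the original post. A denylist like the one above is a filter in front of the real problem: the query is still built by gluing user input into SQL text, so the protection is only as good as the list, and the list also rejects perfectly legitimate passwords (anything containing an apostrophe or a bracket). The fix practitioners use is a parameterized query, where the SQL text and the values travel separately and no word is "illegal". In classic ASP that is an ADODB.Command with parameters created via CreateParameter; the example below is Python with an in-memory SQLite table standing in for the Access database (assumptions: the table and user names are constructed here, and passwords are stored in plain text only so the query issue is shown in isolation; hashing is a separate step).

```python
import sqlite3

# The thread's illegal-words list, lower-cased; "--" is the SQL comment token.
ILLEGAL_WORDS = [
    "select", "drop", ";", "--", "insert", "delete", "xp_", "#", "%", "&", "'",
    "(", ")", "/", "\\", ":", "<", ">", "=", "[", "]", "?", "`", "|",
    "declare", "convert",
]


def passes_blocklist(value):
    """The denylist approach from the post: reject input containing any listed token."""
    low = value.lower()
    return not any(word in low for word in ILLEGAL_WORDS)


def make_db():
    """Constructed sample table (stands in for the Access DB in the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # One ordinary password and one legitimate password the blocklist would reject.
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", "S3cret!"))
    conn.execute("INSERT INTO users VALUES (?, ?)", ("obrien", "Pa'ss(word)"))
    conn.commit()
    return conn


def login_concat(conn, username, password):
    """VULNERABLE: the query is built as a string, the way a typical ASP page does it."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_param(conn, username, password):
    """SAFE: placeholders; the driver binds the values, so input is never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"  # classic injection: turns the WHERE clause into "always true"
    print("concat, injected :", login_concat(db, "admin", payload))   # True  (bypassed)
    print("param,  injected :", login_param(db, "admin", payload))    # False (literal compare)
    print("param,  obrien   :", login_param(db, "obrien", "Pa'ss(word)"))  # True
    print("blocklist, obrien:", passes_blocklist("Pa'ss(word)"))      # False (locked out)
```

The point the run makes: the concatenated query accepts the injected password, the parameterized one treats it as a literal string and rejects it, and the parameterized one also lets the user with an apostrophe in their password log in, something the blocklist would never allow. With parameters in place, the blocklist adds nothing for the database and can be dropped; input rules then only need to express what the field actually means (length, allowed characters for a username).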

When uploading images, you need to also check for file type. File extension is too easily faked. We see many infectious files that are really PHP code, but they have a .jpg extension.

You have to make the folder that files are uploaded to non-executable from the Internet. A typical scenario for hackers is to upload a file and then try to execute it from a browser. If you only allow write permissions and use a .htaccess file to prevent any PHP, Perl or JavaScript code from running, you've eliminated that possibility.

For your database, you should hash the password so it’s not stored in plain text. This makes the “Forgot your Password” function more complex, but it’s worth it. Also use a “salt” in your hash.

For your contact us page, use captcha. There are many examples online for all of this. I’m just trying to point you in the right direction.

Thanks for the tips, WeWatch.

When uploading images, you need to also check for file type. File extension is too easily faked. We see many infectious files that are really PHP code, but they have a .jpg extension.

Well, I tried renaming a .txt file to .jpg, for example, and tried to upload it, and the upload fails. That's because, as I mentioned above, I also check width/height, which a .txt file (that has been renamed to .jpg) doesn't have. Tell me if I'm wrong here.

For your database, you should hash the password so it’s not stored in plain text. This makes the “Forgot your Password” function more complex, but it’s worth it. Also use a “salt” in your hash.

I was searching around a lot for how to encrypt the password field of my database, but without success. Do you have any link showing how to do that on an Access DB?

Thanks.

The hashing and salting would be done in your program code before it’s inserted into your database.

I would still check for php tags or perl before allowing the upload. That’s just me.
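To make WeWatch's two points concrete (file type from the content rather than the name, and a check for script tags before the upload is accepted), here is an added example that is not code from the original thread. It sniffs the format from the file's magic bytes, requires that to agree with the extension, reads the dimensions straight from the header (a renamed .txt fails here, as the poster observed, but so does a real image whose header is truncated), and then scans for script markers so that a valid image with code appended to it is refused. Assumptions: the width/height/size limits are the thread's, the sample files are constructed headers rather than real images, and the marker list is mine. The web-server side of WeWatch's advice still applies independently: .htaccess is Apache-only, so on IIS the upload folder needs script execute permission removed.

```python
import struct

MAX_WIDTH, MAX_HEIGHT, MAX_BYTES = 1024, 768, 500 * 1024
# Script fragments that have no business inside a photo. A file that is both a
# valid image and server-side code (a polyglot) is WeWatch's "really PHP" case.
SCRIPT_MARKERS = (b"<?php", b"<%@", b"<script")


def sniff_format(data):
    """Identify the image type from its leading bytes, ignoring the filename."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data.startswith((b"GIF87a", b"GIF89a")):
        return "gif"
    if data.startswith(b"BM"):
        return "bmp"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpg"
    return None


def image_size(fmt, data):
    """Read (width, height) from the header of a sniffed format; None if malformed."""
    try:
        if fmt == "png":
            # IHDR is always the first chunk: width and height are big-endian at bytes 16..24.
            if data[12:16] != b"IHDR":
                return None
            return struct.unpack(">II", data[16:24])
        if fmt == "gif":
            return struct.unpack("<HH", data[6:10])
        if fmt == "bmp":
            w, h = struct.unpack("<ii", data[18:26])
            return (w, abs(h))  # height is negative for top-down bitmaps
        if fmt == "jpg":
            # Walk the marker segments until a Start-Of-Frame marker reports the size.
            pos = 2
            while pos + 9 <= len(data):
                if data[pos] != 0xFF:
                    return None
                marker = data[pos + 1]
                seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
                if 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC):
                    h, w = struct.unpack(">HH", data[pos + 5:pos + 9])
                    return (w, h)
                pos += 2 + seg_len
    except struct.error:
        return None
    return None


def validate_upload(filename, data):
    """Return (accepted, reason): the thread's checks plus content sniffing."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = "jpg" if ext == "jpeg" else ext
    if ext not in ("jpg", "bmp", "png", "gif"):
        return False, "extension not allowed"
    if len(data) >= MAX_BYTES:
        return False, "file too large"
    fmt = sniff_format(data)
    if fmt is None:
        return False, "not an image (bad magic bytes)"
    if fmt != ext:
        return False, "content is %s but extension says %s" % (fmt, ext)
    size = image_size(fmt, data)
    if size is None:
        return False, "malformed %s header" % fmt
    w, h = size
    if w >= MAX_WIDTH or h >= MAX_HEIGHT:
        return False, "dimensions %dx%d exceed limit" % (w, h)
    if any(m in data for m in SCRIPT_MARKERS):
        return False, "embedded script tag"
    return True, "ok"


# Constructed sample files: correct headers only, not viewable images.
def sample_png(w, h, extra=b""):
    ihdr = b"IHDR" + struct.pack(">IIBBBBB", w, h, 8, 6, 0, 0, 0)
    return b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + ihdr + b"\0\0\0\0" + extra


def sample_gif(w, h):
    return b"GIF89a" + struct.pack("<HH", w, h) + b"\x00\x00\x00"


def sample_bmp(w, h):
    return b"BM" + b"\x00" * 12 + struct.pack("<Iii", 40, w, h)


def sample_jpg(w, h):
    sof0 = b"\xff\xc0" + struct.pack(">HBHHB", 17, 8, h, w, 3) + b"\x01\x22\x00\x02\x11\x01\x03\x11\x01"
    return b"\xff\xd8" + sof0 + b"\xff\xd9"
```

Two caveats a practitioner would add. Matching on short byte strings inside compressed pixel data can false-positive, so treat a hit as "reject" rather than "malware found". And a header check is not a decode: the robust version of this step is to open the file with an image library and re-save it, which throws away everything that is not pixel data, with the non-executable upload folder as the backstop when that fails.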

Hey,

The hashing and salting would be done in your program code before it’s inserted into your database.

Well, can you show me any guide/link to read about that? ASP would be preferred.

I would still check for php tags or perl before allowing the upload. That’s just me.

And that's all I need to have my website secured?

Hash is a function in, as far as I know, every server-side scripting language. So I presume it is in ASP as well. Just google for it.

A wise man once said, “Security is a journey, not a destination.”

Your site has to be checked for RFI, LFI, SQL injection, etc. in order to be considered secure.

RFI, LFI, SQL injection, etc

Besides the SQL injection part (the only things I know about it are the illegal-words part I posted above and the double '' check), I don't know any of them. Any more explanation would be helpful :slight_smile:

hash is a function in, as far as I know, every server side scripting. So I presume it is in ASP a well. Just google for it

Will this do?

It seems to do the job; for input a I get something like:
86f7e437faa5a7fce15d1ddcb9eaeaea377667b8

But should I put that (on my login page) after the check for the illegal words, or…?

You have a client-side (JavaScript) check for the basic illegal characters, input length, etc. Then, as the form is actually submitted, it gets sent to the server side, where the password is hashed with salt and then stored in the database.

So the: 86f7e437faa5a7fce15d1ddcb9eaeaea377667b8 would be stored in the database. What the user enters is the unhashed password.

RFI: Remote file inclusion
LFI: Local file inclusion

that’s right :slight_smile:

Thanks for the confirmation, but mine was an answer not a question.:slight_smile:

Well, I'm not after reading lots of info regarding RFI and LFI (especially when most of the explanations are aimed at PHP).

What are those related to? The gallery page? If yes, then I'll probably just take my gallery page off; after some thinking, a gallery page wouldn't add anything meaningful to my website :wink:

If it is related to the admin's login page (which has 2 text fields for account/password), then I'm going to need more details about it, or perhaps some link with better clues on how to get this security issue sorted.

PS. I've got that script with hash/salt added successfully to my login/register/password change pages :slight_smile: