Subscribe to our RSS Feeds

PHP Security fixes for your site

No Comments »

Has your php site been exploited or hacked? What can you do to make sure this does not happen again?

I recently went through these points that I judge extremely useful to keep your website safe.

  1. Set register_globals to OFF
  2. Turn off Display Error/Warning Messages. Set display_error to ZERO.
  3. Never run unescaped queries
  4. Validate all user inputs. Items on Forms, in URLs and so on
  5. Move config.php and files containing Passwords to MySQL to a secure directory outside of the public_html folder
  6. Change permissions on any configuration files containing private information such as database passwords or email accounts to 440 so they cannot be written to and so there is no world permissions. If you need to edit them at a later time you will need to change it back to 640.
  7. Access Control: You don’t want the user to have access to any Admin function or Clean up scripts
  8. The .htaccess file is your friend. Use it to deny access to your site or files. (We also have an easy IP Deny Manager tool in the cpanel)
  9. PHP can parse any valid script, whether it is called foo.php, very_long_name.php.php.php, or even deleteme.bat.
    • Using the default extension of “.php” means that before your hackers start you have already told them you are using PHP.
    • As mentioned, you can use any filename for your scripts – if you are using PHP for every script on your server, consider using the “.html” extension for your scripts and making PHP parse HTML files.
    • You can change your file extension by adding this line to the .htaccess or turn it on via the Apache Handlers in the cPanel (AddHandler application/x-httpd-php5 .html)
    • To protect against SQL injection attacks Sometimes hackers will try to screw up your database by inserting SQL code into your form input fields. They can for example, insert code that could delete all the data in your database!
    • To protect against this, you need to use this PHP function:
    • mysql_real_escape_string()
    • This function escapes (makes safe) any special characters in a string (programmers call text a ‘string’) for MySQL.
  10. Example: $name = $_REQUEST[‘name’]; $safe_name = mysql_real_escape_string($name); Now you know the variable $safe_name, is safe to use with your SQL code.
  11. Keep the PHP code to yourself. If anyone can see it they can exploit vulnerabilities.
    • You should take care to store your PHP files and the necessary passwords to access your MySQL databases in protected files or folders.
    • The easy way to do this is to put the database access passwords in a file with a .inc.php extension (such as config.inc.php), and then place this file in a directory which is above the server’s document root (and thus not accessible to surfers of your site).
    • Then, refer to the file in your PHP code with a require_once command.
    • By doing things this way, your PHP code can read the included file easily but hackers will find it almost impossible to hack your site.

You can find more information about hardening your PHP scripts at: PHPsec.org

Also, for security purposes, you can refer to these two websites:

PHPIDS – Web Application Security 2.0 – Index

BlogSecurity

Top 20 Antivirus rankings

No Comments »
Top 8 Updated list Bit Defender Kaspersky Antivirus Trend Micro AntiVirus Panda Antivirus McAfee VirusScan AVG Anivirus Pro Norton Antivirus F-Prot for Windows

This is the list of the top 20 antivirus applications tested using about 200.000 virus samples.

Rank –> Name –> Virus detected percentage
1. Kaspersky version 7.0.0.43 beta – 99.23%
2. Kaspersky version 6.0.2.614 – 99.13%
3. Active Virus Shield by AOL version 6.0.0.308 – 99.13%
4. ZoneAlarm with KAV Antivirus version 7.0.337.000 – 99.13%
5. F-Secure 2007 version 7.01.128 – 98.56%
6. BitDefender Professional version 10 – 97.70%
7. BullGuard version 7.0.0.23 – 96.59%
8. Ashampoo version 1.30 – 95.80%
9. eScan version 8.0.671.1 – 94.43%
10. Nod32 version 2.70.32 – 94.00%
11. CyberScrub version 1.0 – 93.27%
12. Avast Professional version 4.7.986 – 92.82%
13. AVG Anti-Malware version 7.5.465 – 92.14%
14. F-Prot version 6.0.6.4 – 91.35%
15. McAfee Enterprise version 8.5.0i+AntiSpyware module – 90.65%
16. Panda 2007 version 2.01.00 – 90.06%
17. Norman version 5.90.37 – 88.47%
18. ArcaVir 2007 – 88.24%
19. McAfee version 11.0.213 – 86.13%
20. Norton Professional 2007 – 86.08%

Click here to read more.. »

Alien Intruders!

No Comments »
by: Seamus Dolly

You probably didn’t casually invite, or extend a formal attendance request to, these undesirables known as viruses.

Regardless of your opinions, such cyber-nomads may call on you, complete and active, with their destructive payloads.

So what is a virus?

A virus is a program that can self replicate or reproduce itself.

Click here to read more.. »