5

I'm asking this as I maintain a small website for a fairly isolated group of people (no more than 80). It currently has a simple log in function (e-mail, password) and the data that is "protected" is merely contact information to our members (telephone, address, e-mail). The website is written in PHP and use My SQL.

These last couple of days, I've been reading through the forums and other sites about web site security, since I would like to enhance it on our site. Right now the security consists of SQL-injection protection and MD5-hashed passwords stored in a database. This feels abit inadequate but I also feel that it's easy to take it TOO far. I mean it's not exactly nuclear launch codes here, but data people usually feel abit unconfortable to display online. The site itself is hosted by a fairly renown web host.

The only threat I can see right now are pranksters stumbling across the site and trying some of their home made concotion?

So I thought somewhere in the middle would suffice. Like

  • SQL-injection protection (enhance if needed)
  • Stronger hash method with salt
  • XSS-protection
  • DDoS-protection
  • SSL when accessing the member area

What do you more experienced people out ther think?

Update: I would like to add that I do everything myself and there is no budget for buying fancy crypto techniques or hiring professional programmers.

Sandokan
  • 861
  • 1
  • 9
  • 18
  • _The site itself is hosted by a fairly renown web host_... not private anymore! – Salman A Jun 18 '12 at 06:23
  • Use bcrypt to hash your passwords, it is not for high security sites only, and using it can be as easy, as using an md5 hash. There are libraries like [phpass](http://www.openwall.com/phpass/), and if you want to understand how it works, you can read this [article](http://www.martinstoeckli.ch/php/php.html#ssl_bcrypt). – martinstoeckli Jun 18 '12 at 06:35
  • Your critical ones will be SQL Injection protection, Minimum password complexity for user accounts, A strong password on your SSH/admin account (or disable password auth entirely and use public-key authentication for the admin account), remote file inclusion protection, XSS protection, and user-isolation for your httpd process. Nice to have would be SSL for post-auth content. Not required in this case are improved password hashing in the database, DDoS protection, and CSRF protection. There's nothing wrong with having those, but unless you get a targeted attacker, you won't need them. – aroth Jun 18 '12 at 06:36

3 Answers3

3

To enhance security for SQL injection, you must see:

It would tell you to use PDO, parameterized queries.

To learn about general security issues, see this post which covers a lot:

Audit your site in terms of security using:

And

phpSec is a open-source PHP security library that takes care of the common security tasks a web developer faces.

Community
  • 1
  • 1
Sarfraz
  • 377,238
  • 77
  • 533
  • 578
  • Would that require installation? Cause I don't have access to the server since it's a shared host. – Sandokan Jun 18 '12 at 06:21
  • @Sandokan: Yes it would but don't worry about it. Read the security guide and then code considering those points. – Sarfraz Jun 18 '12 at 06:23
1

Add CSRF vulnerability protection to your security list

odiszapc
  • 4,089
  • 2
  • 27
  • 42
0

Also you can add Remote file inclusion.

Viacheslav Kondratiuk
  • 8,493
  • 9
  • 49
  • 81