If you are a website owner or programmer, you are probably aware of the threat of hackers.Whether the website is the web representation for a large organization or a gallery showing your product range and inviting customers to come into the shop, or a personal site exhibiting your photos, web security always matters.
There are so many ways to hack website,but there will always a solutions for threat, by using some strong validation (server-side),
we can protect our website from hacking.There are so many rules to make site secure, here are some for PHP Website.
1. A proper validation should be there in all the forms,use captch/recaptcha in forms.
In this type of attack a script fills the forms automatically and the unwanted data submitted in database in excess.
The data may be script that may cause the very important data deletion from your database,or update your website database automatically.
2. Proper permission should be given to files and folder.
In this attack, hacker put a small file,that will control your website.
A loose permission can update/delete your web script program,that may cause business loss (shopping cart) and mentally loss for programmer.
3. mysql_real_escape_string() function should be used in login forms to prevent the site from Sql Injestion
In this type of attack, user is able to execute the desired SQL queries in website’s database.
This attack is usually performed by entering text into a form field (mainly login form) which causes a subsequent SQL query,
generated from the PHP form processing code, to execute part of the content of the form field as though it were SQL.
The effects of this attack range from the harmless (simply using SELECT to pull another data set)
to the database deletion. It may also cause, the site data could be changed, or new data added.
4. Folder/Directory structure should not be shown publicly.we can do this by 2 method by putting blank index.html in all the directory or using .htaccess protection
This attack can occur anywhere in website file system If a user specifies “../../../../scriptarticle” as form data, and your script appends that to a directory name
to obtain user-specific files, this string could lead to the inclusion of the password file contents.
It may also cause moving and deleting files, corrupt files,making arbitrary changes to your file system structure.
5. The form (File upload) sections must be proper validated with proper acceptable files.
Now a days, in 80% websites a myaccount section is given to the user,from where they can upload his photos for files.
Without a proper validation,hacker can upload a script and can run that script easily and can do almost all the operation,whatever he want.
6.htaccess must prevent the execution of script from address bar.
In this type of attack a hacker put the script in address bar and execute,then it will result create a file in the website folder.
These are some basic precaution,that should be taken,there are so many methods now a days has been used in web based software.
SSL is also a very secure method,These authentication protocols operate right over HTTP (or SSL/TSL), with credentials embedded
right in the request/response traffic,But It is costly for a personal portal of a personality.