Information Security

Office 365 Outlook emails forwarding to external email addresses not working?

By default, Office 365 does not allow forwarding to external email addresses via the inbox's top-right Settings > View all Outlook settings > Forwarding. To enable Office 365 Outlook to forward to external email addresses, we need to enable it manually in the organization's security policies. Log in to Office 365 as an admin, and go to …

500 Internal Server Error for Incorrect Permissions after Installing suPHP and Uploading PHP Script

Many's the time that, after you have uploaded a PHP script to your server and pointed the web browser at its address, it gives a 500 Internal Server Error. If you have suPHP installed, this is very likely because the uploaded PHP script (files and directories) has the wrong permissions set. With regards to Linux permissions, …

Make Firefox Not Send the HTTP Referer (or On a Per-Site Basis)

By default, browsers such as Firefox send the Referer information to the target URL in the HTTP header, as defined by the HTTP protocol, so the destination website knows where you have come from. For instance, when you click this link to one of my friends' sites, it would know you have arrived at …

PHP Class for Handling .htpasswd and .htgroup (Member Login & User Management)

Apache is a marvelous web server that offers .htpasswd and .htgroup for controlling restricted access to your website. With the help of .htaccess, they work as a member login and user management system that is simple and easy to deploy. You can even define user groups / roles with it. Basically, .htpasswd defines pairs of …

SSH Web Hosting as Socks5 Proxy for VPN Tunnels via PuTTY

Few know that those who have web hosting are at the same time endowed with a free VPN (Virtual Private Network, a secure connection for transferring important data). With a few simple steps and the help of PuTTY, the tiny legendary SSH program, anyone with a web hosting account can have a private VPN …

How to create / generate .htpasswd password with PHP dynamically?

The easy way to add a username and password pair to the .htpasswd file is to use an online password generator tool that converts the clear-text password into its hash (commonly, if loosely, called the encrypted password). The problem with this approach is that you have to create the pair manually and append it to .htpasswd. Is …

Use .htaccess to allow access only from a single HTTP referrer

Sometimes you want the user to access something (a web page or a downloadable file) only by clicking a link on your own website, instead of being able to access it directly by typing the URL into the browser address bar. This is achievable with a few lines in .htaccess. RewriteEngine On RewriteCond …

Turn off and disable magic_quotes_gpc in .htaccess

magic_quotes_gpc is not only insecure but also inconveniently forces the use of the PHP function stripslashes() every time you pull something from the database or receive something from the client side. While most hosts out there use the factory PHP settings, which turn off magic_quotes_gpc by default, there are a few that …

PHP Security Guide & Checklist for Websites and Web Applications – Bottom Line for Every Good PHP Developer

It's not easy to become a great PHP developer, which may very well take years of training and practice, but this doesn't mean you shouldn't do your best not to be a bad one who undermines every project he's involved in. Based on the project experiences of my team and some recent research done on …

Web Application Security Books (PHP, MySQL, Apache), the Best at Amazon

Security may not make you, but it sure can break you. As modern web applications become more and more complex puzzles, filled with thousands of features catering to a spectrum of user preferences and tastes, developers are burdened with ever-growing responsibilities to keep them sound and safe. There are people (crackers) out there …

PHP: setcookie() with HttpOnly Option to Reduce XSS (Cross Site Scripting) Attacks by Preventing JavaScript from Reading Cookies

Setting cookies with the HttpOnly option may considerably reduce XSS attack possibilities, if not eradicate them completely. XSS, or Cross Site Scripting, is probably the most common security problem in web applications that take heavy user input. If you've ever tried to build a web application in which users can input data in a lot of different places, chances are …

Just Hashing is Far from Enough for Storing Passwords – How to Position against Dictionary and Rainbow Table Attacks

It goes without saying that sensitive information such as passwords or pass phrases should never be stored in plain text in the database in the first place. The common practice is to hash the user's password and store the resulting hash string. When the user tries to log in and supplies his password, it is …

PHP: Check or Validate URL and Email Addresses – an Easier Way than Regular Expressions, the filter_var() Function

To check whether a URL or an email address is valid, the common solution is regular expressions. For instance, to validate an email address in PHP, I would use: if (preg_match('|^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$|i', $email)) { // $email is valid } A simpler and more forgiving one would be: |^\S+@\S+\.\S+$| which is usually quite enough for signup forms …

PHP: Allow Specific HTML Tags in Text Input Controls of HTML Forms, <textarea>, <input type="text" />

Textarea and text input are common HTML form controls that accept text input. They can be a security challenge, as they allow the user to enter anything they want. If you just go about using whatever data the user has entered, your application is anything but secure. Some sort of filtering / white-listing must be …

A few database security tips – things to do to effectively protect MySQL databases

I'd like to share with you some tips about hardening the database part of your application. Here are a few things you can do to protect the databases from being compromised: Create separate users with ONLY the necessary privileges (as few as possible) to connect to the database for common daily tasks. Never use …

One Simple Way to Encrypt, Obfuscate, Hide or Protect Your PHP Code

This method is so simple that even a beginner in PHP can use it immediately to obfuscate and hide the original PHP code. Generally, it makes it much harder for someone to find a specific phrase in your code, as it is encrypted, though in a rather simple way, using four PHP functions: gzinflate(), gzdeflate(), …

PHP: open_basedir in php.ini to Restrict and Limit PHP File Accesses to a Certain Directory

The open_basedir directive in php.ini limits PHP file access (such as opening, writing and deleting files) to a designated directory such as /home/www/public_html, so that PHP doesn't endanger the rest of the system in any way. With proper Apache permissions and PHP installed as an Apache module, PHP inherits whatever privileges Apache has. As Apache …

How to know if your site has been penalized by Google for malicious software or suspicious content?

Back when WordPress was pretty young, there were some loopholes that enabled hackers to inject unauthorized and dangerous HTML code into your website pages, thus promoting the distribution of malware that damages end users' computers. I was once there and got penalized by Google for one of my sites. However, they are gentle enough to …

phpBB Spam Control — phpBB Anti-Spam Options for Fresh Forum Installations

phpBB is pretty much the best free PHP forum software out there, and is the first choice of many webmasters. However, a few weeks after the first installation, many complain that spam bots start to overwhelm their forums, flooding them with automated spam registrations and spam posts. Unfortunately, that is generally because: phpBB disables …

Robots.txt Disallow All and Block Search Engine Spiders

You can block any visitor, including search engines, and protect the data or information you have on your website with the help of .htaccess Deny From All. A similar solution is to have a robots.txt, mainly for search engines. To disallow all search engine visits and stop any spider or crawler, create a …
