Username and Passwords

Passwords are stronger at 8 characters, so keep that as a minimum. These are 4 simple methods that anyone can follow to create easy to remember strong passwords.

Never be specific

Even student developers are smart enough to just put up a unsuccessful login sign like

• ‘Incorrect password / username’
• ‘Unsuccessful login attempt’

Never give out clues or leads that will help intruders like

• ‘Password is missing one letter’
• ‘Username is not found’

Hiding Errors Messages

Placing @ in front of many of PHP function calls will stop any failure message from showing in the browser window. The ampersand symbol becomes useful when database calls are made during database downtime. This will keep the website looking professional while reducing feedback to intruders.

Encrypt passwords in user account table

Even if the intruder is successful in gaining access to the table, they should only be able to see logins and not passwords. Encrypt all passwords in the table to hold an SHA-1 encrypted string before you compare the user input password to the one stored in the database.

• Example Code
  $encrypted = sha1($password);
• Example database data
  Username : rangit
  Password : d0be2dc421be4fcd0172e5afceea3970e2f3d940

Keep a log of all user activities

Log the total number of logins for each user, as well as the data/time of their last login.

Remove ALL backslashes

Prevent your code from breaking unexpectedly by using ready made PHP functions like strip_tags(), str_replace() and stripslashes().

• Example code
  $login = @strip_tags($login);
  $login = @stripslashes($login);

Use ‘maxlength’ in forms

Limit the user to the allocated input size.

Importance of referrer

Make login scripts to check HTTP_REFERER to see that the request came from the same server. This security measure will stop simple spam bots and amateur attackers.

Use $_POST not $_REQUEST

If your HTML form uses POST to send the data to the login script, then make sure your login script gets the input data using $_POST and not $_REQUEST to prevent someone to pass data via GET, on the end of the URL string.

SSL Encryption (https)

If you think the website deserves the best of data privacy, purchase an SSL certificate to encrypt the pages.

Limit user access according roles

This is one of the most important method to prevent SQL injetions. Classify groups and distribute features and functionality based on roles. For example

• Cashers can only enter in sales, and not delete it
• HR personals should only see employee information, and not the financial data

eioba
Intelligent articles database

PHP is a server side programming language designed to produce amazing dynamic web pages which :

• allows you to create dynamic html pages and files.
• can be used to authenticate logins to a site
• allows web owners to redirect pages
• keep counters
• allows you to personalize pages. For example, if I login to a site using my username and password, the PHP codes will then tell the server to generate a personal note that says ‘Welcome, Chris!’. So if another person logs in, the server will generate another personal page that says ‘Welcome, (username)!’.
• If you set up your own server you can use also PHP to allow people to download files from a certain folder and then log the ip address of the person that downloaded it. As long as the page saves or changes a file on the server, PHP will most likely be used.

There are plenty of PHP training courses out there that helps people to learn even faster. Open Technology Group is one fine example that provides the highest quality training at an affordable prices that includes post meet ups after classes. Their courses are taught by Zend certified PHP MySQL training instructors with over decade’s experience.

At the moment, they conduct classes on a monthly basis. The classes are carried out for a period of 5 days. If you live in the US and some other parts of Canada, airfare to North Carolina, accommodation, shuttle services and course materials are all included with the fee you pay.

Interested people are encouraged to submit a simple form or call them to ask about enrollment questions. They will even wire in a technical instructor to take calls, if needed. I believe that they have special pricing for government or educational bodies.

* sponsored review *

PHP MySQL Training
PHP training solutions

According to WhiteHat Security’s statistics, there is a 20% likelihood that 8 out of 10 websites have a vulnerability in the area of SQL Injections.

Keeping It Clean

For example, it is important to make sure that users insert only codes that have these characters in the email field :

• abcdefghijklmnopqrstuvwxyz
  ABCDEFGHIJKLMNOPQRSTUVWXYZ
  0123456789
  @.-_+

Quotes Quotes Quotes

Many database interface languages caters to the need of safe-quoting text. For example, MySQL uses 2 functions to ‘string quote’ and to ‘string parse’ :

• mysql_real_escape_string() adds backslashes in front of all the quotation marks.
• stripslashes() removes backslashes in front of the quotation marks.

Bounding Parameters

• Insecure

Statement s = connection.createStatement();
ResultSet rs = s.executeQuery(“SELECT email FROM member WHERE name = ” + formField); // *boom*

• Secure

PreparedStatement ps = connection.prepareStatement(“SELECT email FROM member WHERE name = ?”);
ps.setString(1, formField);
ResultSet rs = ps.executeQuery();

Above is an example of bound parameters in Java. Neither quotes, semicolons, backslashes nor SQL comment notations are able to corrupt the string because it’s been turned into data. Bounding parameters is one of the most important step anyone can take to truly secure the database from injection attacks.

Rights Management

Web applications should use connections to the database with as little rights as possible. Web applications should start with only 1 type of access which is query access to members table. This method eliminates the possibility of using the ‘UPDATE’ statement to taint the database. Let rights access be progressive, like allowing more flexibility only after a successful user validation.

Making Use Of Stored Procedures

As long as the interface on the stored procedure stays the same, the table structure can change with no consequence to the application that is using the database. This layer of abstraction is like an extra barrier because table permission is implicitly set. By only allowing database modifications through stored procedures, tables are safe from exposure to external applications.

Separating TRUSTED and UNTRUSTED networks

A DMZ is a computer network that is accessible from two other computer networks that have no direct contact with each other. Often, one of these networks is the Internet and the other is a local, internal network. Having a web server with very, very little access in a DMZ prevents total control of all networks, even if one manages to take full control of the machine.

SQL Injection Attacks
Useful tips on SQL injection attacks

Codefetch is a code search engine that connects programmers and authors so that programmers get the information they need from the work of supportive and encouraging book authors. Easily get results from 22 different programming languages :

1. C
2. Cold Fusion
3. Ant
4. C#
5. Flash ActionScript
6. Apache Configuration
7. C++
8. HTML / CSS
9. AppleScript
10. Delphi Pascal
11. Javascript / Ajax
12. SQL
13. Java
14. JSP / JSTL / JSF
15. Unix / Shell
16. Objective-C Cocoa
17. Perl
18. XML-Schema
19. Python
20. PHP
21. XSLT / XPATH
22. Ruby / Rails

It’s so easy to use. I tried entering ‘path’ in ‘PHP’ and out came all the PHP codes from 22 different books. Then I entered the search term ‘pizza’ and chose ‘C++’. Out came codes that :

• Determines which of two pizza sizes is the best buy.
• Determines whether a round pizza or a rectangular pizza is the best buy.
• Returns the price per square inch of a pizza.

Codefetch will generally benefit students and basic programmers by providing source codes to learn from. Moreover, this is also a good way for book authors to promote the content of the book.

Code Fetch
Fetch the code you need.

1. Pascal
2. C++
3. Perl
4. JavaScript
5. HTML
6. LISP
7. Math

This is how the editor looks like.

The design is soft and smooth, which makes me feel sort of relaxed and able to program for hours.

Results are shown on a panel on the right hand side of the editor. You can also see what other anonymous users are trying out from looking at the public live results panel located at the bottom. It looks like this.

Register yourself to store files on the site itself. They even allow users to publish their work on the wiki page. Pretty interactive if you ask me. Check out the forums for questions and suggested solutions by forum members.

CodeIDE
the free online compiler

It’s great when one can learn how to program for free. Thanks to freecomputerbooks.com, everyone can now learn for free. Previously, there was a similar entry on another website which also provided free IT tutorials . On the main page, we can see the tutorials classified into 9 different categories. The more common subcategories are listed out next to it. Looks very detailed to me. Here’s a screenshot for a better description.

Take look at the website for yourself! Have fun learning!

Free Computer Books
The free IT tutorials website