Archives For security

Pádraic Brady just posted “20 Point List For Preventing Cross-Site Scripting In PHP”, a thorough list of steps you should take when developing a Web site to prevent Cross-Site Scripting (XSS) attacks. Arguably, it would have been useful to include the explanations for some of these, but then the post could have been too long. In any case, it’s worth a quick read. I particularly like the following:

Continue Reading…

If you’re doing any sort of e-commerce, you’ll need a Secure Sockets Layer (SSL) certificate to support Hypertext Transfer Protocol Secure (HTTPS) on your website. I’ll say that again:

If you’re doing e-commerce, you need SSL/HTTPS.

This is not negotiable. I understand that this represents an added expense and hassle, but HTTPS is a must. In this post, I’ll first explain why using HTTPS is a requirement, and then discuss how you go about acquiring and installing an SSL certificate. (Although this post is designed to be generally useful, I’ve included it in my series on Stripe because you’ll need HTTPS set up in order to begin using Stripe to handle payments.) Continue Reading…

There’s a lot of misinformation out there when it comes to security, which is truly unfortunate. I particularly see misunderstandings about whether or not the mysqli_real_escape_string() function actually protects you from SQL injection attacks. (Some people erroneously argue that you shouldn’t use mysqli_real_escape_string() at all and should only use prepared statements.) I recently found a good, in-depth discussion of this specific issue on, not surprisingly, Stack Overflow.

You can read the whole page, of course (but be careful of the other misinformation demonstrated there); the best and most thorough answer is about midway down the page. Spoiler alert: yes, mysqli_real_escape_string() can be circumvented, but only in very obscure situations that are unlikely to apply to you or to almost anyone else.

SSH Key Authentication

May 25, 2012

The wonderful hosting company that I use, ServInt, recently published an article titled “SSH Key Authentication”. The article explains how to set up SSH key authentication for your server. By doing so, you can access your server without entering your password. Now, this may sound like a very bad thing, but here’s why it’s not: after setting up SSH key authentication, you can disable password authentication. Once you do, the only way to access the server is to have the matching SSH key. Attempts to break into the server by guessing the password (or even by knowing the password) would not work. Taking this step effectively prevents anyone from breaking into your server over SSH, unless they’ve stolen your computer and the private key on it (in which case, you have many, many problems).

It’s a relatively simple procedure to follow and is highly recommended. If you plan on doing this, make sure you check out the comments section of the post, in which it’s pointed out that this will also affect SFTP. SFTP is file transfer over SSH, so the SFTP client you use would need to be able to authenticate with the same SSH key in order for this to work.

Thanks, ServInt!
