Ask a question

Popular technologies


Latest questions:

511 sql - Reverse the array in php
460 php - Convert long numbers to short and compact
593 php - Codeigniter 4 validation error callback_check_password is not working
85 laravel - How to calculate hour two date difference in php?
277 php - Symfony project shows directory listing index instead of index page
682 php - Test Imagick Image
613 wordpress - I am getting issues with my single Post navigation in single.php with previous_post_link() and next_post_link() is not working with post type "post"
849 PHP bcrypt to PYTHON bycrypt not giving same values
257 php - How to fix error Query array failed: 1064
581 php - What to do with mysqli problems? Errors like mysqli_fetch_array(): Argument #1 must be of type mysqli_result and such
  1. Home
  2. security - is this methods enough for secure my host (php)?
465 votes
0 answers

security - is this methods enough for secure my host (php)?

mangohost Get the solution ↓↓↓

Solution:

You missed SQL injection.

You can use prepared statements to avoid SQL injections.

Here is an example:

$conn = mysqli_connect("localhost", "username", "password", "database");

$username = "someone";
$comments = "something like ); SELECT * FROM table;"; #some kind of sql injection
$current_date = date("h:i:s a d-m-Y");
        $sql = "INSERT INTO comments (name, comments, date_publish) VALUES (?, ?, ?);";
        $stmt = mysqli_stmt_init($conn);
        if (!mysqli_stmt_prepare($stmt, $sql)) {
            echo "An error occured!";
        } else {
            mysqli_stmt_bind_param($stmt, "sss", $username, $comment, $current_date);
            mysqli_stmt_execute($stmt);
            mysqli_stmt_get_result($stmt);
            echo "Done!";
        }

Even though you have included (php) in your title, I want to share some security headers:

Add the following to Apache, if using Apache:

<IfModule headers_module>
Header always set Expires "-1"
Header always set Cache-Control "no-store, no-cache, must-revalidate, max-age=0"
Header always set Pragma "no-cache"

<FilesMatch "\.(gif|jpe?g|png|webp|ico|mp4|mp3)$">
Header always unset Expires
Header always set Cache-Control "must-revalidate, max-age=3600"
Header always unset Pragma
</FilesMatch>
Header always set Content-Security-Policy "default-src 'none'; img-src data: https: 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'; style-src 'self'; base-uri 'none'; form-action 'self'; media-src https: 'self'; frame-src 'none'; child-src 'none'; connect-src 'self'"
Header always set X-Frame-Options "DENY"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options nosniff
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" "expr=%{HTTPS} == 'on'"
#Header always set Referrer-Policy "no-referrer"
Header always set Permissions-Policy "geolocation=();midi=();notifications=();push=();sync-xhr=(self);microphone=();camera=();magnetometer=();gyroscope=();speaker=(self);vibrate=();fullscreen=(self);payment=();"
Header always set X-Permitted-Cross-Domain-Policies "none"
</IfModule>

Here are the plain headers:

set-cookie: __Secure-YOURSESSID=abcdefghijklmnopqrstuvwxyz123456789; path=/; secure; HttpOnly; SameSite=Lax
expires: -1
cache-control: no-store, no-cache, must-revalidate, max-age=0
pragma: no-cache
content-security-policy: default-src 'none'; img-src data: https: 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'; style-src 'self'; base-uri 'none'; form-action 'self'; media-src https: 'self'; frame-src 'none'; child-src 'none'; connect-src 'self'
x-frame-options: DENY
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
strict-transport-security: max-age=63072000; includeSubDomains; preload
permissions-policy: geolocation=();midi=();notifications=();push=();sync-xhr=(self);microphone=();camera=();magnetometer=();gyroscope=();speaker=(self);vibrate=();fullscreen=(self);payment=();
x-permitted-cross-domain-policies: none
content-type: text/html; charset=UTF-8

You can alter them to your needs. TheContent-Security-Policy header is the most important one. It might break your site, but, it will help a lot.

Use SSLLabs to test your site's security.

Here is an Apache configuration for most secure SSLLabs score:

SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384
SSLOpenSSLConfCmd ECDHParameters secp384r1

#generate DH param using: openssl dhparam -out dhparam.pem 4096
SSLOpenSSLConfCmd DHParameters "/path/to/ssl/dh4096.pem"

SSLHonorCipherOrder On
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/usr/local/apache2/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
SSLUseStapling On
SSLStaplingCache "shmcb:ssl_stapling(32768)"

Source

Share

Didn't find the answer?

Our community is visited by hundreds of web development professionals every day. Ask your question and get a quick answer for free.

Similar questions

Find the answer in similar questions on our website.

466 php - This page isn??�t working error showing because session not set
599 javascript - How to display PHP CodeIgniter error validation if the form has error and display successfully submitted if it has no error
20 php - Retrieving Role and Permission from Authenticated User Laravel Breeze + React + inertia + Spatie Permission
39 php - How can i fix this col ? i did not arange my items i tried everthing but i did not fix the problem
319 php - How can I set a specific PhpSession Cookie for a webpage?
568 php - How do I make this condition actually work, I am using woocommerce
863 php - How to fix Connection failed: Access denied for user 'webroot'@'localhost' (using password: YES)
487 php - Insert complete product data into database when checkbox is checked
82 php - Laravel HasManyThrough nor BelongsToMany doesn't work in my case. Is it database structure problem?
794 php - Initialization of div class with predetermined filter - need syntax assistance

Write quick answer

Do you know the answer to this question? Write a quick response to it. With your help, we will make our community stronger.




About the technologies asked in this question

PHP

PHP (from the English Hypertext Preprocessor - hypertext preprocessor) is a scripting programming language for developing web applications. Supported by most hosting providers, it is one of the most popular tools for creating dynamic websites. The PHP scripting language has gained wide popularity due to its processing speed, simplicity, cross-platform, functionality and distribution of source codes under its own license.
https://www.php.net/


MySQL

DBMS is a database management system. It is designed to change, search, add and delete information in the database. There are many DBMSs designed for similar purposes with different features. One of the most popular is MySQL. It is a software tool designed to work with relational SQL databases. It is easy to learn even for site owners who are not professional programmers or administrators. MySQL DBMS also allows you to export and import data, which is convenient when moving large amounts of information.
https://www.mysql.com/


HTML

HTML (English "hyper text markup language" - hypertext markup language) is a special markup language that is used to create sites on the Internet. Browsers understand html perfectly and can interpret it in an understandable way. In general, any page on the site is html-code, which the browser translates into a user-friendly form. By the way, the code of any page is available to everyone.
https://www.w3.org/html/

Welcome to webdevask.com

Welcome to webdevask.com

Welcome to the Q&A site for web developers. Here you can ask a question about the problem you are facing and get answers from other experts. We have created a user-friendly interface so that you can quickly and free of charge ask a question about a web programming problem. We also invite other experts to join our community and help other members who ask questions. In addition, you can use our search for questions with a solution.

Get answers to specific questions

Ask about the real problem you are facing. Describe in detail what you are doing and what you want to achieve.

Help Others Solve Their Issues

Our goal is to create a strong community in which everyone will support each other. If you find a question and know the answer to it, help others with your knowledge.