In the previous article we tried to protect our website through the .htaccess
file. Now let's try to prevent SQL injection. But before doing that, let's
understand what SQL injection is and how it works.
Insertion of a SQL query via an input field in a client application form is
known as SQL injection. A successful injection can reach your database and
manipulate it by adding, updating or deleting your data.
To prevent SQL injection you can use mysql_real_escape_string:
$username = mysql_real_escape_string($_POST['userName']);
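As an added example (not code from the original article), here is the same user lookup written three ways in PHP: plain string concatenation (vulnerable), escaping as the article suggests, and a PDO prepared statement, which is the form to prefer. The table name `users`, its columns and the connection settings are assumptions.

```php
<?php
// Added example, not from the original article. Assumes a MySQL table `users`
// with columns `id` and `user_name`, reached through a PDO connection.
declare(strict_types=1);

// VULNERABLE: the raw POST value is concatenated into the SQL text, so a quote
// character in the input ends the string literal early and the rest of the
// input is parsed as SQL.
function findUserUnsafe(PDO $db, string $userName): ?array
{
    $sql = "SELECT id, user_name FROM users WHERE user_name = '" . $userName . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// ESCAPED: the article's approach. mysql_real_escape_string() belongs to the old
// mysql extension; PDO::quote() is the PDO equivalent and adds the surrounding
// quotes itself. Correct only while every value is quoted this way, every time.
function findUserEscaped(PDO $db, string $userName): ?array
{
    $sql = 'SELECT id, user_name FROM users WHERE user_name = ' . $db->quote($userName);
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// PREPARED STATEMENT: the value is sent separately from the SQL text, so it can
// never change the structure of the query, whatever characters it contains.
function findUserPrepared(PDO $db, string $userName): ?array
{
    $stmt = $db->prepare('SELECT id, user_name FROM users WHERE user_name = :name');
    $stmt->execute([':name' => $userName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Connection settings are placeholders; replace them with your own.
$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'PASSWORD', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);

$userName = (string) ($_POST['userName'] ?? '');
var_dump(findUserPrepared($db, $userName));
```

The mysql_* extension, including mysql_real_escape_string(), was removed in PHP 7.0, so on a current PHP version use PDO or mysqli with prepared statements instead.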
## Don't send any data through the query string, and never use method GET in your form.
## Don't use $_GET[' '] in your PHP code.
## Don't use common names for your form fields, like username, email, fname,
lname etc.
## Use a mix of lowercase letters, capital letters and underscores (_) in form
field names and PHP variable names.
Server side and client side form validation
Use both server side and client side form validation. Before submitting your
data you must validate at least one field. You can use JavaScript for client
side validation, and in PHP you can do the server side validation, so your form
data will be more secure and there will be less chance of a hacker inserting
data into your database. Also use CAPTCHA or reCAPTCHA by Google to prevent
spam entries.
Folder and file permission
You can set your file permissions to 0404 or 0444, so a hacker can't access
your files and edit their content. Also you can set your folder permission to
0664. If you are providing a file upload facility to your users then you can
set your folder permission to 0755.
Use a strong password
Always use a strong password: its length should be more than 6 characters, and
it should contain at least one upper case letter, one number and one special
character. Regularly change your FTP password and database password.
Never save your FTP details in FTP software. FileZilla, WS-FTP etc. offer an
option to save the user name and password in the software, but never use those
options, because in that case a hacker can easily get the user name and
password from your local PC.
Even though you have taken all necessary actions to protect your website, you
can't say that your site will never be hacked. So you should take care of the
following points.
Scan your Website Regularly
You must scan your site at least once a month to know whether everything is
fine on your website. There are some free tools available to scan your site
online, like SiteLock and Sucuri SiteCheck. Those sites will check your site
for malware and other suspicious code.
Backup Your Files and Database
You should back up your website regularly, so if it is affected at any time you
don't have to start from scratch. And if your website has a database then you
must take a database backup every day so there will be less chance of losing
data. Most hosts provide the option to take file and database backups; if your
host doesn't provide this facility then click here to learn how to take a
database backup through PHP.