Quick question regarding security...
What are the best ways to protect your scripts/site from XSS and other attacks?
So far, my EvulCMS 2.0, I think, is going to be secure...
I've looked at, studied, ripped apart, and rebuilt countless CMS tutorials, user admin systems, etc... downloaded phpBB, SMF, PHP-Nuke, PHP-Fusion, ripped them apart, and studied their structures...
My previous version wasn't OOP-oriented, as I hadn't really used classes yet. But since v5 was released... why not teach myself something that would make life a little easier.
When it got down to starting my security measures, I found
TechTuts - Learn. Share. Create.
I liked the code used for cleaning the user's input....
Code:
public static function Clean($string) // Create a clean function
{
    if (get_magic_quotes_gpc()) // If magic quotes is enabled
    {
        $string = stripslashes($string); // Remove the slashes magic quotes added
    }
    else // If not
    {
        $string = addslashes(trim($string)); // Trim the string, then add slashes
    }
    $string = escapeshellcmd($string); // Escape shell metacharacters (also alters legitimate text such as apostrophes)
    $string = mysql_real_escape_string($string); // Escape for MySQL; needs an open mysql_connect() link
    // strip_tags/htmlspecialchars remove XHTML; the final stripslashes undoes the backslashes added above
    $string = stripslashes(strip_tags(htmlspecialchars($string, ENT_QUOTES)));
    return $string; // Return the final string
}
I actually used this, well, not exactly... obviously I rewrote it for my system, but the concept and structure are pretty much the same...
I was curious... This, along with using a quad-encrypt system, will this help prevent most typical web-based attacks on a system?
I mean, obviously, NOTHING is 100% secure, but something like this should help at the very least SLOW down an attack process to a snail's pace... giving the logging system time to log and warn the admin about possible attacks.
Also, I was wondering.... how would you monitor a site for typical web-based attacks, to be able to log info about the attack? Pretty much for any cURL attempts, brute-forcing, injections, etc...
Not that I'm expecting to be attacked, I just want to make sure things are as secure as possible. Not only for security purposes.... but as a learning process.
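The questions above (stopping injection/XSS, and logging attacks such as brute-forcing) are usually answered not by one Clean() pass over every input but by handling each context separately: bind user data as query parameters so it can never become SQL, encode it for HTML or JavaScript only at the point where it is output, and record every login attempt so bursts of failures per source address can be spotted. The following is an added example written for this post; it is not code from the original post, from EvulCMS or from TechTuts. It assumes PHP 7.4 or later with the pdo_sqlite extension, uses an in-memory SQLite database in place of MySQL so it runs stand-alone, and the user names, passwords and IP addresses in it are constructed sample data.

```php
<?php
// Added example, not from the original post: context-specific handling
// (parameterised SQL, output encoding, attempt logging) instead of one
// catch-all Clean() function. Assumes PHP >= 7.4 with pdo_sqlite; the
// in-memory SQLite database stands in for MySQL so the script runs offline.
declare(strict_types=1);

// --- storage: parameterised queries stop SQL injection without mangling data ---

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE, pass TEXT)');
    $db->exec('CREATE TABLE attempts (ts INTEGER, ip TEXT, name TEXT, ok INTEGER)');
    $stmt = $db->prepare('INSERT INTO users (name, pass) VALUES (?, ?)');
    // Constructed sample user. password_hash() stores a salted hash, so the
    // stored form does not depend on the raw input and needs no escaping.
    $stmt->execute(["o'brien", password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

function login(PDO $db, string $name, string $pass, string $ip): bool
{
    // The user-supplied name is bound as a value; it can never alter the SQL.
    $stmt = $db->prepare('SELECT pass FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $ok = $row !== false && password_verify($pass, $row['pass']);
    logAttempt($db, $ip, $name, $ok);
    return $ok;
}

// --- output: encode for the context the data lands in, at the point of use ---

function renderGreeting(string $name): string
{
    // HTML body context. ENT_QUOTES also makes the value safe inside attributes.
    return '<p>Welcome, ' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

function renderJsVar(string $name): string
{
    // JavaScript context needs a different encoder than HTML; the JSON_HEX_*
    // flags keep "</script>" from ever appearing literally inside the tag.
    $encoded = json_encode($name, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return '<script>var user = ' . $encoded . ';</script>';
}

// --- monitoring: record every attempt and flag bursts of failures per source ---

function logAttempt(PDO $db, string $ip, string $name, bool $ok): void
{
    // Every attempt, successful or not, is kept so patterns can be reviewed later.
    $stmt = $db->prepare('INSERT INTO attempts (ts, ip, name, ok) VALUES (?, ?, ?, ?)');
    $stmt->execute([time(), $ip, $name, $ok ? 1 : 0]);
}

function failuresInWindow(PDO $db, string $ip, int $seconds): int
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM attempts WHERE ip = ? AND ok = 0 AND ts >= ?');
    $stmt->execute([$ip, time() - $seconds]);
    return (int) $stmt->fetchColumn();
}

function isBruteForcing(PDO $db, string $ip, int $threshold = 5, int $seconds = 300): bool
{
    // Threshold and window are illustrative; tune them to the site's real traffic.
    return failuresInWindow($db, $ip, $seconds) >= $threshold;
}

// --- demo on constructed input ---

$db = openDb();

// A legitimate apostrophe survives, where Clean() would have rewritten it.
var_dump(login($db, "o'brien", 'correct horse', '203.0.113.5'));

// Classic injection payload: bound as data, it simply matches no user.
var_dump(login($db, "' OR '1'='1", 'x', '203.0.113.9'));

// XSS payloads are inert once encoded for the context they are printed into.
echo renderGreeting('<script>alert(1)</script>'), "\n";
echo renderJsVar('</script><script>alert(1)</script>'), "\n";

// Five wrong passwords from one address inside the window trips the detector.
for ($i = 0; $i < 5; $i++) {
    login($db, "o'brien", 'wrong', '198.51.100.7');
}
var_dump(isBruteForcing($db, '198.51.100.7'));
var_dump(isBruteForcing($db, '203.0.113.5'));
```

The point of the split is that each layer only has to know its own context: the database driver handles quoting, the HTML and JavaScript encoders handle their own metacharacters, and the raw value is stored unchanged so a later change of output context (say, a JSON API) does not find pre-mangled data. The attempts table is the raw material for the monitoring question; a scheduled job or the login handler itself can query it per IP or per account and alert when the failure rate exceeds the threshold.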