
Thread: secure system?? how??

  1. #1
    Join Date
    Nov 2001
    Location
    Malaysia
    Posts
    23
    Rep Power
    0

    secure system?? how??

    hi there,

    can you guys give me some suggestions on how to make my system more secure.

    for eg. I'm going to develop a shopping cart, what am I supposed to take note of so that people won't easily hack it??

    thank you for all your suggestions/opinions..

  2. #2
    Join Date
    Aug 2001
    Location
    Ampang KL
    Posts
    93
    Rep Power
    222
    Ermm, lots of things:

    1. Ensure SSL. Then get a cert from a qualified SSL cert-awarding body.
    2. Always double-check where the data came from using $HTTP_SERVER_VARS[HTTP_REFERER];
    3. Don't close your code; let a close friend give it a try.
    4. Put database connectivity in .htaccess; don't hard-code it in a config file.
    5. Only allow SSH/telnet from allowed hosts.

  3. #3
    Join Date
    Nov 2001
    Location
    Malaysia
    Posts
    23
    Rep Power
    0
    1. Ensure SSL. Then get a cert from a qualified SSL cert-awarding body.
    2. Always double-check where the data came from using $HTTP_SERVER_VARS[HTTP_REFERER];
    3. Don't close your code; let a close friend give it a try.
    4. Put database connectivity in .htaccess; don't hard-code it in a config file.
    5. Only allow SSH/telnet from allowed hosts.

    1. where can I get the cert? any URL you can show me where I can find more info about it??
    2. how to put my database connectivity in .htaccess? any eg. you can show me?

  4. #4
    Join Date
    Dec 2001
    Location
    kl
    Posts
    11
    Rep Power
    0
    Also beware of the coding, esp. your SQL statements.
    Having SSL enabled doesn't promise that your site is hack-proof, as SSL only applies at the transportation layer.

    I encountered many e-commerce sites (Malaysia esp.) which claimed to be secure because of SSL but always fail to maintain good programming practices. They are very vulnerable to attacks right from user login to their payment gateway. Attacks such as SQL injection or DOS can be easily performed on these so-called secure sites.

    As mentioned, good practices include putting your db connectivity at .htaccess, double-checking your HTTP_REFERRER and disabling your SSH port (port 23, I think).

    Happy programming!
    acurra79
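    The SQL-statement warning in the post above is the one piece of advice in this thread that still matters most for a shopping cart. The following is an added example (my code, not acurra79's, and written in Python with the standard sqlite3 module rather than the PHP the thread assumes) showing the login lookup done by string concatenation beside the same lookup with bound parameters. The users table and its rows are constructed for the example; real systems store password hashes, not the plaintext shown here, which is kept only so the two queries stay short and comparable.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny in-memory users table for a shopping cart."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("joyce", "s3cret"), ("acurra", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL by concatenation: whatever the user types becomes part of
    the statement, so a quote character changes the query's logic.
    Returns the list of usernames the WHERE clause matched."""
    query = (
        "SELECT username FROM users WHERE username = '" + username +
        "' AND password = '" + password + "'"
    )
    return sorted(row[0] for row in conn.execute(query))


def login_safe(conn, username, password):
    """Same lookup with bound parameters: the driver sends the input as data,
    never as SQL text, so the WHERE clause cannot be rewritten by the input."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    )
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    db = make_db()
    # A normal login behaves the same either way.
    print(login_vulnerable(db, "joyce", "s3cret"), login_safe(db, "joyce", "s3cret"))
    # An input containing a quote: the concatenated query matches every row,
    # the parameterised one matches nothing.
    odd = "' OR '1'='1"
    print(login_vulnerable(db, "joyce", odd), login_safe(db, "joyce", odd))
```

    The point of the side-by-side is that the fix is not escaping quotes by hand but keeping the query text fixed and passing user input only through parameters; every mainstream database driver, including PHP's, has an equivalent of the `?` placeholder used here.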

  5. #5
    Join Date
    Nov 2001
    Location
    Malaysia
    Posts
    23
    Rep Power
    0
    As mentioned, good practices include putting your db connectivity at .htaccess, double-checking your HTTP_REFERRER and disabling your SSH port (port 23, I think).

    I've heard of .htaccess all the time. actually... how to make use of it?? I have totally no idea how to do it... can you explain a bit?

  6. #6
    Join Date
    Dec 2001
    Location
    kl
    Posts
    11
    Rep Power
    0
    Originally posted by joyce


    I've heard of .htaccess all the time. actually... how to make use of it?? I have totally no idea how to do it... can you explain a bit?

    Here is a quick and easy tutorial on the usage of .htaccess.

    How to protect your files/directories with passwords or restrict access to your site to specific domains.

    Apache uses Basic HTTP Authentication -- limit access to your site using passwords.

    Using this type of authentication, access to a directory is controlled by password. When a request is made for a certain directory, the Web server returns a 401 status header along with a WWW-Authenticate response header, which implies that authentication is required to access the URL. At this point, a Web browser dialog box appears, asking the user to enter a user name and password. Once the user enters the required user name and password, the browser sends the user name and password along with the previous URL request to the server. The server checks to see if the user name and password are valid. If they are valid, the server returns the requested page. If the user name and password are invalid, the server responds with a 401 status and sends the same WWW-Authenticate response header.

    Two files need to be created, .htaccess and .htpasswd.
    The .htaccess file contains the information describing the type of authentication being used.
    The .htaccess file must be inside the folder you are protecting.
    The .htpasswd file is referred to in the .htaccess file and contains the usernames and passwords allowed to access the site.
    The .htpasswd file must be outside the folder you are protecting; preferably in the /home/ [username] folder (outside the www folder).

    example of .htaccess:

    AuthName "acurra private site"
    AuthType Basic
    AuthUserFile /home/acurra/.htpasswd
    # no <Limit POST> block here: a Limit would apply the password to POST requests only
    # and leave GET wide open, so the require line sits at directory level and covers every method
    require user acurra

    To create the .htpasswd file outside of the www folder:
    Go to /home/acurra/ and type in the following at the $ prompt:
    $ htpasswd -cm .htpasswd username you chose in your .htaccess file
    (press "Enter" on your keyboard)
    New password: enter your password here
    (press "Enter" on your keyboard)
    Re-type new password: reenter your password here again
    (press "Enter" on your keyboard)


    The folder and its contents are now password-protected.

    Hope this helps.
    Happy programming
    acurra79
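    To make the 401 / WWW-Authenticate exchange in the tutorial above concrete, and to show what .htpasswd actually holds, here is an added example in Python (my code, not acurra79's and not Apache's own implementation). It models one request against a protected directory with the same realm and `require user acurra` rule as the posted .htaccess. It assumes the `{SHA}` entry format that `htpasswd -s` writes (base64 of the SHA-1 digest) instead of the MD5 format produced by the `-m` flag in the post, because that format is simpler to reproduce; the usernames, passwords and the .htpasswd text are all constructed here.

```python
import base64
import hashlib
import hmac

REALM = "acurra private site"  # the AuthName from the posted .htaccess


def make_sha_entry(username, password):
    """One .htpasswd line in the {SHA} format written by `htpasswd -s`."""
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return f"{username}:{{SHA}}{digest}"


# Constructed .htpasswd contents (not the file from the thread).
HTPASSWD = "\n".join([
    make_sha_entry("acurra", "correct horse"),
    make_sha_entry("joyce", "another pass"),
]) + "\n"


def check_password(htpasswd_text, username, password):
    """True if username is listed in the file and password matches its {SHA} hash."""
    for line in htpasswd_text.splitlines():
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        if user != username or not stored.startswith("{SHA}"):
            continue
        candidate = make_sha_entry(username, password).split(":", 1)[1]
        # constant-time comparison, as a server-side check should use
        return hmac.compare_digest(candidate, stored)
    return False


def basic_header(username, password):
    """What the browser sends once the user fills in the dialog box."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def handle_request(headers, htpasswd_text, allowed_user):
    """Models Apache's Basic-auth decision for one request.
    Returns (status, response_headers): 401 with a WWW-Authenticate challenge
    until valid credentials for the user named by `require user` arrive."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, challenge          # first request: no credentials yet
    try:
        decoded = base64.b64decode(auth[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return 401, challenge          # malformed header is treated as no credentials
    user, _, password = decoded.partition(":")
    if user == allowed_user and check_password(htpasswd_text, user, password):
        return 200, {}
    return 401, challenge              # wrong password, or a user the rule does not allow


if __name__ == "__main__":
    print(handle_request({}, HTPASSWD, "acurra"))
    print(handle_request(basic_header("acurra", "correct horse"), HTPASSWD, "acurra"))
    print(handle_request(basic_header("joyce", "another pass"), HTPASSWD, "acurra"))
```

    Two things the model makes visible: .htaccess only names the realm, the password file and who is allowed, while the credentials live in .htpasswd as hashes; and `require user acurra` rejects joyce even with her correct password, which is why a `require valid-user` line is the usual choice when every listed user should get in.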

  7. #7
    Join Date
    Nov 2001
    Location
    Malaysia
    Posts
    23
    Rep Power
    0
    thanks for the info. just like to make myself clear. correct me if I'm wrong.

    are all .htaccess files the same? (your eg.) and if we put it in the config folder for eg. it will protect the database information. if other people try to access that folder, they will have to key in the correct user name and password??

    or can we say the .htaccess is just a file storing the username and some error message if the username is wrong??

    have to create the .htpasswd using ssl?? no other choice?

  8. #8
    Join Date
    Dec 2001
    Location
    kl
    Posts
    11
    Rep Power
    0
    Originally posted by joyce
    thanks for the info. just like to make myself clear. correct me if I'm wrong.

    are all .htaccess files the same? (your eg.) and if we put it in the config folder for eg. it will protect the database information. if other people try to access that folder, they will have to key in the correct user name and password??

    or can we say the .htaccess is just a file storing the username and some error message if the username is wrong??

    have to create the .htpasswd using ssl?? no other choice?

    When a particular folder (e.g. config) is protected with .htaccess, outsiders cannot access that folder unless they provide the correct username and password.

    No, the .htaccess is NOT for storing username and password. For the error message when the username or password is wrong you can have a custom 401 Unauthorized - Logon failed page.

    Thought that htpasswd is created when a new user is created. Not very sure???

    Happy programming
    Acurra
