Member Avatar for mattyd

I am about to begin protecting a yet to be launched site againt injection attacks.(And other possible attacks)

I am making use of a large database and must fortify this fully.

I am researching this but am here to pose the question: What should my main concerns be? Please be kind enough to list these.

I need to be aware of all vulnerabilities. I do not want my DB tampered with or dumped.

Please post links so I can study this more and prepare my defenses before anything goes live.

Note: I have a form which will allow user input - What do I need to be cautious of, specifically?

Any help or further points in the right direction will be greatly appreciated!

Thank you in advance.

Matthew

  • 3 Contributors
  • 3 Replies
  • 135 Views
  • 16 Hours Discussion Span
  • Latest Post Latest Post by JorgeM
Member Avatar for GliderPilot

Never assume you know what the user will input. Check user input before doing anything with it to make sure it is what you expect it to be (I use regex expressions for this).

If you're using PHP I highly suggest the use of prepared / parameterized mysqli queries. Using a prepared statement will go a long ways at eliminating an SQL injection attack. You can do some reading on this here: http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php

commented: Thank you! +7
Member Avatar for mattyd

Thank you, GliderPilot.

Member Avatar for JorgeM

Just to add...

Check user input before doing anything with it to make sure it is what you expect it to be (I use regex expressions for this).

Even if you check it client side using JavaScript, check it again server side as well.

To mitigate some of the issues that come along with user input, try using as many controls as you can that limit free-form input such as dropdowns, checkboxes. If you do use input elements of type text, limit the number of characters this element will allow for input.

Most importantly, check the input server side.

With regards to getting information into your database, as GliderPilot suggests, use parameterized queries. This will treat the user input as literal text and mitigate common sql injection issues.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.