Results 11 to 20 of 38
-
30th Dec 2009, 01:49 PM #11Member
KeePass is amazing! ^^^
-
30th Dec 2009, 02:00 PM #12MemberWebsite's:
donotclickme.comthx for the tips.& i wud say ,just never trust everyone.
"Advertising may be described as the science of arresting the human intelligence long enough to get money from it."
Stephen Butler Leacock (1869-1944)
-
30th Dec 2009, 02:12 PM #13MemberWebsite's:
eih.bz pornDDL.me sexytattoochicks.tumblr.comMy tips:
- Hide your index.php in the dir non-accessible for others.
- Use keyscrambler addon for Firefox.
- DON'T SAVE PASSWORDS IN FF.
- Every time you leave your pc, do CTRL + SHIFT + DEL to clear your passwords etc.
Litewarez, explain this please:
- Sucure any private directories by ip whitlist
- In php always secure your inputs with mysql_real_escape_string
-
30th Dec 2009, 02:22 PM #14MemberWebsite's:
Rapidimg.orgKeep your code secure against intruders. In this article we provide examples of SQL injection attacks and how you can write code to prevent them. Stop people from getting information from your database.
In an XSS attack, the attacker tries to use client-side methods of injecting client-side script and then high-jacking a user's session. Now, we're going to provide some examples of a server-side attack where an intruder will try to obtain information from within your database. After the examples, we will go through methods of securing your code against these types of attacks.
SQL injection attacks take advantage of code that does not filter input that is being entered directly into a form. Susceptible applications are applications that take direct user input and then generate dynamic SQL that is executed via back-end code. For example say you have a logon form that accepts a user name and password. Once authenticated against the database, the application then sets a session value, or some other token for allowing the user to access the protected data.
Take a logon form for example, here you have two basic form elements, a textbox for accepting a user name, and a password box for the password.
Code:<form action="myscript.aspx"> <input type="textbox" name="username"> <input type="password" name="password"><br/> <input type="submit"> </form>
Then in the code behind:
Code:Dim SQL As String = "SELECT Count(*) FROM Users WHERE UserName = '" & _ username.text & "' AND Password = '" & password.text & "'" Dim thisCommand As SQLCommand = New SQLCommand(SQL, Connection) Dim thisCount As Integer = thisCommand.ExecuteScalar()
Now with that code in the previous example, suppose someone entered the following string into your username text box:
' or 0=0 -- The apostrophe will close the username value being sent to the SQL query, then pass another argument to the SQL query, after the last argument it then comments out the rest of the query using the "--". Since the second argument they entered into your texbox is an "or" statement, the first check on the user name doesn't matter, and since 0 is always going to equal 0 the script will execute successfully and return a positive logon. Guess what? Your intruder now has access to your application.
Ok so maybe they can logon into your application, but what else can they do? Let's take another example of SQL injection, as in the previous example of using the apostrophe to terminate the value, and proceed on to another argument, lets do this, but using something that can really ruin your application's data and day:
'; drop table users -- Definitely something that can ruin your day. Of course this type of an attack you'll probably notice pretty quick. Other SQL commands can then be entered to determine your database's structure, and return all user names and passwords from the database. You make it even easier for the attacker if you do not provide some ambiguous error message and provide the error message returned from .NET. This error message can provide critical information they need to determine what to enter in your form in order to obtain information.
SQL Injection Prevention
One method of preventing SQL injection is to avoid the use of dynamically generated SQL in your code. By using parameterized queries and stored procedures, you then make it impossible for SQL injection to occur against your application. For example, the previous SQL query could have been done in the following way in order to avoid the attack demonstrated in the example:
Code:Dim thisCommand As SQLCommand = New SQLCommand("SELECT Count(*) " & _ "FROM Users WHERE UserName = @username AND Password = @password", Connection) thisCommand.Parameters.Add ("@username", SqlDbType.VarChar).Value = username thisCommand.Parameters.Add ("@password", SqlDbType.VarChar).Value = password Dim thisCount As Integer = thisCommand.ExecuteScalar()
So if you wanted to do the authentication via a stored procedure, it may look like the following:
Code:Dim thisCommand As SQLCommand = New SqlCommand ("proc_CheckLogon", Connection) thisCommand.CommandType = CommandType.StoredProcedure thisCommand.Parameters.Add ("@username", SqlDbType.VarChar).Value = username thisCommand.Parameters.Add ("@password", SqlDbType.VarChar).Value = password thisCommand.Parameters.Add ("@return", SqlDbType.Int).Direction = ParameterDirection.ReturnValue Dim thisCount As Integer = thisCommand.ExecuteScalar()
Finally, ensure you provide very little information to the user when an error does occur. If there is database access failure, make sure you don't dump out the entire error message. Always try to provide the least amount of information possible to the users. Besides, do you want them to start helping you to debug your code? If not, why provide them with debugging information?
By following these tips for your database access you're on your way to preventing unwanted eyes from viewing your data.
-
30th Dec 2009, 11:52 PM #15OPMemberWebsite's:
litewarez.net litewarez.com triniwarez.comWell IP Whitelisting is only allowing certain ip's to be able to access a certain are
so for instance lets say you have too folders
- Admin
- Includes
Well you NOBODY but you need to access these folders so you can create a htaccess file to deny access to anyone with an ip that is not in the list!
This is done by adding a htaccess file to that directory with these contents
Code:AuthUserFile /dev/null AuthGroupFile /dev/null AuthName "Litewarez authorized area" AuthType Basic <LIMIT GET> order deny,allow deny from all allow from X.X.X.X allow from X.X.X.X </LIMIT>
just replace teh X's with your ip
MySql Escaping (mysql_real_escape_string)
mysql_real_escape_string escapes data inputted by the browser so lets look at this sql example
PHP Code:$sql = "SELECT * FROM admins WHERE admin_username = '{$_POST['username']}' AND admin_password = '{$_PSOT['password']}'"
I logged in with Username: Litewarez and Password: Litewarez
Heres how it will look
Code:SELECT * FROM admins WHERE admin_username = 'Litewarez' AND admin_password = 'Litewarez'
I logged in with Username: Litewarez' OR '1'='1 and Password: Litewarez' OR '1'='1
lets see how the string is constructed now?
Code:SELECT * FROM admins WHERE admin_username = 'Litewarez' OR '1'='1' AND admin_password = 'Litewarez' OR '1'='1'
but if i used mysql_real_escape_string on every $_POST then it would add a \ to every ' and the backslash means that thats a literal char and it will not affect the sql string structure and it will check for an admin that actually has a ' in his username or passwordJoin Litewarez.net today and become apart of the community.
Unique | Clean | Advanced (All with you in mind)
Downloads | Webmasters
Notifications,Forum,Chat,Community all at Litewarez Webmasters
-
31st Dec 2009, 12:06 AM #16OPMemberWebsite's:
litewarez.net litewarez.com triniwarez.comWhoo's idea for RoboForm and using random passwords is REALLY GOOD. this helps avoid keyloggers and if you got shit memory its a ++ all round!
Also these systems remember passwords for domain and domain dir witch is extremely useful as if you happen to go on a fishing domain like faceboook.com or summat like that it wont add the passwords to the form as this is not the domain they was saved from!Join Litewarez.net today and become apart of the community.
Unique | Clean | Advanced (All with you in mind)
Downloads | Webmasters
Notifications,Forum,Chat,Community all at Litewarez Webmasters
-
31st Dec 2009, 10:14 AM #17Member
First Step Should Be Change Your Passwords
Admin and global mod Passwords, host client area password, cpanel and ftp password
[also check admin accounts if email id is changed]
Next Step Change Database Name and User
just import the previous db in the new one..
Optional: Protect AdminCP and ModCP Directories
Delete and Upload Fresh vBulletin [or wichever script u are using] Again
-
31st Dec 2009, 03:30 PM #18Member
don't use nulled scripts
-
31st Dec 2009, 03:41 PM #19Member
-
31st Dec 2009, 03:42 PM #20Member
Some things:
Do not use the same passwords
Dont tell no one know your passwords for anything on the web ( ie via pm or w.e )
keep everything up to date.
Never use nulled scripts ( get them from trusted nullers only)
Never download anything you are un-sure about if you are not sure use VirusTotal.com and scan it to see if it is infected.
Dont let people have access unless you are sure you can really trust them.
Alot of it is common sense really..It's amazing, being in a community can cause hate. Competitors or not - DDOS isn't cool :)
Sponsored Links
Thread Information
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)
Similar Threads
-
Defendos Security - Official Thread
By l0calh0st in forum Web Development AreaReplies: 40Last Post: 31st Oct 2012, 03:54 PM -
Hosting Tutorials,Tips,Security,General | PhotonServers
By ChosenOne in forum Useful SitesReplies: 9Last Post: 20th May 2010, 10:10 AM -
Hosting Tutorials,Tips,Security,General | PhotonServers
By Raptile in forum Useful SitesReplies: 14Last Post: 19th May 2010, 06:07 PM -
[LE] PhotonServers.NET | Hosting Tutorials,Tips,Security,General
By Raptile in forum Traffic Market (Buy, Sell and Trade)Replies: 9Last Post: 14th May 2010, 06:11 AM -
Security Tips
By sniper in forum Webmaster DiscussionReplies: 6Last Post: 11th Feb 2010, 10:28 AM
themaRegister - register to forums...
Version 3.39 released. Open older version (or...