How to protect a website from being hacked?
Today the Internet is winning ever greater popularity, and the word "website" has firmly entered our vocabulary.
Lately two more words constantly accompany it: "development" and "promotion". No wonder: under the pressure of an improbable number of offers of website development and promotion services, these two concepts have taken root in the mind of the ordinary user as the only ones worth attention when launching an online project.
But there is one more word without which neither development nor promotion makes any sense if you are building a serious project. Moreover, if you neglect it, things can turn out much worse than they were before.
That word is security: not the physical safety of the computer on which your website is stored, which of course is also worth taking care of, but security on the Internet.
It is hard to overestimate the importance of your website's security if important data is stored in its database. It is hard to imagine, for example, that the head of the IT department of a large bank, whose database holds its clients' credit card numbers and other sensitive information, will sleep peacefully at night if told the day before that the bank's website he is responsible for is not properly protected and can be cracked within an hour by a more or less skilled attacker.
And that is very often the case! Moreover, even website code protected by special functions, a database restricted by access permissions, and a well-paid employee responsible for the security of your data cannot always guarantee you absolute protection. For this reason, so that it does not become excruciatingly painful later, a data protection system must be organized extremely carefully.
In this article I will touch on protection against perhaps the most widespread method of hacking a website: SQL injection. To begin with, let us agree that practically all modern large, complex websites are built on top of a database.
Work with the data stored in your website's database is carried out by means of the Structured Query Language, SQL. An SQL injection is a technique of inserting into the original SQL query a certain piece of code that keeps the query syntactically valid, for the purpose of gaining access to the data contained in the database.
The possibility of SQL injection arises from insufficient validation of the values accepted from the user. Depending on the DBMS used and the conditions of injection, an SQL injection can give the attacker the ability to execute arbitrary queries against the database: for example, to read the contents of any table, to delete, modify or add data, to gain the ability to read and/or write local files, and to execute arbitrary commands on the attacked server.
Most SQL injections are applied through input forms, such as user registration, subscription, ordering of goods, etc. But do not be misled into thinking that only visible input forms are involved. Very often the website URL is used for injecting SQL code. Thus, if your website is not protected against this in any way, an attacker will be able without effort to pick the keys to your database and obtain any information stored in it.
So, let us pass directly to methods of protecting your website from SQL injection:
1. Do not trust data entered by the user into a form on your website. All such data must be checked for the presence of malicious code. For this purpose, first of all, limit the length of fields wherever possible. For example, 10 characters will be quite enough for the "Name" field.
Process all data obtained from the user with special functions. In PHP the functions mysql_real_escape_string() (escapes special characters such as ' and " with a backslash) and htmlspecialchars() (converts HTML special characters into entities) will do. Here it is also possible to check the type of the entered values, for example with intval() for numeric values.
2. Limit users' rights of access to the database. The fewer rights the database user has, the less harm an SQL injection can do.
3. The principle of SQL injection is that the attacker guesses the structure of your queries to the database, picks out probable names of its tables and columns, and extracts data on the basis of the information obtained. For example, when trying to reach the password table of your database, he will try names such as pass, password, users, etc. Therefore he is unlikely to extract information from that table if you name it "aslfjsaf". However, this method is too radical, as the uninformative names will complicate work with the database for you personally.
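As an added example that is not part of the original article, the PHP below places the concatenated query that SQL injection exploits beside a version hardened the way point 1 recommends: a length and character check, intval() for numeric input, and the value bound as a query parameter rather than spliced into the SQL text (prepared statements have replaced mysql_real_escape_string(), which was removed in PHP 7). It uses an in-memory SQLite database through PDO so it runs offline; the table, rows and tainted input are constructed for the demo.

```php
<?php
// Added example (not from the original article): vulnerable query beside a
// hardened one. In-memory SQLite via PDO; table and rows are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)");
$db->exec("INSERT INTO users (id, name, role) VALUES (1, 'alice', 'admin'), (2, 'bob', 'user')");

// Vulnerable: user input becomes part of the SQL text, so a value containing
// a quote changes the structure of the query instead of being treated as data.
function findUserVulnerable(PDO $db, string $name): array {
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: reject anything that does not look like a name (length limit as in
// point 1), then pass the value as a bound parameter. Even a value containing
// quotes is compared literally and simply matches nothing.
function findUserSafe(PDO $db, string $name): array {
    if ($name === '' || strlen($name) > 10 || !preg_match('/^[A-Za-z0-9_]+$/', $name)) {
        throw new InvalidArgumentException('invalid name');
    }
    $stmt = $db->prepare("SELECT id, name FROM users WHERE name = :name");
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Numeric identifiers: coerce with intval() as the article suggests, and still bind.
function findUserById(PDO $db, string $rawId): ?array {
    $id = intval($rawId);
    $stmt = $db->prepare("SELECT id, name FROM users WHERE id = :id");
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed input: a closing quote followed by a condition that is always true.
$tainted = "x' OR '1'='1";
var_dump(count(findUserVulnerable($db, $tainted)));   // 2: the WHERE clause was rewritten
try {
    findUserSafe($db, $tainted);
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";       // validation stops it first
}
var_dump(findUserById($db, "2 OR 1=1"));              // intval() keeps only 2, returns bob
// When rendering $row['name'] in HTML, wrap it in htmlspecialchars() as point 1 notes.
```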
The protection methods considered in this article will help you secure your website against attackers; however, in a real project you should by no means limit yourself to them, as this article is only introductory in nature and cannot cover all the ways and methods of data protection.
The main thing you need to understand is the importance of your website's security; it must never be forgotten. Entrust the protection of your website to professionals and sleep peacefully!