So, for you budding, neophyte web programmers, I'll lend a few tips on how to add a smidge of decent preventative security to your site using the PHP language (though most of these are general, and thus can be ported to other server-side languages with no difficulty).

Validate and Sanitize All User Input

No-brainer. You should never trust user input (the Pessimists Theory of Security ftw?) For all you know, it contains HTML or CSS code that will screw with your site's design. Worse still, it could contain JavaScript code that can send the information to a 3rd-party through dynamic script tag placement containing, say, the information stored in your cookies (hello stored site passwords). At the absolute worst, if your server has enabled the option for PHP code inside the <script> tag (DON'T), then they can basically wipe everything from your server using command line code.

So, one way to stifle this is to sanitize user input via either the htmlspecialchars() or htmlentities() functions. Basically, they encode data that is run through them in a way that they are no longer interpreted as valid HTML data by replacing characters like "<" or ">" (htmlentities() encodes EVERYTHING) with a character code. Nothing looks different to a human, but to the browser it's no longer treated as valid HTML.

Note, it's a good idea to santize data BOTH before input into a database AND when outputting it. If your database(s) are ever compromised via SQL injection, you can at least prevent that from being used to allow XSS attacks to follow suit.

Session Timestamp

This is a pretty good way to deter massive spam from a single user. Basically, upon the request of a page, store the current seconds timestamp in a Session (probably encrypt it as well). Then, when the user has performed an action (like, submitting a form to the server), perform a server side check. What you do is once again check the current Unix timestamp (the "time()" function in PHP) and compare it to the timestamp stored in the Session via subtraction. If the difference is faster than humanly possible (which also a potential sign of a less sophisticated web bot), dump the request (and perhaps record what user did it):


<?php
session_start();

$_SESSION["timestamp"] = myEncrypt( time() ); // store current timestamp encrypted inside a session

// create form or whatever you're doing, and wait for a submission


//On submission

if(isset($_SESSION["timestamp"])){
$oldTime = myDecrypt($_SESSION["timestamp"]);
$minInterval = 10; // the minimum amount of seconds that must pass for the submission to be considered valid

if( (time() - $oldTime) > $minInterval ){

// submission was deemed human-enough, proceed

}
else{ /* Submission was too fast, throw error, print message, etc */ }


}
else{
// Session timestamp not set, dump request
}
?>

Use CSRF Tokens

CSRF tokens (Cross-Site Request Forgery) are a randomly generated string of text that is used to try and confirm that the action that is to take place was intended and done by the user intentionally and legitimately. If you didn't catch that, I'll give an example:

Create token and form

<?php
$strong = true;
$token = bin2hex(openssl_pseudo_random_bytes("23", $strong)); //create a random string as your token

$_SESSION["token"] = $token;
?>

<!-- Example HTML form -->

<form method="post" action="">
<input type="hidden" readonly="readonly" name="fToken" value="<? echo $token; ?>" />

<input type="submit" name="form" value="Post!" />
</form>

Validate token

if(isset($_POST["form"], $_POST["fToken"], $_SESSION["token"])){

if($_POST["fToken"] === $_SESSION["token"]){

//Probably valid form submission, proceed

}
else{
//Invalid submission, end code execution and throw a created error message
}

}



That's roughly how basic CSRF token validation works (usually pretty simple, so I hope you get the idea).
In fact, HullBreach's sites currently are susceptible to a type of vulnerability that these tokens would nix.

Prevent SQL Injection

Heh, by the time I got here, I was tired of typing from my phone (and the topic is somewhat long), so let it suffice to say that preventing SQL injection is VERY important for website security. Otherwise, malicious users could mess around with your database data, to the point of completely deleting entire tables of data:




A few things to do is to find a decent tutorial on either MySQLi or - for me, preferably- PDO (PHP Data Objects). Paramaterized queries and prepared statements are things to love. What the former allows you to do is set placeholders in your SQL for the supplied data to be placed in, as well as speeding up the execution of repeated SQL statements with the latter. The better style of placeholders (for readability) begins with a : and followed by a relevant word. You can then proceed to bind the supplied data to each placeholder, and even ensure that the data is of the proper type:


$user = myUsername();
$post = clean($_POST["myPost"]);

//skip PDO connection info; stored connection in the variable "$pdo"

if( $stmt = $pdo->prepare('INSERT INTO table (username,msg) VALUES (:username, :message)' ){

//proceed to bind paramters to the placeholders/data type and execute the query

$stmt->bindParam(":username", $user, PDO:ARAM_STR);
$stmt->bindParam(":post", $post, PDO:ARAM_STR);

$stmt->execute(); //executes query as specified
}




Another really great thing to do is to create another SQL user that only has the ability to UPDATE, INSERT and SELECT things from the SQL database, with other statements being accessible on another SQL user that can only be used when the currently logged in user is a confirmed Administrator. Since the SQL user cannot perform DELETE, ALTER or DROP statements (namely), the structure of your database is harder to screw with since they don't have or know the required permissions to do so.

Check this site for some tutorials on how to prevent SQL injection.

Form Honepot

The honeypot method is only likely to stop really simple, widespread spamming bots, which makes it a nice, unobtrusive addition. What it entails is creating a hidden form input that is to be left blank. When the form is submitted, the server checks if the form was filled in, which if it was, proceeds to dump the request, otherwise proceed to the rest of the security checks. Since spam bots that target lots of sites simultaneously have a habit of filling in ALL form input fields (especially if they're given a provocative name attribute, like 'email' or 'message', this trap will stop them.


<form method="post" action="">
<input type="text" name="email" value="" /> //honeypot field
<input type="submit" value="Post" />

</form>

[On server]

if(isset($_POST["email"]) && empty($_POST["email"])){
// proceed to other security checks
}






Remember, each of these measures (and other like them) are in, principle and in practice, beatable. What they do is (especially the timestamp) is make things like spamming MUCH slower and decrease the likelihood (or the very possibility) of SQL Injection.


Anyway, that's all I feel like doing right now. I hope that helps some of you.

Laters ~