LLGamer59

[web] General question on security


Hello all: I am in the midst of considering moving my hobby project into the commercial realm. I have very little web design experience, and have a small Yahoo-hosted website that I have not publicized yet. My concerns are over security. While not asking any specific question (because I'm too green for that), are there pointers to places to start my education about web security issues in web design? I plan to offer downloadable games and developer packs, and need to get up to speed on anti-hacker measures. Any links or pointers would be greatly appreciated!

Hah! You want a specific answer without asking a specific question! The greener you are, the more questions you should have! Seriously though, I know what you're asking and, without getting too specific, what's the environment you're working in? What language(s) are you using and/or have available? Who's in charge of your server(s)? What's your root password?

Quote:
Original post by Mage2k
<snip> Who's in charge of your server(s)? What's your root password?


LOL! Looking for a real newbie. I wouldn't post your root password here. Just saying.

Oh, ok, my root password is rov...hey, wait a minute. I guess that is lesson #1. :)

I'm working with a Yahoo hosted web page, using straight html and some php. I intend to host the normal spectrum of features, with articles, a forum and downloadable zips containing the game components and development tools.

None of the games will be online, so I don't need any game servers. Just a straightforward site, although I would like the ability for registered users to upload and share game mods.

As I said, I don't have specific questions, but am more looking for a starting point - a site that discusses security issues and concerns, and maybe compares some different approaches.

Any pointers to places that people have found useful would be appreciated. Thanks!

Here's some advice:

1) If you install a content management system or a forum for your website, you *must* keep it up-to-date. Always upgrade as soon as new versions come out. This also means taking care of plugins. Some CMS systems have very nice plugin systems where you can easily upgrade the base software without causing conflicts (Mambo, Joomla). Other software doesn't, so in these cases you should install as few plugins as possible and not make changes to the code. If you have to, generate and maintain proper patches for them.

2) If you write your own website software, be sure to have other people look at the code. More eyes == less bugs.

Quote:
Original post by Sander
Always upgrade as soon as new versions come out.

Always upgrade as soon as new *stable* versions come out.
Just to prevent any confusion: many open source projects make available both a stable and a development version. For the best tested (and therefore hopefully the most secure), always use the stable version on production machines. For example, MySQL 5.0 is the stable version, although versions of 5.1 and even 5.2 are available too.

Some other pointers are difficult to give, due to the broadness of your question. You might take a look at things like 'SQL code injection' or 'Denial of Service attacks' for a general idea.

A general principle to start off with is - don't trust the browser. Don't assume they will only submit valid data in the forms, don't assume they will only access pages which you've previously served up as links, don't assume they will access your pages in the order you expect, don't assume they'll keep information that you give them (eg. cookies), and don't assume they'll send you the same cookie that you gave them in the first place.

Therefore, minimise the data you send them, and the data you read from them. If you need to track visits or sessions, just send them a single ID and associate that with data on the server side - PHP does this for you, I seem to recall. Check everything that you get back from a form and never submit form data to a database or external library without running it through the correct sanitisation function first.
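The "don't trust the browser" principle from the post above, as an added PHP example (not code from the original thread or from any poster). The browser is handed only an opaque session ID; who the user is, which step they have reached and what an item costs are all looked up server-side, so a tampered cookie, a skipped page or a forged hidden price field buys nothing. The in-memory `$store`, the `CATALOGUE` constant, the `handle()` function and the sample requests are all constructed for the demo; a real site would back the store with PHP's session handler or a database.

```php
<?php
// Added example (not from the original thread): "don't trust the browser".
// The client holds only an opaque session ID; everything it might want to lie
// about (identity, progress, price) lives server-side. $store, CATALOGUE and
// the demo traffic below are constructed for this example.
declare(strict_types=1);

// Server-side session store: opaque id => data. The id carries no meaning, so
// forging one gains nothing, and at 128 random bits guessing one is infeasible.
$store = [];

function newSession(array &$store, string $user): string
{
    $id = bin2hex(random_bytes(16));          // 32 hex chars from a CSPRNG
    $store[$id] = ['user' => $user, 'step' => 0];
    return $id;                               // the only thing sent to the browser
}

// What we actually sell. Prices come from here, never from a form field.
const CATALOGUE = ['devpack' => 1999, 'game1' => 499];   // cents

// Handle one request. $cookie and $post stand in for $_COOKIE / $_POST and are
// treated as hostile. Returns a status string for the demo.
function handle(array &$store, array $cookie, array $post): string
{
    // 1. Don't assume the cookie we receive is one we issued.
    $sid = $cookie['sid'] ?? '';
    if (!preg_match('/^[0-9a-f]{32}$/', $sid) || !isset($store[$sid])) {
        return 'reject: unknown session';
    }
    $sess = &$store[$sid];

    $action = $post['action'] ?? '';

    // 2. Only items we know about can enter the cart.
    if ($action === 'add') {
        $item = $post['item'] ?? '';
        if (!isset(CATALOGUE[$item])) {
            return 'reject: unknown item';
        }
        $sess['cart'] = $item;
        $sess['step'] = 1;
        return "ok: added $item";
    }

    // 3. Don't assume pages are visited in order: checkout requires that the
    //    *server* recorded the cart step, whatever the browser claims.
    if ($action === 'checkout') {
        if ($sess['step'] < 1) {
            return 'reject: checkout before cart';
        }
        // 4. A posted 'price' field is ignored; the price is ours to decide.
        $price = CATALOGUE[$sess['cart']];
        $sess['step'] = 2;
        return sprintf('ok: %s charged %d cents for %s', $sess['user'], $price, $sess['cart']);
    }
    return 'reject: unknown action';
}

// --- constructed demo traffic ---
$sid = newSession($store, 'alice');

echo handle($store, ['sid' => 'deadbeef'], ['action' => 'checkout']), "\n";            // unknown session
echo handle($store, ['sid' => $sid], ['action' => 'checkout']), "\n";                 // checkout before cart
echo handle($store, ['sid' => $sid], ['action' => 'add', 'item' => 'devpack']), "\n";
echo handle($store, ['sid' => $sid], ['action' => 'checkout', 'price' => '1']), "\n"; // price field ignored
```

The same shape carries over to PHP's built-in sessions: `session_start()` issues the opaque ID and `$_SESSION` is the server-side record; the point is that nothing in `$_SESSION` should ever be set straight from `$_GET`, `$_POST` or `$_COOKIE` without being checked against what the server already knows.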

As Kylotan said: trust nothing -- validate and sanitize everything. Sanitize anything supplied by the client before you use it. This is especially important to protect yourself from SQL injection and cross site scripting.

Some good rules:

- Cast any non-string variable from GET/POST to the expected type before using it.
$x = (int)$_GET['x'];

- Escape all input before sending it to the database.
mysql_query('select * from sometable where somecolumn = "' . mysql_real_escape_string($x) . '"');

- Escape all variables before printing them:
$url = strip_tags($_GET['url']);
echo '<a href="' . htmlspecialchars($url, ENT_QUOTES) . '">User\'s URL</a>';


[Edited by - SantaClaws on February 1, 2007 9:21:27 AM]
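The three rules in the post above (cast, escape for the database, escape for output) worked through as one runnable script. This is an added example, not code from the thread; the snippets above use the old `mysql_*` extension, which was removed in PHP 7.0, so this version uses PDO with bound parameters instead of string escaping, which is the current idiom for the same rule. It assumes PHP 7.4 or later with the `pdo_sqlite` extension; the in-memory `mods` table, the `readInt()`, `findModsByOwner()` and `renderLink()` helpers and the fake `$get` request are all constructed for the demo.

```php
<?php
// Added example (not from the original thread). Validate input, parameterise
// SQL, escape output. Assumes PHP >= 7.4 with pdo_sqlite; the table and the
// sample request are constructed for the demo.
declare(strict_types=1);

// --- Rule 1: coerce non-string input to the expected type, reject junk ---
function readInt(array $source, string $key, int $min = 0): ?int
{
    // FILTER_VALIDATE_INT rejects "12abc", "1e3", " 12" etc. outright,
    // where a bare (int) cast would silently turn "2abc" into 2.
    $v = filter_var($source[$key] ?? null, FILTER_VALIDATE_INT,
                    ['options' => ['min_range' => $min]]);
    return $v === false ? null : $v;
}

// --- Rule 2: never build SQL by concatenating input ---
function buildDb(): PDO
{
    $db = new PDO('sqlite::memory:', null, null,
                  [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE mods (id INTEGER PRIMARY KEY, owner TEXT, title TEXT)');
    $ins = $db->prepare('INSERT INTO mods (owner, title) VALUES (?, ?)');
    $ins->execute(['alice', 'Bigger Explosions']);
    $ins->execute(['bob',   'Night Maps']);
    return $db;
}

function findModsByOwner(PDO $db, string $owner): array
{
    // The value travels as a bound parameter; the engine never parses it as SQL,
    // so "bob' OR '1'='1" is just a (non-existent) owner name.
    $stmt = $db->prepare('SELECT id, title FROM mods WHERE owner = :owner');
    $stmt->execute([':owner' => $owner]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Rule 3: escape for the context you are writing into (here: HTML) ---
function renderLink(string $url, string $label): string
{
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    // Only http(s) URLs become links; javascript: and data: schemes would
    // survive htmlspecialchars untouched, so they are refused up front.
    $scheme = strtolower((string)parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return $esc($label);
    }
    return '<a href="' . $esc($url) . '">' . $esc($label) . '</a>';
}

// --- Demo with a constructed request standing in for $_GET ---
$get = [
    'page'  => '2abc',                              // tampered integer
    'owner' => "bob' OR '1'='1",                    // classic injection attempt
    'url'   => 'javascript:alert(document.cookie)', // script URL
    'label' => '<img src=x onerror=alert(1)>',      // markup in a text field
];

$page = readInt($get, 'page', 1) ?? 1;             // 1, not 2
$db   = buildDb();
$rows = findModsByOwner($db, $get['owner']);       // [] : no such owner
echo "page=$page mods=" . count($rows), "\n";
echo renderLink($get['url'], $get['label']), "\n"; // escaped text, no <a>
echo renderLink('https://example.com/mod.zip', 'Night Maps'), "\n";
```

Two things worth noticing against the snippets above: `strip_tags()` is not needed once the string is passed through `htmlspecialchars()` on output, since the angle brackets are rendered inert either way; and escaping is per context, so a value that is safe inside an HTML attribute still needs a bound parameter when it goes into SQL, and vice versa.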

Great! Yes, that's the sort of stuff I was looking for; basically, which bus is gonna hit me first, how hard, and how much it's gonna hurt...

I will use the issues mentioned to further my search for more potential gotchas. Any others that people have seen, or been burned by, would be greatly appreciated! And I warn you, I'll be back with more specific questions as I proceed.

Thanks again...
