Webmaster Malaysia Forum » Website Design & Development » Website Programming

secure system?? how??

#1 joyce, 02-07-2002, 11:19 AM

hi there,

can you guys give me some suggestions on how to make my system more secure?

for example, i'm going to develop a shopping cart; what am i supposed to take note of so that people won't easily hack it?

thank you for all your suggestions/opinions..
#2 bazet, 02-07-2002, 02:51 PM
Ermm, lots of things:

1. Ensure SSL. Then get a cert from a qualified SSL cert awarding body.
2. Always double check where the data came from using $HTTP_SERVER_VARS[HTTP_REFERER];
3. Don't close your code; give a try to your close friend.
4. Put database connectivity in .htaccess; don't hard-code it in a config file.
5. Only allow ssh/telnet from allowed hosts.
#3 joyce, 02-07-2002, 05:16 PM
Quote:
1. Ensure of SSL . Then get cert from qualified SSL cert awarding.
2. Always double check where the data came from using $HTTP_SERVER_VARS[HTTP_REFERER];

3.Don close your code, give a try to your close friend.
4.Put database connectivity in .htacess , don't hard coded it in config file.
5. Only allow ssh telnet from allowed host.
1. where can i get the cert? any url you can show me, or where can i find more info about it??
2. how do i put my database connectivity in .htaccess? any example you can show me?
#4 acurra79, 02-07-2002, 06:21 PM
Also beware of the coding, esp. your SQL statements.
Having SSL enabled doesn't promise that your site is hack proof, as SSL only applies at the transport layer.

I have encountered many e-commerce sites (Malaysian ones especially) which claimed to be secure because of SSL but always failed to maintain good programming practices. They are very vulnerable to attacks right from user login to their payment gateway. Attacks such as SQL injection or DOS can be easily performed on these so-called secure sites.

As mentioned, good practices include putting your db connectivity in .htaccess, double checking your HTTP_REFERRER and disabling your SSH port (port 23, I think).

Happy programming!
acurra79
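The login-form SQL injection acurra79 warns about, shown as an added example that is not code from the thread. The users table, the account, the crafted input and the function names are all constructed for the demonstration; the point is that SSL protects the bytes in transit but says nothing about what the server does with them once they arrive, while a parameterised query keeps the input as data.

```python
"""
Added example (not from the forum thread): a login check that pastes form
values into the SQL text, beside the parameterised version that fixes it.
The table, the user and the crafted input are constructed sample data.
"""
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory users table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    # Constructed sample user. Unsalted SHA-256 keeps the demo short; a real
    # cart should use a salted, slow password hash.
    conn.execute(
        "INSERT INTO users VALUES (?, ?)",
        ("joyce", hashlib.sha256(b"correct horse").hexdigest()),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The pattern acurra79 is criticising: the username arrives from the form
    and is concatenated straight into the SQL, so a quote in it can change the
    meaning of the query rather than being compared as a value."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND pw_hash = '" + pw_hash + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query: the driver sends the SQL text and the values
    separately, so quotes or comment markers in the input are just data."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash),
    ).fetchone()
    return row is not None


def demo() -> dict:
    """Run both checks with good credentials and with a constructed username
    that closes the quote and comments out the password clause."""
    conn = make_db()
    crafted = "joyce' --"  # constructed input; '--' starts an SQL comment
    return {
        "vulnerable_good_creds": login_vulnerable(conn, "joyce", "correct horse"),
        "vulnerable_crafted": login_vulnerable(conn, crafted, "anything"),
        "safe_good_creds": login_safe(conn, "joyce", "correct horse"),
        "safe_crafted": login_safe(conn, crafted, "anything"),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable function accepts the crafted username with any password because the password comparison has been commented out of the query; the parameterised function rejects it because no user is literally named `joyce' --`. A web application firewall or SSL certificate changes neither result; only the query construction does.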
#5 joyce, 04-07-2002, 10:30 AM
Quote:
As mentioned, good pratices include putting your db connectivity at .htaccess, double check your HTTP_REFERRER and disable your SSH port (port 23, I think).
i've heard of .htaccess all the time. actually...how do i make use of it?? i have totally no idea how to do it...can you explain a bit?
#6 acurra79, 05-07-2002, 09:18 AM
Quote:
Originally posted by joyce
i've heard of .htaccess all the time. actually...how to make use of it?? i have totally no idea how to do it...can explain a bit?

Here is a quick and easy tutorial on the usage of .htaccess.

How to protect your files/directories with passwords or restrict access to your site to specific domains.

Apache uses Basic HTTP Authentication -- limit access to your site using passwords.

Using this type of authentication, access to a directory is controlled by password. When a request is made for a certain directory, the Web server returns a 401 status header along with a WWW-Authenticate response header, which implies that authentication is required to access the URL. At this point, a Web browser dialog box appears, asking the user to enter a user name and password. Once the user enters the required user name and password, the browser sends the user name and password along with the previous URL request to the server. The server checks to see if the user name and password are valid. If they are valid, the server returns the requested page. If the user name and password are invalid, the server responds with a 401 status and sends the same WWW-Authenticate response header.

Two files need to be created, .htaccess and .htpasswd.
The .htaccess file contains the information describing the type of authentication being used.
The .htaccess file must be inside the folder you are protecting.
The .htpasswd file is referred to in the .htaccess file and contains the usernames and passwords allowed to access the site.
The .htpasswd file must be outside the folder you are protecting; preferably in the /home/[username] folder (outside the www folder).

example of .htaccess:

# Realm shown in the browser's login dialog
AuthName "acurra private site"
AuthType Basic
# Password file kept outside the web root
AuthUserFile /home/acurra/.htpasswd
# Apply to every request method. The original wrapped this line in
# <Limit POST>, which would have left GET requests to the folder unprotected.
require user acurra

To create the .htpasswd file outside of the www folder:
Go to /home/acurra/ and type the following at the $ prompt, using the username you chose in your .htaccess file (-c creates the file, -m stores the password as an MD5 hash):
$ htpasswd -cm .htpasswd acurra
(press "Enter" on your keyboard)
New password: enter your password here
(press "Enter" on your keyboard)
Re-type new password: re-enter your password here again
(press "Enter" on your keyboard)


The folder and its contents are now password-protected.

Hope this helps.
Happy programming
acurra79
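The 401 / WWW-Authenticate / Authorization round trip described in the post above, as an added example that is not part of the thread. It models the server side of Basic auth against an .htpasswd-style file: the file contents are constructed, Apache's "{SHA}" entry format (what `htpasswd -s` writes) is used because it needs only the standard library, and `handle_request`, `verify` and the other names are hypothetical. One thing worth seeing in the code: the browser sends the username and password base64-encoded, not encrypted, which is why this kind of protection belongs behind the SSL that bazet's first point asks for.

```python
"""
Added example (not from the forum thread): Basic HTTP Authentication checked
against .htpasswd-style entries. The .htpasswd text is constructed; the
{SHA} format is base64(sha1(password)), as produced by 'htpasswd -s'.
"""
import base64
import hashlib
import hmac

REALM = "acurra private site"  # the AuthName from the thread's .htaccess
ALLOWED_USERS = {"acurra"}      # the 'require user acurra' line


def sha_entry(password: str) -> str:
    """Apache {SHA} password entry: base64 of the raw SHA-1 digest."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


# Constructed .htpasswd contents, as 'htpasswd -sc .htpasswd acurra' would
# write for the (constructed) password "letmein". One 'user:entry' per line.
HTPASSWD_TEXT = "acurra:" + sha_entry("letmein") + "\n"


def parse_htpasswd(text: str) -> dict:
    """Map username -> stored entry, skipping blank and comment lines."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, entry = line.partition(":")
        users[user] = entry
    return users


def verify(users: dict, username: str, password: str) -> bool:
    """True only if the user exists, is in the allowed set, and the password
    hashes to the stored entry. Constant-time compare avoids timing leaks."""
    entry = users.get(username)
    if entry is None or username not in ALLOWED_USERS:
        return False
    if not entry.startswith("{SHA}"):
        return False  # other htpasswd formats (MD5/bcrypt) are out of scope here
    return hmac.compare_digest(entry, sha_entry(password))


def handle_request(users: dict, headers: dict):
    """Return (status, response_headers) for one request, the way the server
    side of Basic auth behaves: challenge until valid credentials arrive."""
    challenge = {"WWW-Authenticate": 'Basic realm="%s"' % REALM}
    scheme, _, cred = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not cred:
        return 401, challenge
    try:
        # The credential is only base64 'user:password', not encrypted.
        decoded = base64.b64decode(cred, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return 401, challenge
    username, sep, password = decoded.partition(":")
    if not sep or not verify(users, username, password):
        return 401, challenge
    return 200, {}


def demo() -> dict:
    """Walk through the exchange: no header, good, wrong password, unknown user."""
    users = parse_htpasswd(HTPASSWD_TEXT)
    good = base64.b64encode(b"acurra:letmein").decode()
    bad = base64.b64encode(b"acurra:wrong").decode()
    other = base64.b64encode(b"joyce:letmein").decode()
    first = handle_request(users, {})
    return {
        "no_header": first[0],
        "challenge": first[1].get("WWW-Authenticate", ""),
        "good": handle_request(users, {"Authorization": "Basic " + good})[0],
        "bad_password": handle_request(users, {"Authorization": "Basic " + bad})[0],
        "unknown_user": handle_request(users, {"Authorization": "Basic " + other})[0],
    }


if __name__ == "__main__":
    print(demo())
```

The first request carries no Authorization header and gets the 401 plus the realm challenge that makes the browser show its dialog; only the base64 of `acurra:letmein` produces a 200, and a wrong password or a user not named in the require line gets the same 401 and the same challenge again.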
#7 joyce, 09-07-2002, 10:49 AM
thanks for the info. i'd just like to make myself clear. correct me if i'm wrong.

is every .htaccess file the same (as your example)? and if we put it in the config folder, for example, it will protect the database information; if other people try to access that folder, they will have to key in the correct user name and password??

or can we say the .htaccess is just a file storing the username and some error message if the username is wrong??

do i have to create the .htpasswd using ssl?? is there no other choice?
#8 acurra79, 12-07-2002, 10:41 AM
Quote:
Originally posted by joyce
thanks for the info. just like to make myself clear. correct me if i'm wrong.

all the .htaccess file is same? (ur eg) and if we put it in the config folder for eg. it will protect the database information. if other ppl try to access tat folder, they will have to key in the correct user name and password??

or can say the htaccess is just a file storing the username and some error mesg if the username is wrong??

have to create the .htpasswd using ssl?? no other choice?
When a particular folder (e.g. config) is protected with .htaccess, outsiders cannot access that folder unless they provide the correct username and password.

No, the .htaccess is NOT for storing the username and password. For the error message when the username or password is wrong, you can have a custom 401 Unauthorized - Logon failed page.

I thought that htpasswd is created when a new user is created. Not very sure???

Happy programming
Acurra