
How to secure our website

1. Do not rely on base64_encode($string) / base64_decode($string) to protect URL ids or passwords: Base64 is a reversible encoding, not encryption, and anyone who sees the value can decode it. Store passwords only as salted hashes (password_hash() / password_verify()), and where an id must not be guessable use a random token rather than an encoded id. 2. mysql_real_escape_string() (ext/mysql, deprecated in PHP 5.5 and removed in PHP 7) and 3. addslashes($string) are not a reliable defence against SQL injection — addslashes() knows nothing about the connection character set, and escaping only helps when the caller also quotes the value. Build every query that carries user input with prepared statements (PDO or mysqli bound parameters); escaping is at best a fallback for legacy code.

http://www.docstoc.com/docs/120045604/Project-Report-on-Hacking-Attacks

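/**
 * Escape a request value for interpolation into a single-quoted MySQL literal.
 *
 * Reviewer note: this is a legacy helper. Escaping is not a substitute for
 * prepared statements (PDO / mysqli with bound parameters) — use those for any
 * query that contains external input. Two things from the original are removed:
 *  - the keyword blacklist (delete/update/union/insert/drop/http/--): it silently
 *    corrupts legitimate data (the surname "Updegraff", any URL) and is trivially
 *    bypassed because the replacement runs once ("UNIunionON" becomes "UNION");
 *  - the ext/mysql calls (mysql_real_escape_string / mysql_escape_string), which
 *    no longer exist in PHP 7+, together with the phpversion() string comparison
 *    that selected between them.
 *
 * @param string      $string raw input (e.g. a $_GET / $_POST value)
 * @param mysqli|null $link   open mysqli connection; when given, escaping is done
 *                            connection-charset-aware via mysqli_real_escape_string
 * @return string escaped value, NOT quoted — the caller still wraps it in '...'
 */
function cleanQuery($string, $link = null) {
    $string = (string) $string;
    // magic_quotes_gpc (gone since PHP 5.4) pre-slashed request data; undo it so the
    // value is not escaped twice. Guarded because the function was removed in PHP 8.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $string = stripslashes($string);
    }
    if ($link instanceof mysqli) {
        return mysqli_real_escape_string($link, $string);
    }
    // No connection available: escape the same characters as mysql_escape_string
    // (the original's own fallback). This is not connection-charset aware, so it is
    // only safe with single-byte or UTF-8 connection charsets. strtr() makes a
    // single pass, so the backslashes it inserts are never re-escaped.
    return strtr($string, array(
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        '\\'   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ));
}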

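// Input blacklist applied before a form value is accepted.
//
// Reviewer note: this is not an injection defence and must not be relied on as
// one. It rejects ordinary text (anything containing "true", "url", "eating",
// an "==" or a link), a keyword hidden inside itself ("UNIunionON") survives a
// single preg_replace() pass, and rejecting instead of escaping does nothing for
// input that reaches SQL or HTML by another path. Use prepared statements for
// SQL and htmlspecialchars() for output; keep this list, if at all, for spam
// filtering only. Entries such as "/deleted/i" and "/deletee/i" are redundant:
// "/delete/i" already matches them.
$badWords = array("/delete/i","/deleted/i","/deletee/i", "/update/i", "/updateu/i", "/updateup/i","/union/i","/unionu/i","/unionun/i", "/insert/i","/inserti/i","/insertin/i","/drop/i","/dropd/i","/dropdr/i","/http/i","/httph/i","/httpht/i","/--/i", "/url/i", "/urlu/i", "/urlur/i", "/true/i", "/truet/i", "/truetr/i", "/false/i", "/falsef/i", "/falsefa/i","/!=/i","/==/i", "/insurance/i", "/eating/i", "/viagra/i");

// $text2 is the value under test; it is defined earlier in the document (not shown here).
$text3 = preg_replace($badWords, "a12", $text2);
// Strict comparison instead of the original loose "!=". A preg_replace() failure
// (null, e.g. backtracking limit) is then also unequal to the input and rejected.
if ($text3 !== $text2) {
    // The original wrote "httpequiv": browsers ignore the unknown attribute, so the
    // redirect never fired and the page simply stopped at the error message.
    echo "<center><b>No valid data!</b></center> <meta http-equiv=\"refresh\" content=\"2; URL=http://www.mysite.de\">";
    exit;
}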

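<?php
/*

Copyright (C) 2011

Joo Dias de Carvalho Neto

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>.

*/
require_once 'MyConfig.php';

/**
 * Small MySQL access helper built on PDO.
 *
 * Reviewer note: the original used the ext/mysql API (mysql_connect, mysql_query,
 * mysql_real_escape_string), which was deprecated in PHP 5.5 and removed in PHP 7,
 * and "protected" against injection by deleting SQL keywords from input. Both are
 * replaced by prepared statements; method names and return shapes are kept so
 * existing callers keep working. The original checkIfExists() also interpolated
 * the escaped value without quotes (so the escaping did nothing) and looped on the
 * undefined constant `i` instead of `$i`; both are fixed below.
 *
 * Configuration comes from the static properties MyConfig::$DB_HOSTNAME,
 * $DB_USERNAME, $DB_PASSWORD, $DB_NAME and $DB_CHARSET, exactly as before.
 */
class DBConnection
{
    /** @var PDO|null connection opened on first use and reused by this instance */
    private $pdo = null;

    /**
     * Open (once) and return the PDO connection.
     *
     * @return PDO
     * @throws Exception if the connection cannot be established
     */
    private function getConnection()
    {
        if ($this->pdo !== null) {
            return $this->pdo;
        }
        $dsn = sprintf(
            'mysql:host=%s;dbname=%s;charset=%s',
            MyConfig::$DB_HOSTNAME,
            MyConfig::$DB_NAME,
            MyConfig::$DB_CHARSET
        );
        try {
            $this->pdo = new PDO($dsn, MyConfig::$DB_USERNAME, MyConfig::$DB_PASSWORD, array(
                // Throw on error instead of returning false (the original polled mysql_error()).
                PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
                // Real server-side prepares: bound values never become part of the SQL text.
                PDO::ATTR_EMULATE_PREPARES => false,
            ));
        } catch (PDOException $e) {
            // Keep the original contract: callers catch plain Exception.
            throw new Exception($e->getMessage(), (int) $e->getCode(), $e);
        }
        return $this->pdo;
    }

    /**
     * Legacy escaper kept for callers that still build SQL strings by hand.
     *
     * @deprecated Pass values through executeQuery($sql, $params) instead; a bound
     *             parameter is the only reliable defence against injection.
     *
     * The original additionally deleted the words delete/update/union/insert/drop/
     * http and "--" from the value. That silently corrupts ordinary data (a surname
     * such as "Updegraff", any URL) and does not stop injection: preg_replace()
     * runs once, so a keyword hidden inside itself ("UNIunionON") comes out intact.
     * The keyword stripping is therefore removed.
     *
     * Escaping covers the same characters as mysql_escape_string (NUL, \n, \r, \,
     * ', ", Ctrl-Z). It is not connection-charset aware, so it is only safe with
     * single-byte or UTF-8 connection charsets. The result is NOT quoted; the
     * caller must still wrap it in single quotes.
     *
     * @param string $string raw request value
     * @return string escaped value
     */
    public static function preventSQLInjection($string)
    {
        $string = (string) $string;
        // magic_quotes_gpc (removed in PHP 5.4) pre-slashed request data; undo it once.
        if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
            $string = stripslashes($string);
        }
        // strtr() makes a single pass, so inserted backslashes are never re-escaped.
        return strtr($string, array(
            "\0"   => '\\0',
            "\n"   => '\\n',
            "\r"   => '\\r',
            '\\'   => '\\\\',
            "'"    => "\\'",
            '"'    => '\\"',
            "\x1a" => '\\Z',
        ));
    }

    /**
     * Run a statement and return every row of its result set.
     *
     * @param string $sql    SQL text; use ? (or :name) placeholders for every value
     *                       that comes from outside the program
     * @param array  $params values bound to the placeholders (new, optional; leaving
     *                       it out keeps the original single-argument call shape)
     * @return array list of rows, each indexed both by column name and by position —
     *               the same shape as the original mysql_fetch_array(MYSQL_BOTH) loop;
     *               empty for statements that produce no result set
     * @throws Exception on any database error
     */
    public function executeQuery($sql, array $params = array())
    {
        try {
            $stmt = $this->getConnection()->prepare($sql);
            $stmt->execute($params);
            // INSERT/UPDATE/DELETE have no columns; fetching from them errors on the mysql driver.
            if ($stmt->columnCount() === 0) {
                return array();
            }
            return $stmt->fetchAll(PDO::FETCH_BOTH);
        } catch (PDOException $e) {
            throw new Exception($e->getMessage(), (int) $e->getCode(), $e);
        }
    }

    /**
     * Check whether at least one row of $table matches every field/value pair.
     *
     * Query shape (as in the original): SELECT $field FROM $table WHERE 1=1 AND f1=? AND f2=? ...
     * Values are bound as parameters; identifiers cannot be bound, so they are
     * checked against a plain-name whitelist and backtick-quoted instead. A field
     * name that is not a plain identifier now raises InvalidArgumentException where
     * the original would have emitted broken SQL.
     *
     * @param string $field  column to select ('*' is accepted)
     * @param string $table  table name, optionally "schema.table"
     * @param array  $values list of array('field' => column, 'value' => expected value)
     * @return bool true if at least one row matches
     * @throws InvalidArgumentException if an identifier is not a plain name
     * @throws Exception on database error
     */
    public function checkIfExists($field, $table, array $values)
    {
        $sql = 'SELECT ' . self::quoteIdentifier($field, true)
             . ' FROM ' . self::quoteIdentifier($table, false)
             . ' WHERE 1=1';
        $params = array();
        foreach ($values as $pair) {
            $sql .= ' AND ' . self::quoteIdentifier($pair['field'], false) . ' = ?';
            $params[] = $pair['value'];
        }
        try {
            $stmt = $this->getConnection()->prepare($sql);
            $stmt->execute($params);
            // One fetched row is enough; fetch() returns false when there is none.
            return $stmt->fetch(PDO::FETCH_NUM) !== false;
        } catch (PDOException $e) {
            throw new Exception($e->getMessage(), (int) $e->getCode(), $e);
        }
    }

    /**
     * Backtick-quote a column or table identifier after checking it is a plain name.
     * Identifiers cannot be bound as parameters, so this whitelist is the defence.
     *
     * @param string $name      identifier, optionally "schema.name"
     * @param bool   $allowStar accept the literal '*' (for SELECT lists)
     * @return string quoted identifier
     * @throws InvalidArgumentException if $name is not a plain identifier
     */
    private static function quoteIdentifier($name, $allowStar)
    {
        $name = (string) $name;
        if ($allowStar && $name === '*') {
            return '*';
        }
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)?$/', $name)) {
            throw new InvalidArgumentException('Invalid SQL identifier: ' . $name);
        }
        return '`' . str_replace('.', '`.`', $name) . '`';
    }
}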
