Can Your Website Be Hacked? Survey says - 70% can be!

Wednesday, February 14th, 2007


I’m not at all surprised to read that 70% of the websites on the web could be hacked by one means or another. This isn’t surprising to me, as I used to work for a web development firm that couldn’t care less about form security. Just get the site up for the customer and get paid; if they got hacked, the boss figured that would be another $75 per hour job he could take care of. That didn’t sit well with me, so he said, “You don’t fit in [with me],” so I stayed another two weeks and quit.

So how does someone hack a site, you may ask. Well, I’m no expert on this yet, but I have learned that when programming in PHP, you should always run htmlspecialchars on the form values being posted from a form before sending them off to your database or redisplaying them on the screen. Basically, it’s when that information is redisplayed that there is a way to fool the web server, through the use of certain escaped characters I believe, into running the output as code!

For example, let’s say you enter your name, email address, and other information in a form and hit Submit. The next page might say, “Here is what you entered… click Save to continue.” And sure enough, if there wasn’t any filtering going on, a hacker could easily do a form injection attack and start sending mail from your mail server, or in the worst case, tamper with your site and even get root access.
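Here is what that “Here is what you entered… click Save to continue” page looks like when the form values are escaped before being redisplayed. This is an added example, not code from the original post or from any site mentioned here: the `h()` helper, the `save.php` action and the sample input are all my own constructions, and the sample name deliberately contains a script tag so you can see it come out as harmless text.

```php
<?php
// Added example: a confirmation page that redisplays form input as text,
// so the browser never interprets what the user typed as HTML or script.
declare(strict_types=1);

/**
 * Escape a value for placement inside HTML (hypothetical helper name).
 * ENT_QUOTES also converts single quotes, which matters when the value
 * lands inside an attribute such as value='...'.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Build the confirmation page. Every user-supplied field passes through h(),
 * both where it is shown in the table and where it is carried forward in
 * hidden inputs for the Save step.
 */
function renderConfirmation(array $fields): string
{
    $rows = '';
    $hidden = '';
    foreach ($fields as $name => $value) {
        $safeName  = h((string) $name);
        $safeValue = h((string) $value);
        $rows   .= "<tr><th>$safeName</th><td>$safeValue</td></tr>\n";
        $hidden .= "<input type=\"hidden\" name=\"$safeName\" value=\"$safeValue\">\n";
    }
    return "<p>Here is what you entered... click Save to continue</p>\n"
        . "<table>\n$rows</table>\n"
        . "<form method=\"post\" action=\"save.php\">\n$hidden"
        . "<button type=\"submit\">Save</button>\n</form>\n";
}

/**
 * The email address is the one value that will later reach the mail
 * server, so it is validated rather than merely escaped: anything that is
 * not a single well-formed address (extra lines, extra headers) is rejected.
 */
function validEmail(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false
        && !preg_match('/[\r\n]/', $email);
}

// Constructed sample input standing in for $_POST.
$input = [
    'name'  => 'Alice <script>alert(1)</script>',
    'email' => 'alice@example.com',
];

if (!validEmail($input['email'])) {
    http_response_code(400);
    exit('Invalid email address.');
}

// h() turns < and > into &lt; and &gt;, so the name is rendered as literal
// text by the browser instead of being executed as a script.
echo renderConfirmation($input);
```

The point is that escaping is an output concern: the value is stored and passed along exactly as typed, and `htmlspecialchars` is applied at the moment it is placed into HTML. The email field gets a separate validation step because it is going somewhere other than the browser (the mail server), where HTML escaping does nothing useful.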

A friend told me about a security information site that teaches you how to hack, through a podcast. The author, Dan Kuykendall, an Internet security specialist, even provides a website “lab” that you can test with as he talks through the techniques step by step. To my knowledge, nothing else like this exists! It looks like he started this series in August of 2006, and the first tutorial is about XSS, Cross Site Scripting (for which I just recently found a filtering routine that I put on a client’s site). Here’s the link to the security tutorials.