Location: PHPKode > projects > Modular Site Manager > htdocs/tutorials/PHP-0.php
This tutorial will teach you how to prevent average hackers
from hacking your site. If you get whacked by a pro, there’s no keeping him/her
out. They would use vulnerabilities in PHP itself to get in, and there’s no
sealing those unless you patch the code and recompile it yourself, and if your
in a shared environment, that’s next to impossible.

First of all, to make your passwords and such secure, you must create a hashing function. This can (and will in this tutorial) use several hashing functions that are included in PHP, such as MD5, SHA1, crypt, or any other you'd like. To make things secure, create an extremely long hash string to append to the passwords. Here’s an example function:

function hashpass($pass)
	$ret = md5("someuberlongpeiceoftextthathasnospacesandlotsofnumbers123654574534534674562".$pass);
Now this applies to a member system of course, if you
didn’t figure that out already.

To make things secure for MySQL stuff, use define() instead
of regular variables so nothing can be overwritten when connecting to MySQL or
opening a file. Here’s what I recommend:

// define SITE_PATH (case sensitive!) to the path of your home
define("SITE_PATH", "/home/myuser/public_html/");
// define MYSQL_USER (still case sensitive) as your MySQL username.
define("MYSQL_USER", "root");
// same as above, but the password
define("MYSQL_PASS", "mysupersecretpass");
Also using the SITE_PATH constant, it allows you to change what directory your site is in in a hurry :) Mainly useful if you change host and have new username, or switch from a Linux server to a Windows server, or vice versa.

This is also something very simple, but to make sure your
code works on all servers, use &lt;?php instead of just &lt;? (longhand vs. shorthand). This allows your code to run on servers that doesn’t have short-tags enabled.

Another thing that adds quite a bit of security is making it so SQL injection is near impossible.
foreach($_POST as $key => $var)
	$_POST[$key] = addslashes($var);
foreach($_GET as $key => $var)
	$_GET[$key] = addslashes($var);

What this does is cancel out any kind of cancellation they try to do. Like if they try turning (\$_GET['user'] is set to the real thing in this case, like bob.
$user = $_GET['user'];
mysql_query("SELECT * FROM thistable WHERE username='".$user."'");

into (the user tries hacking through \$_GET['user'] by setting it to "' OR group='admin"
$user = $_GET['user'];
mysql_query("SELECT * FROM thistable WHERE username='".$user."' OR group='admin'");
Thus giving them admin privileges, and we all know that would be a very bad thing.

Also if you end up using cookies, and you store the password in one of them, it’s not a bad idea to DOUBLE HASH IT. That way they'd have to go through all the hashing twice, and doing that would frustrate any hacker, because cookie data is hashed by the browser in the first place.
Another good security step is to create a more secure include function that checks to see if there was an attempt to hack it and include a file you don’t want the user to include.
function secinc($inc_file)
	global $REMOTE_ADDR;
	if(preg_match("#^../#",$inc_file) == TRUE)
		$xpl = explode("/", $inc_file);
		$fname = str_replace(array("..", "..."), ".", implode(".", $xpl));
		$fp = fopen(SITE_PATH."logs/hacking.".$fname.".log", "a");
		$d = date("n-j-Y, g:i A");
		$t2w = $d.", IP: ".$REMOTE_ADDR.", String: ".$inc_file.".\n";
		fwrite($fp, $t2w);
		mail("hide@address.com", "HACKING ATTEMPT!", $t2w, "FROM: hide@address.com");
		return false;
	} else {
		return include(SITE_PATH."include/".$inc_file.".inc.php");
This makes it so that the only files that can be included have the extension ".inc.php" and are in your includes folder, thus making it impossible to include anything else. Also it checks to see if the string "../" is in the file name. What "../" does is move to the directory 'below' the current one. So it's impossible to go into any directory you don't want them to. You could also check for a '/' so they can’t include anything in a directory above includes, but most likely that shouldn’t hurt anything, unless there's a file you don't want them to access, but then you could easily move that/those file(s) into a different directory.

This function also emails you when there is an attempt to hack it, and also logs it so you can review it later. I'll be writing a tutorial soon on making an error and hacking log system.

That about wraps things up. If you have any questions, or wish to add more to this, use the comment system below :)
Return current item: Modular Site Manager