Google Offers Best Practices Against Hacking

SecurityProNews
Staff Writer
2009-02-20


Security news focuses a lot on spambots and malicious material found out in the wild. But the webmaster's backyard can be an unexpectedly dangerous place with little hacker landmines buried here and there.

Google's Webmaster Central blog talks about the two most common attacks resulting in hijacked websites: SQL injection and cross-site scripting (XSS).

An SQL injection involves inserting malicious code in a web application to exploit a security vulnerability at the database level. These are especially dangerous because they can allow hackers to manipulate URLs, search, login, and email registration to their liking. Cross-site scripting places malicious code on the webpage itself via security vulnerabilities in web applications.

For preventing SQL injections, "it's a good practice to add a layer between a form on the front end and the database in the back end. In PHP, the PDO extension is often used to work with parameters (sometimes called placeholders or bind variables) instead of embedding user input in the statement. Another really easy technique is character escaping, where all the dangerous characters that can have a direct effect on the database structure are escaped. For instance, every occurrence of a single quote ['] in a parameter must be replaced by two single quotes [''] to form a valid SQL string literal."
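The contrast described in that quote, as an added example that is not code from the Google post or from SecurityProNews: a lookup built by string concatenation beside the same lookup as a PDO prepared statement, plus PDO's own quote() to show the single-quote doubling the post mentions. It assumes PHP with the PDO SQLite driver and uses a constructed in-memory table; the input "O'Brien" is a constructed value chosen only because it contains the quote character.

```php
<?php
// Added example (not from the Google post or SecurityProNews): three ways of
// getting user input into a WHERE clause. Constructed in-memory SQLite data.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
// Note the doubled quote: the only way to write O'Brien as a literal.
$db->exec("INSERT INTO users (username) VALUES ('alice'), ('O''Brien')");

// Vulnerable: the value is spliced into the SQL text, so any single quote in
// $username changes the structure of the statement the database parses.
function findUserUnsafe(PDO $db, string $username): ?array {
    $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The escaping technique from the post: PDO::quote() doubles embedded single
// quotes and wraps the result, producing a valid SQL string literal.
function findUserEscaped(PDO $db, string $username): ?array {
    $sql = 'SELECT id, username FROM users WHERE username = ' . $db->quote($username);
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Preferred: the statement is compiled with a placeholder and the value is
// bound separately, so the database never interprets it as SQL at all.
function findUserSafe(PDO $db, string $username): ?array {
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :name');
    $stmt->execute([':name' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$input = "O'Brien";   // constructed input containing the quote the post warns about

try {
    var_dump(findUserUnsafe($db, $input));
} catch (PDOException $e) {
    // The lone quote breaks the statement: a syntax error instead of a lookup.
    echo 'unsafe query failed: ', $e->getMessage(), PHP_EOL;
}

var_dump(findUserEscaped($db, $input));
var_dump(findUserSafe($db, $input));
```

Escaping works only if it is applied to every value on every code path and matches the database's quoting rules; a bound parameter needs neither, which is why the prepared statement is the form to standardize on.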

For preventing XSS exploits, Google recommends:

· Stripping the input that can be inserted in a form (for example, see the strip_tags function in PHP);
· Using data encoding to avoid direct injection of potentially malicious characters (for example, see the htmlspecialchars function in PHP);
· Creating a layer between data input and the back end to avoid direct injection of code in the application.
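The two PHP functions those recommendations name, as an added example that is not code from the Google post or from SecurityProNews: a comment fragment rendered with the raw input beside the same fragment rendered through htmlspecialchars, with strip_tags applied on the input side. The function names, the markup and the sample comment are all constructed for this illustration.

```php
<?php
// Added example (not from the Google post or SecurityProNews): output
// encoding and input stripping for a user-supplied comment. Constructed input.

// Vulnerable: untrusted text is dropped straight into the page, so any markup
// or quote character in it becomes part of the document structure.
function renderCommentUnsafe(string $author, string $body): string {
    return '<div class="comment" data-author="' . $author . '">' . $body . '</div>';
}

// Encode for the HTML context at output time. ENT_QUOTES also escapes both
// quote characters, which is what keeps a value inside an attribute;
// ENT_SUBSTITUTE returns a replacement character instead of an empty string
// when the input is not valid UTF-8.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderCommentSafe(string $author, string $body): string {
    return '<div class="comment" data-author="' . h($author) . '">' . h($body) . '</div>';
}

// Input-side stripping, as the first recommendation suggests. It removes tags
// rather than encoding them, so it complements output encoding instead of
// replacing it: stripped text still passes through h() when rendered.
function sanitizeBody(string $body): string {
    return strip_tags($body);
}

// Constructed sample input: a quote in the author name, markup in the body.
$author = 'Ann "Quotes" Lee';
$body   = 'Nice <b>post</b> & thanks <a href="http://example.com">link</a>';

echo renderCommentUnsafe($author, $body), PHP_EOL;   // quote ends the attribute early
echo renderCommentSafe($author, $body), PHP_EOL;     // markup shown as text
echo renderCommentSafe($author, sanitizeBody($body)), PHP_EOL;   // markup removed, then encoded
```

Encoding belongs at the point of output because the right escaping depends on where the value lands; htmlspecialchars covers HTML text and quoted attributes, while a value placed inside a script block or a URL needs the encoding for that context instead.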

There's a ton of other good information in that post, including how to use the search engine to detect hidden keywords placed on a site by spammers.



About the Author:
SecurityProNews is a daily online and email publication focusing on internet security issues.
