I am busy writing a small website and recently saw a friend's website that was hacked and all HTML codes changed. I was wondering how this could be prevented? Is there any way in PHP to make sure hackers cannot change your content or code? I know that HTML code cannot be hidden from the users of the internet but I would like to know how I can prevent hackers from hacking my website and changing my content.
 
All help will be greatly appreciated.
 
Thanks in advance,
Chris
Posted 22-Apr-13 6:40am

Solution 2

PHP code is on server side, so it is totally hidden from the user; and HTML is on client side, so it is fully opened, as it is fully delivered to the client, once the client can see the page. In both cases, the user cannot modify the content.
 
You don't need anything to "protect" content. Even though some security vulnerabilities on the server may exist, they are not related to your Web application; your hosting provider is responsible for those issues; and you cannot help it or make it worse.
 
Above, I was talking only about modification of your Web site page. It does not mean that you cannot create any number of security problems by bad programming itself. The idea is very simple. You potentially open up a door to some exploit when you process your HTTP request with PHP in a way which really needs to modify some content. For example, your code may need to create some new file on the server side, modify a database, send mail messages. Why can it be dangerous? Because you might assume that the HTTP request does something legitimate, just because the context of the request is limited by your Web form or the JavaScript you have written. You should never assume that. An HTTP request can contain anything at all. The malicious artist does not have to act as a user of your site. It's really easy to fabricate any request directly. This request can ask to create or delete some files you never meant to, it can inject some mail header to turn your server host into a zombie sending spam, it can use SQL injection to screw up your database, and a lot more.
 
This is a nice example: http://xkcd.com/327/.
 
For other cases, please see my past answers on injection methods:
hi name is not displaying in name?,
EROR IN UPATE in com.ExecuteNonQuery();,
unable to send mail , it showing the error in below code .
 
How to learn safe programming? First of all, you need to learn how HTTP and Web work; your question reveals that at this time you have a very vague understanding of it. Everything else is pure logic. If you understand what can come in and what goes out, you will be able to sanitize all possible HTTP requests to limit them only to legitimate cases. Also note that most of the server-side processing is read-only, so you should focus only on the cases when your server-side code really needs to modify something or produce some side effects, in addition to the usual HTTP response.
 
—SA
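
The three side effects named in the answer above (file changes, mail headers, database writes), each with a server-side check that does not depend on what the form or JavaScript allows. This is an added example, not part of the original answer; the function names, the `uploads_demo` directory and the sample inputs are hypothetical, and it assumes the `pdo_sqlite` extension is available.

```php
<?php
// Added example: hypothetical handlers for requests that cause side effects.
// All names, paths and sample inputs below are constructed for illustration.

// File deletion: accept only a bare file name and confirm the resolved
// path is still inside the directory the feature is allowed to touch.
function resolve_user_file(string $baseDir, string $name): ?string {
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.(?:png|jpg|txt)\z/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) return null;
    return strpos($path, $base . DIRECTORY_SEPARATOR) === 0 ? $path : null;
}

// Mail: a value placed in a header must be one syntactically valid address
// and must not contain CR or LF, which would start a new header line.
function clean_reply_to(string $value): ?string {
    if (preg_match('/[\r\n]/', $value)) return null;
    $addr = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $addr === false ? null : $addr;
}

// Database: request data is bound as a parameter, never concatenated into SQL.
function add_student(PDO $db, string $name): void {
    $stmt = $db->prepare('INSERT INTO students (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
}

// Constructed inputs: values a hand-built request could carry.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'uploads_demo';
@mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'avatar.png', 'x');

var_dump(resolve_user_file($dir, 'avatar.png') !== null);
var_dump(resolve_user_file($dir, '../../index.php'));
var_dump(clean_reply_to("a@example.com\r\nBcc: x@example.net"));
var_dump(clean_reply_to('a@example.com'));

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT)');
add_student($db, "Robert'); DROP TABLE students;--");
var_dump((int)$db->query('SELECT COUNT(*) FROM students')->fetchColumn());
```

The traversal name and the header value containing a line break are both rejected with `NULL`, and the quoted name is stored as ordinary text with the table intact.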
Comments
Christopher Smit at 22-Apr-13 13:03pm
   
What I meant was.. My friend had made a site and a hacker by the name of fiofa fado or something like that had hacked the site and changed the content of the page.. He deleted all script files and created new ones only keeping some of the files and modified it.. I am wondering how he did this as we have to rebuild the entire website and the client is not happy about what happened.. On the hacked site the hacker left us a simple message stating that we should implement better security on our website.. I have read that content can be hacked and source is changed where hidden links are added to redirect an unsuspecting user to another page rewarding the hacker for his "referral".. A genius move, but a headache for me.. This particular hacker has hacked three of our published sites.. So I want to know how he is doing it and how I can prevent him from doing it again..
 
Regards,
Chris
Sergey Alexandrovich Kryukov at 22-Apr-13 13:27pm
   
You don't know what exploit was actually used. It could be a vulnerability not related to your site, but the Web hosting. As to the security of the site's content, I gave you the main ideas. Who can tell you more, without even looking at your code?
 
As I say, you should start with learning how HTTP really works, as right now you are not clear about it. When you do, review my considerations again. And I think you can accept the answer formally (green button)...
 
—SA

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


