The loopholes that exist in the use of these technologies result in some of the worst hack attacks and security breaches ever experienced in the field of web design. The internet is bustling with activity. Some of the activities conducted over the internet are very sensitive because of the nature of the information exchanged or the information stored in the database.
It is paramount that websites be provided with secure and personalized databases. One inevitable fact, however, is that once a site is deployed on the internet, it becomes a resource to be accessed by everyone, as postulated by Kabir.
Secure website development is of the utmost importance as the number of websites that provide personalized accounts and utilize cross-site information grows. "When you deploy your application on the Web, it becomes available to everyone" (Kabir 737).
In order to prescribe a viable solution for tackling the various security threats associated with trending technologies such as PHP and MySQL, it is paramount to understand the mechanisms through which those threats are orchestrated. Below is a discussion of the general techniques employed by hackers in gaining access to websites that are developed using the PHP and MySQL mix.
Query String Manipulation
In a query string manipulation attack, a hacker passes a set of values through a browser's address bar. This form of attack appears on sites that provide services of some sort. Query string manipulation can be extremely detrimental to a poorly planned and programmed website. It provides an easy access point for a hacker to gain access to the database via what is referred to as SQL injection, which leads to root access to the machine and then to subsequent access to various parts of the website's source code.
Implications
The implication of this type of attack is that the hacker gains root access to the entire computer, and he or she is limited only by the access-level restrictions applied to the web server, a level which is in fact administrative. This gives the hacker express permission to modify and even delete files that reside on the machine. The hacker also gains access to the machine's database and all of the data that exists in the database. This is true in the case of the web server and database server not being on the same machine.
The possibility of a hacker gaining access to a machine's source code presents him or her with an opportunity to orchestrate devious actions such as website defacement. Interaction with a website's source code also reveals the site's database design and schema (Wood, 2004). This could then lead to easy access to the website's database and a possible change to its content.
This kind of PHP and MySQL website attack is the result of an improperly used and handled query string. The most common mistake is trusting inputs that originate from the query string as valid. Such a mistake allows a hacker to interfere with the query string in order to get the information they require. The query string must therefore be validated and verified every time it is used in the process of creating and accessing data. The query string must be tested for both existence and validity.
Root-level access with administrator privileges can be gained because the server was not set up properly. Normally a server should be set to run with the least amount of privileges it requires to perform its duties. One should determine the appropriate level of access a server will have before a website is developed.
Illustration
Suppose one creates a link that has a query string variable that needs to be passed to the next page. This variable is referred to as ID. If one uses this variable to access information from the database, then a test for its safety should be carried out.
This test is done by means of the isset() function, which is arguably the simplest method. This allows one to move back to the previous page depending on whether the value is present. If the variable exists, one should then carry out a test to find out whether its value has been interfered with. The ID is supposed to be contained in a numeric field only, so one should examine the value with a regular expression.
PHP gives a perfectly good...
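The two tests described in the illustration (existence with isset(), then a numeric-only regular expression), written out as an added example that is not part of the original essay. It goes one step beyond the text by binding the validated ID as a query parameter; validate_id(), the articles table, the in-memory SQLite stand-in for MySQL (assumes the pdo_sqlite extension) and the sample requests are all constructed for illustration.

```php
<?php
declare(strict_types=1);

// Returns the ID as an int, or null when it is missing or malformed.
// Hypothetical helper written for this example.
function validate_id(array $query): ?int
{
    // Existence test: the parameter must be present (isset is false for null too).
    if (!isset($query['ID'])) {
        return null;
    }
    $raw = $query['ID'];
    // "?ID[]=1" arrives as an array, which must never reach preg_match().
    if (!is_string($raw)) {
        return null;
    }
    // Validity test: 1 to 9 digits and nothing else. \A and \z anchor the whole
    // string; a bare "$" would also accept a trailing newline.
    if (preg_match('/\A[0-9]{1,9}\z/', $raw) !== 1) {
        return null;
    }
    return (int) $raw;
}

// Stand-in database so the example runs offline (assumes the pdo_sqlite extension).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO articles (id, title) VALUES (42, 'Sample article')");

// Constructed query strings, each standing in for $_GET on one request.
$requests = [[], ['ID' => '42'], ['ID' => '42 OR 1=1'], ['ID' => "42\n"],
             ['ID' => ['42']], ['ID' => '-1'], ['ID' => '7']];

foreach ($requests as $query) {
    $id = validate_id($query);
    if ($id === null) {
        // A real page would redirect back to the previous page here and exit.
        echo json_encode($query), " => rejected\n";
        continue;
    }
    // The validated ID is still bound as a parameter, never concatenated into SQL.
    $stmt = $pdo->prepare('SELECT title FROM articles WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $title = $stmt->fetchColumn();
    echo json_encode($query), ' => ', $title === false ? 'no such row' : $title, "\n";
}
```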