Security Issues Creating A Site Research Proposal

Length: 17 pages Sources: 15 Subject: Education - Computers Type: Research Proposal Paper: #58026537 Related Topics: Computer Security, Database Security, Private Security, Security
Excerpt from Research Proposal :



Even though there is always some form of a risk involved in the coding technique together with the deployment methods of a website, some technologies such as PHP and MySQL form some of the worst aggravators of online website security. The loopholes that exists in the use of these technologies results in some of the worst hack attacks and security breaches ever experienced in the field of web design. The internet is bustling with a lot of activities. Some of the activities that are officiated over the internet are very sensitive due to both the nature of the information exchanged or even the information stored in the database.

It is paramount that websites be provided with secure and personalized databases. One inevitable fact however is that once a site is deployed on the internet, it becomes a resource to be accessed by everyone as postulated by Kabir

Secure website development is of the utmost importance as the number of websites that provide personalized accounts and utilize cross site information. "When you deploy your application on the Web, it becomes available to everyone" (Kabir 737)

In order to fully prescribe a viable solution to be used in tackling the various forms of security threats associated with the use of trending technologies such as PHP and MySQL, it is paramount to understand the mechanisms through which the security threats are orchestrated. Below is a discussion of the general techniques employed by hackers in gaining access to different websites that are developed using the PHP and MySQL, mix

Query String Manipulation

In a query string manipulation, is a hacker passes a set of values that are passed through a browser's address bar. This form of attack appears on site that provides services of some sort. Query String Manipulation can be extremely detrimental in poorly planned and programmed website. It provides an easy access point for a hacker to gain access to the database via referred to as SQL Injection, which leads to root access to the machine and then to the subsequent access to various parts of the websites source code.

Implications

The meaning and implication of this type of attack is that the hacker gains root access to the entire computer and is he or she only gets limited the access level restrictions provided to the web server, a level which is in fact an administrative. This gives the hacker an express permission to modify and even delete files that reside on the machine. The hacker also gains access to the machine's database and all of the data that exist in the database. This is true in the case of web server and database server not being on the same machine.

The possibility of a hacker gaining access to a machine's source code presents him or her with an opportunity to orchestrate devious actions such as website defacement. An interaction with a websites source code also give a revelation of the site's database design and schema (Wood,2004). This could then lead to an easy access to the websites' database and a possible change to its content.

This kind of PHP and MySQL website attack is as a result of to an improperly used and handled query string. The major source of common mistake is the trusting of inputs that originate from the query string as valid. Such a mistake would lead a hacker to interfere with the query string in order to get the information they require. The query string must therefore be validated accordingly and then appropriately verified every time in order in the process of creating and accessing of data. Query string must therefore bee tested for both existence and utmost validity.

Root level access with the administrator privileges can be gained because the server wasn't set up properly. Normally a server should be set to run with the least amount of privileges required by the server to perform its duties. One should determine the appropriate level of access a server will have before a website is developed.

Illustration

When one creates a link that has a query string variable needed to be passed to the next page. This variable is referred to as ID. If one uses this variable to access information from the database then a test for its

...

This allows one to move the back to the previous page whenever the value is present. Then if the variable exists one should then carry out a test to find out if its value has been interfered with. The ID is supposed to be contained in a numeric field only so we on should carry out an examination on the value which has a regular expression.

PHP gives a perfectly good regular expression evaluator function refered to as: ereg (). According to Friedl (2002)"Regular expressions are the key to powerful, flexible, and efficient text processing." By means of the regular expression, '^[0-9]+$', the testing of the value will ensure that there is at least a one digit (0-9) in the variable. The analysis of regular expressions is never to be explored at this point.

After the verification of the value if the ID, the employment of this variable becomes more secure, and one will have gotten rid of most of the invalid ID values. To offer more security, if this value is being utilized to access a file or a database field, one should test such scenarios for its existence before employing the value.

Separation of client and server

As pointed out by Kabir (2003).Sensitive data is often made available unintentionally by programs to people who should not have any access to the information." The various web applications usually run in two separate locations; that is, the server and the client. This has the meaning that both the locations must be developed to give the best security for the user and the system itself. The server must be developed in a way that ensures that the information being stored is never compromised. This must be done while the client should be developed to present and also to retrieve only the required data. A client that gives out too much information is never secure.

This means that the server is the place all the application dynamics are taken place. This separation is therefore mostly evident to the user since are the ones seeing everything that happens during the server -client interaction. This action is so since PHP operates on a transitive level for the website (between the client and the server). The user then request a webpage (1) and then server responds by locating file (2) together with its directories. It then processes (3) and finally delivers the result to the user (4).

Source: Wood (2004)

Developing applications for the client has the implications that the data and actions the user can carry out must be limited.

As a rule of thumb web page must never allow the user to interact directly with a database. If a particular user id providing information then the client should only collect and submit the acquired data to the server.

How it happens

In the process of developing a web page a particular developer would have to manage two different kinds of data types . The data types are very sensitive since they mainly contain user information and various forms business data. The second data type which is insensitive contains application level data that is used to display various forms of images files.

The web application client can be decoded and then subsequently viewed by the unintended audience and this therefore gives room to the client domain to be the entry point of accessing the various sensitive data. This leads to the exposure of sensitive data the tainted version of the client can be utilized to attack the website and also to fool other unsuspecting website users into giving out vital personal and financial information.

A particular webpage is delivered to a browser in a HTML format. This HTML script is then interpreted by the browser and is viewable in plain text. Since HTML is readily and commonly available to most web browsers, it allow its user to seamlessly view the source code of a particular web page.

A hacker then analyses the source code of a web page and then deduces some of the functionalities that may be contained on the page. A form and its input fields may all have values that get posted when the particular form is submitted. This content can than be effectively manipulated in order to as something else which dupes the server to think that it is receiving something else other then what the page was originally intended to submit. Such a form of form overloading can lead to sensitive…

Sources Used in Documents:

Bibliography

Bloch, M (2004). "PHP/MySQL Tutorial - Introduction." ThinkHost. .

Friedl, J (2002). Mastering Regular Expressions, Second Edition. Sebastopol, CA: O'Reilly & Associates Inc., 2002.

Kabir, MJ (2003) Secure PHP Development: Building 50 Practical Applications.

Indianapolis, in: Wiley Publishing, Inc.


Cite this Document:

"Security Issues Creating A Site" (2010, April 28) Retrieved August 14, 2022, from
https://www.paperdue.com/essay/security-issues-creating-a-site-196640

"Security Issues Creating A Site" 28 April 2010. Web.14 August. 2022. <
https://www.paperdue.com/essay/security-issues-creating-a-site-196640>

"Security Issues Creating A Site", 28 April 2010, Accessed.14 August. 2022,
https://www.paperdue.com/essay/security-issues-creating-a-site-196640

Related Documents
Security Issues Created by a
Words: 1322 Length: 4 Pages Topic: Transportation Paper #: 81453829

But there is a need that the success of the products is followed by satisfied and committed workers rather the workers whose life is in danger as they clean and process the iPads and iPhones. Globalization and International Trade The second chosen article has been taken from a journal of trade. The article "Transportation Costs and International Trade in the Second Era of Globalization" written by David Hummels has mentioned the

Security Issues of Online Communities
Words: 15576 Length: 60 Pages Topic: Education - Computers Paper #: 35642606

This researcher rejects the existence of online communities because computer mediated group discussions cannot possibly meet this definition. Weinreich's view is that anyone with even a basic knowledge of sociology understands that information exchange in no way constitutes a community. For a cyber-place with an associated computer mediated group to be labeled as a virtual settlement it is necessary for it to meet a minimum set of conditions. These are:

Thematic Analysis of Security Issues
Words: 20201 Length: 78 Pages Topic: Recreation Paper #: 25267847

Security Study Travel and tourism are major industries in European countries such as Greece. The hotel industry is dedicated to making the accommodations for their patrons as enjoyable as possible. This means ensuring that hotel guests, visitors, and staff have a safe and secure environment. It is for this reason that many of the larger hotel chains have their own private security personnel who are entrusted to maintain the safety of

Operation of the Homeland Security Council Creates
Words: 1614 Length: 6 Pages Topic: Terrorism Paper #: 45717577

Operation of the Homeland Security Council Creates the Homeland Security Council and sets down is functions. This directive creates the Homeland Security Council (HSC) and lists its functions. The purpose of the HSC is to synchronize homeland security-related efforts across executive departments and agencies of all levels all through the country, and to put into practice the Department's policies by way of eleven Policy Coordination Committees. Homeland Security Presidential Directive 3: Homeland

Gfis Authentication Technology and Network Security Issues
Words: 5811 Length: 25 Pages Topic: Black Studies - Philosophy Paper #: 91942971

GFI Turn-Around IT Strategy Turn-around Information Technology Strategy for Global Finance, Inc. (GFI) GFI's Authentication Technology and Network Security Issues GFI TURN-AROUND IT STRATEGY Global Finance Inc. offers services in the finance industry. This is a sensitive area of business that requires tight security policies and strategies to be implemented on the network of such an organization. GFI has, however, not given much attention to the IT department, especially, its security and thus the

Computer Network Security Issues Computer
Words: 1894 Length: 6 Pages Topic: Education - Computers Paper #: 22135424

In some instances, policies implemented mainly as cost-effective shortcuts to network system security have cost otherwise good employees their jobs for violations of excessively restrictive network use policies. In the realm of the home computer user, it is possible to buy many new redundant or unnecessary security programs and features. Generally, appropriate network security should not interfere noticeably with either personal home computer use or computer system use in