So here are some tips for securing your website if you're on Ubuntu [Linux]:
-Never log in as 'root' user
-Disallow root login through settings
-Create an account with a secure password and grant it sudo privileges
-Do not share sudo privileges
-Do not use FTP, use SFTP
If you are on ANY system and using MySQL, be sure to prepare your statements and properly bind parameters.
What I mean by this is to secure yourself from something called SQL INJECTION.
To test your site if it is vulnerable for SQL INJECTION, put a single quotation ' at the end of your URL.
To prepare statements, simply put ->prepare instead of ->query before your statement and use bindParam.
Ex of above: WRONG: $con->query("SELECT * FROM cats WHERE id=:id"); RIGHT: $con->prepare("SELECT * FROM cats WHERE id=:id");
To bindParam, never use php variables in statements as they are a direct injection vulnerability, but use words with semicolons before them.
For the sake of an example, we will pretend that $id is the $_GET['id'].
So in php it would look like this:
$id = $_GET['id']
An example of an incorrect statement is:
$query = $con->prepare("SELECT * FROM cats WHERE id = $id");
$query->execute();
An example of a correct statement is:
$query = $con->prepare("SELECT * FROM cats WHERE id = :id");
$query->bindParam(':id',$id);
$query->execute();
This is how you secure SQL on your site.
-Never log in as 'root' user
-Disallow root login through settings
-Create an account with a secure password and grant it sudo privileges
-Do not share sudo privileges
-Do not use FTP, use SFTP
If you are on ANY system and using MySQL, be sure to prepare your statements and properly bind parameters.
What I mean by this is to secure yourself from something called SQL INJECTION.
To test your site if it is vulnerable for SQL INJECTION, put a single quotation ' at the end of your URL.
To prepare statements, simply put ->prepare instead of ->query before your statement and use bindParam.
Ex of above: WRONG: $con->query("SELECT * FROM cats WHERE id=:id"); RIGHT: $con->prepare("SELECT * FROM cats WHERE id=:id");
To bindParam, never use php variables in statements as they are a direct injection vulnerability, but use words with semicolons before them.
For the sake of an example, we will pretend that $id is the $_GET['id'].
So in php it would look like this:
$id = $_GET['id']
An example of an incorrect statement is:
$query = $con->prepare("SELECT * FROM cats WHERE id = $id");
$query->execute();
An example of a correct statement is:
$query = $con->prepare("SELECT * FROM cats WHERE id = :id");
$query->bindParam(':id',$id);
$query->execute();
This is how you secure SQL on your site.
