The checks can be circumvented, and you should check these conditions also on the server side. The absence of such a check may lead to the insertion of malicious code into your database or undesirable results of the website. A visit to toto-rox.com makes things perfect now.
Passwords
Everyone knows that you need to use complex passwords, but this does not mean that people always do this. It is critically important to use complex passwords for your server and website administration unit, but it is equally important to require your users to use complex passwords for their accounts.
- Despite the fact that users do not like this, compulsory requirements for passwords, such as a minimum length of at least eight characters, the inclusion of upper case characters or numbers in the password will help them ultimately save their information.
For extra protection, you can use a “salt” for passwords, while adding a new “salt” to each password. - If the website is hacked and the attacker receives data with passwords, storing hashed passwords will help reduce damage, as decryption is required. The best thing an attacker can do in this case is a dictionary attack or brute force attack, that is, checking all possible combinations until a match is found.
- Fortunately, most CMSs provide user management tools with many built-in security systems, although some alternative configuration or additional modules may be required to use the salt or set the minimum password complexity.
If you use .NET, then you should use membership providers, as they have many settings, provide an integrated security system and include ready-made elements for logging in and changing the password.
File Downloads
Allowing users to upload files to your website can be a security risk, even if it’s just a matter of changing your avatar. The risk is that any downloaded file, no matter how harmless it may look, may contain a script that, when executed on your server, allows access to your site.
If you have a file upload form on your site, then you need to be suspicious of all uploaded files. If you allow users to upload images, then when determining the type of file, you cannot rely on the extension or mime type, since they can easily be tampered with.
Even opening a file and reading its title or using image size checking functions are not a 100% guarantee of security. Most image formats allow you to store comments, which can also contain PHP code that can be executed on the server.
So what can you do to prevent this? Usually you need to prevent users from executing downloaded files. By default, web servers do not try to execute files with image extensions, but it is not recommended to rely solely on the file extension, since there are cases when the “image.jpg.php ” file bypassed this check.
