
Not a wordpress site


Curious question - if a site is built with straight html/css/php/js - not a cms based site - and each page ends in php (vs html) for the purpose of having a simple contact form in the footer - does this make it any more vulnerable to hackers?

On that note - how does one "hack" a site that is not built in a cms platform like wordpress or any other web-based website builder? So I can learn how to defend against it? And let's assume the host's login info cannot be obtained.

Thank you for your time. 

Edited by RobertS


A CMS will often be more vulnerable than PHP/HTML pages with hardcoded static content. If the CMS (or installed plugins) is poorly written, hackers can inject MySQL queries in form inputs or the address bar.

However, a site that does not use a database connection can also be hacked because the hacker can inject scripts with file operations and delete/alter your files. But if you write-protect your files, sanitize all your text inputs and url queries, and you make sure that all your included class/function files have the .php extension (so no one can download them and see your code), you are making it extremely difficult to hack the site.

EDIT: If your site uses a database the best way to secure it is to use prepared statements: http://php.net/manual/en/pdo.prepared-statements.php

Edited by Nillervision


Most security flaws will be with regards to variables your page accepts. Security attempts are made by trying to manipulate the variables, either via the url parameters or posted form fields, with something else. I'm 99% sure PHP only listens to the variables given; however, this is where validation, sanitation and checks are vital.

It's also down to selecting the right choice for each variable with php: $_GET (requests data from a specified resource), $_POST (submits data to be processed to a specified resource) or $_REQUEST (could be $_GET, $_POST or $_COOKIE data - more open to manipulation) are the three options. An example of $_REQUEST is that both /yourpage.php?name=Jim and a posted form input <input type="text" value="Jim" name="name"> would work, but if you were expecting a form input, call it by name using $_POST.

With a contact form the process should be $_POST['name'], then validate the content; in the case of a name you could validate to exclude anything not used for someone's name like @, ?, etc. The final step is sanitise, so if storing it, escape the string and use prepared statements.

With the validation step you can get really creative, the idea being regular people inputting regular stuff sail through and anyone trying to manipulate your php gets caught in the validation steps. 


Edited by BrowserBugs

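As an added example (not code posted by anyone in this thread), here is the contact-form handling the two replies above describe: read from $_POST only, validate each field against a whitelist, and store through a PDO prepared statement. The table name, DSN and credentials are assumed placeholders.

```php
<?php
// Added example, not code from the thread. Table "contact_messages" and the DSN are assumptions.

function validate_contact(array $post): array
{
    $errors  = [];
    $name    = trim((string)($post['name'] ?? ''));
    $email   = trim((string)($post['email'] ?? ''));
    $message = trim((string)($post['message'] ?? ''));

    // Whitelist for a name: letters (any script), spaces, apostrophes, hyphens, 1-80 chars.
    // Anything else (@, ?, <, quotes, ...) is rejected rather than "cleaned".
    if (!preg_match("/^[\\p{L} '\\-]{1,80}$/u", $name)) {
        $errors[] = 'name';
    }
    // FILTER_VALIDATE_EMAIL rejects newlines, so the value is safe to place in a mail header later.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email';
    }
    if ($message === '' || strlen($message) > 2000) {   // bound what gets stored
        $errors[] = 'message';
    }
    return ['errors' => $errors, 'name' => $name, 'email' => $email, 'message' => $message];
}

function store_contact(PDO $db, array $clean): void
{
    // Prepared statement: values travel separately from the SQL text, so no input
    // can change the query structure, whatever characters it contains.
    $stmt = $db->prepare(
        'INSERT INTO contact_messages (name, email, message, created_at) VALUES (?, ?, ?, NOW())'
    );
    $stmt->execute([$clean['name'], $clean['email'], $clean['message']]);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {          // read $_POST only, never $_REQUEST
    $result = validate_contact($_POST);
    if ($result['errors'] !== []) {
        http_response_code(422);
        // Escape anything echoed back so the page cannot reflect HTML or script.
        echo 'Invalid field(s): ' . htmlspecialchars(implode(', ', $result['errors']), ENT_QUOTES, 'UTF-8');
        exit;
    }
    $db = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'app_user', 'CHANGE_ME',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
    store_contact($db, $result);
    echo 'Thanks, your message was received.';
}
```

Rejecting input that fails the whitelist (instead of stripping characters out of it) keeps the check simple to reason about, and the prepared statement means the stored value never has to be escaped by hand.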
