Page 1 of 2

This article does not claim to be a universal manual on the theme "how to make sure nobody breaks into my site". No such thing exists. Its only purpose is to show some of the techniques I use to protect web applications such as WWW chats, guest books, web forums and other applications of that kind. So let's look at some programming techniques using the example of a guest book written in PHP.
The first commandment of a web programmer who wants to write a more or less secure web application should be: "Never trust the data the user sends you." Assume that users are, by definition, malicious hackers who are only waiting for the moment to type into your input forms any garbage they can: PHP, JavaScript, SSI, calls to terrible hacker scripts and other nasty things of that sort. Therefore, the first thing to do is to filter all user-supplied data as strictly as possible.
Suppose our guest book has three input fields: the user's name, their e-mail address and the body of the message itself. First of all, we limit the amount of data transmitted from the input fields with something like:
<input type=text name=username maxlength=20>
This, of course, cannot claim to be real protection: the only purpose of this attribute is to keep the user from accidentally typing a name longer than 20 characters. And so that the user is not tempted to download the document containing the form and edit the maxlength parameter, we put, somewhere at the very beginning of the script that processes the data, a check of the web server environment variable HTTP_REFERER:
<?php
// The original used ereg(), which was removed in PHP 7; preg_match() does the same job.
// The referer must begin with our site's URL, otherwise the request is rejected.
$referer = getenv("HTTP_REFERER");
if (!preg_match("#^http://www\.myserver\.com#", $referer)) {
    echo "hacker? he-he...\n";
    exit;
}
?>
Now, if the data are not sent from a form on a document located on the server www.myserver.com, the hacker gets a demoralizing message. In fact, this too cannot serve as a 100% guarantee that the data really came from our document. After all, the HTTP_REFERER variable is formed by the browser, and nothing prevents the hacker from modifying the browser's code, or simply connecting with telnet to port 80 and generating the request by hand. So this kind of protection only works against completely uneducated hackers. However, by my observation, about 80% of attackers stop at this stage and go no further, whether because their IQ does not allow it or simply out of laziness. Personally, I have put this fragment of code into a separate file and call it from everywhere I can. Checking a variable takes very little time, and God protects those who protect themselves.
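The referer check as a reusable include file, the way the paragraph above describes using it, is shown below. This is an added example, not the article's own code: the file layout, the function name referer_is_ours() and the host names are assumptions. It compares the host part of the URL exactly (via parse_url()) rather than matching a prefix with a regular expression, and, as the article itself stresses, it remains only a weak filter because the Referer header is supplied by the client.

```php
<?php
// Added example (not the article's code): the HTTP_REFERER check from the text,
// moved into a separate file so it can be included at the top of every
// form-processing script. Host names are assumed values.
// NOTE: the Referer header comes from the browser, so this is a coarse filter,
// not authentication.

// Hosts allowed to submit our forms (assumed).
$allowed_referer_hosts = array('www.myserver.com', 'myserver.com');

// Returns true if $referer is an absolute http(s) URL whose host is in $allowed_hosts.
// The host is compared exactly, not as a prefix of the URL string.
function referer_is_ours($referer, array $allowed_hosts)
{
    if (!is_string($referer) || $referer === '') {
        return false;                      // no Referer at all: treat as foreign
    }
    $parts = parse_url($referer);
    if ($parts === false || empty($parts['host'])) {
        return false;                      // not a parseable absolute URL
    }
    $scheme = isset($parts['scheme']) ? strtolower($parts['scheme']) : '';
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false;
    }
    return in_array(strtolower($parts['host']), $allowed_hosts, true);
}

// The check itself; $_SERVER is preferred, getenv() kept as a fallback as in the article.
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : getenv('HTTP_REFERER');
if (!referer_is_ours($referer, $allowed_referer_hosts)) {
    echo "hacker? he-he...\n";
    exit;
}
```

Save this as, for instance, check_referer.php (assumed name) and add `require 'check_referer.php';` as the first line of each script that processes form input.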
The next stage is the notorious strict filtering of the transmitted data. First of all, we do not trust the maxlength attribute of the input field and cut the string by hand:
$username = substr($username, 0, 20);
Let's not allow the user to leave the name field empty, simply so as not to permit anonymous messages:
if (empty($username)) {
    echo "invalid username";
    exit;
}
Let's forbid the user from using any characters in the name other than Latin letters, the underscore "_", a space and digits:
// Reject the name if it contains anything except word characters (letters, digits, "_"),
// whitespace, or 8-bit characters in the range \x7F-\xFF (national alphabets).
if (preg_match('/[^\w\x7F-\xFF\s]/', $username)) {
    echo "invalid username";
    exit;
}
Wherever something more complex is needed than checking for a pattern in a string or replacing one pattern with another, I prefer to use Perl-compatible regular expressions. The same can be done with the standard PHP ereg() and eregi(). I won't give those examples here; they are described in enough detail in the manual.
For the e-mail address field we add the characters "@" and "." to the list of allowed characters; otherwise the user cannot enter the address correctly.
// Reject the address if it contains anything except word characters, "@" and ".".
if (preg_match('/[^\w@.]/', $usermail)) {
    echo "invalid mail";
    exit;
}
So, my opinion: yes, allowing HTML tags in chats, forums and guest books is pretty, but it is not worth the trouble. Users will hardly keep coming to your guest book or chat knowing that their IP address can become known to the first hacker who comes along. And not only the IP; I won't even go into what JavaScript makes possible :-)
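The filtering steps above (server-side length cut, empty-name check, the two character-class checks, and no HTML in the message body) collected into one function, as an added example that is not part of the article. Field names and limits follow the text; the function name filter_guestbook_input(), the body length limit and the sample input are assumptions. For the message body it escapes HTML special characters with htmlspecialchars() instead of trying to strip tags, so whatever a visitor posts is displayed as text rather than interpreted by the browser; it also adds a simple shape check for the e-mail address on top of the article's character-set check.

```php
<?php
// Added example, not the article's code: the username / e-mail filtering from
// the text in one function, plus escaping of the message body.
// Returns array('ok' => true, 'username' => ..., 'usermail' => ..., 'body' => ...)
// or array('ok' => false, 'error' => '...').
function filter_guestbook_input(array $post, $max_name = 20, $max_body = 2000)
{
    $username = (isset($post['username']) && is_string($post['username'])) ? $post['username'] : '';
    $usermail = (isset($post['usermail']) && is_string($post['usermail'])) ? $post['usermail'] : '';
    $body     = (isset($post['body'])     && is_string($post['body']))     ? $post['body']     : '';

    // Do not trust maxlength in the form: cut the strings server-side.
    $username = substr($username, 0, $max_name);
    $body     = substr($body, 0, $max_body);

    // No anonymous messages.
    if (trim($username) === '') {
        return array('ok' => false, 'error' => 'invalid username');
    }
    // Name: word characters, whitespace and 8-bit characters only
    // (the \x7F-\xFF range lets national alphabets through, as in the article).
    if (preg_match('/[^\w\x7F-\xFF\s]/', $username)) {
        return array('ok' => false, 'error' => 'invalid username');
    }
    // E-mail: the article's allowed set (word characters, "@", ".") plus an
    // added shape check: exactly one "@" with something on both sides.
    if ($usermail === '' || preg_match('/[^\w@.]/', $usermail)
        || !preg_match('/^[\w.]+@[\w.]+$/', $usermail)) {
        return array('ok' => false, 'error' => 'invalid mail');
    }
    // Message body: HTML is not allowed, so escape <, >, &, " and ' and let the
    // browser render the text literally (assumes the page is served as UTF-8;
    // ENT_SUBSTITUTE replaces invalid byte sequences instead of dropping the text).
    $body = htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    return array('ok' => true, 'username' => $username,
                 'usermail' => $usermail, 'body' => $body);
}

// Constructed sample input (not real data) to show the function in use.
$samples = array(
    array('username' => 'john_doe 7', 'usermail' => 'john@example.com',
          'body' => 'Hello <b>world</b>'),                                   // accepted, tags escaped
    array('username' => '', 'usermail' => 'a@b.c', 'body' => 'x'),           // empty name
    array('username' => 'bob', 'usermail' => 'bob at example.com', 'body' => 'x'), // bad mail
);
foreach ($samples as $s) {
    $r = filter_guestbook_input($s);
    echo $r['ok'] ? "ok: {$r['username']} <{$r['usermail']}> {$r['body']}\n"
                  : "rejected: {$r['error']}\n";
}
```

In a real script the function is called as `filter_guestbook_input($_POST)` and the returned, already escaped values are the only thing written to the guest book file; the raw $_POST values never reach the page.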
For a primitive guest book, the means listed so far will be enough to make it more or less difficult to break. However, for convenience, guest books usually contain some moderation features, at least the ability to delete messages, which is naturally allowed to a narrow (or not so narrow) circle of people. Let's see what can be done here.
Suppose the whole moderation system of the book consists of two parts: a page with the list of messages, where the messages to be deleted can be marked, and the script that actually deletes them. We'll call them admin1.php and admin2.php respectively.
The simplest and most reliable way to authorize the user is to place the scripts in a directory protected by an .htaccess file. To overcome such protection one has to break not the application but the web server itself, which is somewhat more difficult and in any case is outside the scope of this article. However, this method is not always suitable: sometimes authorization has to be performed by the application itself.
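The .htaccess protection mentioned above, as an added configuration example that is not from the article: an Apache .htaccess file placed in the directory holding admin1.php and admin2.php (an admin/ directory is assumed), requiring HTTP Basic authentication for everything in it. The password file path is a placeholder.

```apache
# Added example, not from the article: protect the moderation scripts
# (admin1.php, admin2.php) with HTTP Basic authentication.
# Put this file in the admin/ directory next to the scripts (assumed layout).
# AuthUserFile is a placeholder path; keep the password file outside the
# document root so it can never be served to a browser.
AuthType Basic
AuthName "Guest book moderation"
AuthUserFile /path/outside/docroot/.htpasswd
Require valid-user
```

The password file is created with Apache's `htpasswd` utility (`htpasswd -c /path/outside/docroot/.htpasswd moderator`), and the server configuration must allow `AllowOverride AuthConfig` for the directory, otherwise the .htaccess file is silently ignored and the scripts stay open.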