I have a friend who usually comes to me for website advice, though didn’t on his last project and chose to engage the services of a young teenager to build his latest site in bespoke PHP/MySQL. However, he has since heard about PHP cross-scripting and database injection attacks and is worried that his site may be potentially hackable, due to the young age of the developer possibly not having the experience of knowing all the pitfalls.
Unfortunately, I can’t advise because I use tried and tested CMS code like WordPress etc to build sites which has been written by experienced developers and has a good track record ‘in the wild’. I looked at some online services to test for cross-scripting and MySQL injection attacks, but it’s $800 to buy software he’ll probably only ever use once. He’s reluctant to go back to the young developer and and ask “is your code 100% known secure?” for fear of offending him so does anyone know of any affordable methods of testing?
The only way of knowing is to either get hacked or pay someone to go through the code manually and advise.
I would feel no offense if a client came back to me and asked if my code was secure. Its part and parcel of the job he has been paid to do. Even the most basic site should have security in mind from Cross scripting to form manipulation.
Get him to go back and ask the developer (the one he has paid to have the work done!)
If you search for SQL inection there are plenty of resources to show you some basics. You could than try it yourself and see. My favorite thing to try first is dropping the database. If I can drop your database than you obviously should have hired a professional…
I think he’s going to have to hire someone as there’s some doubt in the back of my friends mind as to whether the experience is there to identify security flaws. I can’t do it as I’m not a web developer (hence my use of WordPress…;))