Here are a few of my personal tips from my experience.
#1 Fail2ban for blocking brute force attacks
#2 APF (Advanced Policy Firewall) to automatically blacklist malicious IPs, and fully utilize IPTABLES (firewall).
#3 NAXSI (NGINX) or Mod_Security (Apache2) for WAF (Web Application Firewall) to prevent MySQL injections, and other malicious attacks (cross site scripting, backdoor uploading, etc.)
#4 sysctl tweaks to prevent spoof or other minor (D)DoS attacks.
#5 Use Incapsula (NOT CloudFlare or Blazingfast) for additional security for websites.
The reason why I've mentioned not to use CF or BF is because their performance may be top-notch, but their security systems aren't. Not to mention, their uptime isn't very satisfying, either. If you are curious or need evidence for that claim, simply Google. Feel free to criticize / correct me if I am mistaken.
(18-07-2015, 11:59 PM)Crg97 Wrote: Is mysqli_real_escape_string safe?
Fuck the dude that told you to google it.
The definition of the function - Escapes special characters in a string for use in an SQL statement, taking into account the current charset of the connection.
Which means, in a situation like this:
$id = "' or 1=1-- -'"; $x = $con->query("SELECT * FROM cats WHERE id='".mysqli_real_escape_string($con, $id)."'");
The function will work as intended, and you cannot do anything, because you can't escape the quotes. - '
But, if it's like this:
$id = "1 or 1=1"; $x = $con->query("SELECT * FROM cats WHERE id=".mysqli_real_escape_string($con, $id));
This will not do anything, since there aren't any special characters in $id, but it is still an SQLi and you can do everything that you can do with a string-based SQLi.
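To make the two cases above concrete, here is an added example (not code from the thread) that runs both queries against a constructed in-memory SQLite table and then shows the fix, a parameterised query. The `escape` helper is a stand-in for mysqli_real_escape_string (SQLite doubles quotes where MySQL backslash-escapes them); the lesson is the same: escaping only protects a value that sits inside quotes.

```python
import sqlite3

# Constructed sample table: the answer's "cats" table with three rows.
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE cats (id INTEGER, name TEXT)")
    con.executemany("INSERT INTO cats VALUES (?, ?)",
                    [(1, "Tom"), (2, "Felix"), (3, "Garfield")])
    return con

def escape(value: str) -> str:
    # Stand-in for mysqli_real_escape_string: it only neutralises quote
    # characters. It has nothing to act on in "1 or 1=1", exactly as the answer says.
    return value.replace("'", "''")

def quoted_lookup(con: sqlite3.Connection, user_id: str) -> list:
    # Case 1 from the answer: the escaped value is wrapped in quotes, so the
    # whole input is compared as one string and the payload matches nothing.
    sql = "SELECT name FROM cats WHERE id='" + escape(user_id) + "'"
    return [row[0] for row in con.execute(sql)]

def unquoted_lookup(con: sqlite3.Connection, user_id: str) -> list:
    # Case 2 from the answer: no quotes around the value. Escaping changes
    # nothing, "1 or 1=1" is parsed as SQL, and every row comes back.
    sql = "SELECT name FROM cats WHERE id=" + escape(user_id)
    return [row[0] for row in con.execute(sql)]

def bound_lookup(con: sqlite3.Connection, user_id: str) -> list:
    # The fix for both contexts: bind the value as a parameter. It never
    # becomes part of the SQL text, so it cannot change the statement.
    rows = con.execute("SELECT name FROM cats WHERE id=?", (user_id,))
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = make_db()
    print(quoted_lookup(db, "' or 1=1-- -'"))   # []
    print(unquoted_lookup(db, "1 or 1=1"))      # all three cats
    print(bound_lookup(db, "1 or 1=1"))         # []
    print(bound_lookup(db, "2"))                # ['Felix']
```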