There have been a whole lot of high-profile hacks lately: Sony, Lockheed Martin, the CIA, the Senate, the list goes on. I've heard that many of these relied at least in part on SQL injection. However, news reports don't provide much information regarding what we as coders can do to protect ourselves, our websites, and our users.
Within a PHP/MySQL environment, I think most people know by now that:
- all user-submitted data should be escaped, e.g. with mysql_real_escape_string()
- user-submitted data output to the browser should be cleaned with htmlspecialchars()
- whenever possible, user-submitted data should be type checked, e.g. numbers can be checked with is_numeric(); phone numbers and zip codes can be matched against a regular expression; and e-mail addresses can be checked with filter_var($input, FILTER_VALIDATE_EMAIL).
- MySQL databases should have names that are difficult to guess, as should the database users with access privileges
- database users and server administrator accounts should have highly complex passwords
The question is, is that enough? Given how many major sites have been hacked lately, it seems as though these types of precautions must not be sufficient. (Or could it be possible that somebody forgot to escape the input data on the Senate website? Seems so unlikely...)
So my question to the community is, what else can be done to secure websites and protect data?
I would greatly appreciate any insight into this matter. Thanks!
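
An added example, not part of the original post: the type-checking and output-encoding items from the list above, applied to one form submission in PHP. The field names, the ZIP and phone patterns, and the helper names `validate_signup` and `h` are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not from the post. Field names are assumptions.
// Returns [clean values, names of rejected fields].
function validate_signup(array $in): array
{
    // Treat missing or non-string fields (e.g. age[]=1) as empty.
    $get = fn(string $k): string => is_string($in[$k] ?? null) ? $in[$k] : '';
    $clean = [];
    $errors = [];

    // is_numeric() also accepts "1e3" and "4.5"; for an integer field use
    // FILTER_VALIDATE_INT with an explicit range instead.
    $age = filter_var($get('age'), FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 150]]);
    if ($age === false) { $errors[] = 'age'; } else { $clean['age'] = $age; }

    // Assumed formats: US ZIP and a loose phone pattern. \A and \z anchor the
    // whole string; a bare "$" would still match "12345\n".
    $patterns = [
        'zip'   => '/\A\d{5}(-\d{4})?\z/',
        'phone' => '/\A\+?\d[\d ().-]{6,18}\z/',
    ];
    foreach ($patterns as $field => $re) {
        if (preg_match($re, $get($field)) === 1) { $clean[$field] = $get($field); }
        else { $errors[] = $field; }
    }

    $email = filter_var($get('email'), FILTER_VALIDATE_EMAIL);
    if ($email === false) { $errors[] = 'email'; } else { $clean['email'] = $email; }

    return [$clean, $errors];
}

// Encode at output time, for every value, validated or not. ENT_QUOTES also
// encodes single quotes, which the pre-8.1 default flags did not.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample submission; all values are made up for this example.
$post = ['age' => '1e3', 'zip' => "12345\n", 'phone' => '+1 (555) 010-9999',
         'email' => 'user@example.com', 'comment' => "O'Reilly <b>hi</b>"];
[$clean, $errors] = validate_signup($post);
echo 'rejected: ', h(implode(', ', $errors)), "\n";
echo 'comment:  ', h($post['comment']), "\n";
```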