Recently, I received a website inquiry asking about SQL and XML injections and decided to share my response here to help others with the same questions.

What is a SQL injection?

A SQL injection happens when untrusted input (a form field, a URL parameter, a cookie, an HTTP header) is pasted into the text of a SQL statement, so that characters the database treats as syntax, such as a single quote or a comment marker, change the structure of the query instead of being handled as data. The attacker can then read data they should not see, change or delete records, or otherwise abuse the database and the website it powers. It is a well-known vulnerability that can wreak havoc on a site: it has been used to plant malicious content in a site's pages, redirect visitors to another site, and more. Old code is a frequent culprit, for example PHP written against the legacy mysql_* functions, which had no support for parameterized queries, and then never updated as the platform moved on. The primary defense is to never build SQL by string concatenation: use parameterized queries (prepared statements), so the database receives the statement and the data separately and the data can never be parsed as SQL. Form validation and limiting what can be entered in fields is still worth doing, but it is a second layer rather than a substitute, because any field on a website can be an injection point.
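The following is an added example, not code from the original post: the same login lookup written the vulnerable way and the parameterized way, using Python's standard sqlite3 module against a constructed in-memory table. The users, the placeholder hashes, and the attack input are all made up for the demonstration, and the allowlisted sort column at the end shows the one case placeholders cannot cover.

```python
"""Added example: the same lookup built by string concatenation and with bound parameters.
Standard library only (sqlite3); the table contents and the payload are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "password_hash TEXT, role TEXT)")
    # Placeholder hashes; a real application stores a salted password hash and
    # verifies it in code, never by comparing it inside the SQL statement.
    conn.executemany("INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
                     [("alice", "hash-alice", "admin"), ("bob", "hash-bob", "user")])
    return conn


def find_user_vulnerable(conn, username: str, password_hash: str):
    # BAD: the input becomes part of the statement text. A quote in the input
    # ends the string literal and whatever follows is parsed as SQL.
    sql = ("SELECT id, username, role FROM users "
           f"WHERE username = '{username}' AND password_hash = '{password_hash}'")
    return conn.execute(sql).fetchone()


def find_user_parameterized(conn, username: str, password_hash: str):
    # GOOD: the statement is fixed; the driver sends the values separately and
    # they can only ever be compared as data, never parsed as SQL.
    sql = ("SELECT id, username, role FROM users "
           "WHERE username = ? AND password_hash = ?")
    return conn.execute(sql, (username, password_hash)).fetchone()


# Placeholders cannot bind identifiers (table or column names) or keywords, so
# anything like a user-chosen sort column must come from an allowlist instead.
ALLOWED_SORT_COLUMNS = {"id", "username", "role"}


def is_valid_sort_column(sort_by: str) -> bool:
    return sort_by in ALLOWED_SORT_COLUMNS


def list_users_sorted(conn, sort_by: str):
    if not is_valid_sort_column(sort_by):
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    # Safe only because sort_by was checked against the fixed allowlist above.
    return [row[0] for row in conn.execute(f"SELECT username FROM users ORDER BY {sort_by}")]


# Constructed attack input: the quote closes the literal and "--" comments out
# the password check, so the vulnerable query reads
#   ... WHERE username = 'alice' --' AND password_hash = 'wrong'
PAYLOAD = "alice' --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:    ", find_user_vulnerable(db, PAYLOAD, "wrong"))      # alice's row, no password needed
    print("parameterized: ", find_user_parameterized(db, PAYLOAD, "wrong"))  # None
```

Run it and the vulnerable lookup returns the admin row for a caller who never supplied alice's password, while the parameterized version finds no user because the whole payload is compared as a literal username. The same pattern applies to every database driver (PDO in PHP, PreparedStatement in Java): the query text stays constant and the data travels in the parameters.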

What about XML?

With XML, the best-known problem is XML External Entity injection (XXE). An XML document can carry a DTD that declares entities, and an external entity is one whose content lives at a URI, such as a local file path or a URL. If the application's XML parser processes the DTD and resolves external entities, an attacker who controls the document can declare an entity that points at a server file and have its contents echoed back in the response, or point it at internal network addresses so the server issues requests on the attacker's behalf (server-side request forgery, which also makes port scanning of hosts the attacker cannot reach directly possible). A related DTD abuse is entity expansion, often called "billion laughs": a chain of nested internal entities, each referencing the previous one many times, expands exponentially when parsed and can exhaust the server's memory. The fix for both is to configure the parser to refuse DTDs entirely, or at least to disable external entity resolution and limit entity expansion.
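As an added example (not code from the original post), here is a hardened XML loader in Python's standard library that vetoes any DOCTYPE before the document is parsed, which shuts off both external entities and entity expansion in one place. The documents it is run against are constructed: a benign order, a classic file-reading XXE payload, and a scaled-down "billion laughs" that expands to 3,000 bytes instead of gigabytes so the amplification can be measured safely.

```python
"""Added example: refuse DTDs before parsing, which shuts off both XXE and entity expansion.
Standard library only; the documents below are constructed for the demonstration."""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXML(ValueError):
    """Document carries a DTD (entity declarations or an external DTD reference)."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # expat calls this as soon as it reads "<!DOCTYPE", before any entity is
    # expanded, so a billion-laughs document is stopped before it costs anything.
    raise UnsafeXML(f"DOCTYPE {name!r} not accepted (SYSTEM id={sysid!r}, "
                    f"internal subset={bool(has_internal_subset)})")


def parse_xml_safely(data: bytes) -> ET.Element:
    """Parse untrusted XML. Any DOCTYPE raises UnsafeXML; malformed XML raises ExpatError."""
    # First pass: a bare expat parser whose only job is to veto the DTD.
    checker = xml.parsers.expat.ParserCreate()
    checker.StartDoctypeDeclHandler = _reject_doctype
    checker.Parse(data, True)
    # Second pass: build the tree. No DTD survived the first pass, so nothing can expand.
    return ET.fromstring(data)


def is_rejected(data: bytes) -> bool:
    """True if parse_xml_safely refuses the document because of its DTD."""
    try:
        parse_xml_safely(data)
    except UnsafeXML:
        return True
    return False


# Constructed samples.
BENIGN = b'<order><item sku="A-1" qty="2"/></order>'

# Classic XXE payload: a parser that resolves external entities would read the
# file and place its contents where &xxe; appears. Stock ElementTree does not
# fetch external entities (it raises ParseError instead), but many other parsers
# do unless told not to, and a hardened loader should not depend on that.
XXE_DOC = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
           b'<order>&xxe;</order>')


def laughs_doc(depth: int, fanout: int) -> bytes:
    """Scaled-down 'billion laughs': entity lolN is `fanout` copies of lol(N-1),
    so the root text expands to fanout**depth copies of "lol"."""
    decls = ['<!ENTITY lol0 "lol">']
    for i in range(1, depth + 1):
        refs = f"&lol{i - 1};" * fanout
        decls.append(f'<!ENTITY lol{i} "{refs}">')
    return f'<!DOCTYPE x [{"".join(decls)}]><x>&lol{depth};</x>'.encode()


def naive_expansion_length(data: bytes) -> int:
    """Parse with the stock parser and return how long the expanded text became.
    Internal entities are expanded in full: depth 9 with fanout 10 would be about
    3 GB of text from a document under 1 KB (recent libexpat builds cap this
    amplification at the C level; older parsers and other libraries do not)."""
    return len(ET.fromstring(data).text or "")


if __name__ == "__main__":
    print("benign root:", parse_xml_safely(BENIGN).tag)                    # order
    print("3 levels x 10 expands to", naive_expansion_length(laughs_doc(3, 10)), "bytes")  # 3000
    print("XXE rejected:", is_rejected(XXE_DOC), "laughs rejected:", is_rejected(laughs_doc(3, 10)))
```

The design choice worth noting is where the check sits: rejecting on the DOCTYPE event is cheaper and more reliable than scanning the bytes for the string "<!DOCTYPE", because it happens after the parser has decoded the document's encoding and before it has acted on any declaration. If the application genuinely needs DTDs, the equivalent settings in other parsers are to disable external entity resolution and external DTD loading and to cap entity expansion, which is what the OWASP XXE prevention cheat sheet walks through per language.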

“How do I prevent upload vulnerabilities?”

Your second question, “How do I prevent upload vulnerabilities?”, is a bit trickier to answer. The Open Web Application Security Project (OWASP) is a great resource. Here are some links that I hope will help.
https://www.owasp.org/index.php/Category:Vulnerability
https://www.owasp.org/index.php/SQL_Injection
https://www.wikihow.com/Prevent-SQL-Injection-in-PHP
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet

If you have your own website and want to be able to update it easily while keeping it safe, you might consider the WordPress content management system. You can run WordPress on your website’s server. WordPress can be downloaded from https://wordpress.org and runs best, and is easiest to keep secure, on a Linux server with a MySQL or MariaDB database. Many web hosting providers offer a simple application install for WordPress. If you do install WordPress, be sure to install the Wordfence Security plugin ( https://wordpress.org/plugins/wordfence/ ), which scans the site, alerts you to vulnerabilities and needed updates, and protects against unauthorized access. Keeping WordPress core, themes, and plugins updated matters just as much as the plugin, since most WordPress compromises go through outdated components.

Also, if you use forms on your site, you may want to integrate Google’s reCAPTCHA to protect your site from automated spam form submissions ( https://www.google.com/recaptcha/intro/v3.html ). Note that it filters bots, not malicious input: the validation and parameterized queries described above are still needed for whatever the form submits.

I hope this helps demystify some known and widely reported security vulnerabilities on websites.

There’s a whole host of different web hosting companies out there (pardon the pun). On top of that, each hosting company can offer a multitude of hosting variations, and platforms like Windows or Linux. It can get pretty confusing.

It’s great to have choices, it really is. With a little information on a few terms, you should be able to make a choice that’s right for you.

Windows vs Linux Hosting

When you take a look at hosting, you’ll probably see where you can choose between Windows or Linux. Without getting into too much of the gory details, I’ve built and maintained websites on both Linux and Windows servers. I’ve even done a lot of self-managed work on Windows. But, if you think you might like to try a content management system like WordPress, I recommend Linux.

What’s WordPress?

WordPress is one of the most widely used content management systems (CMS). A CMS website combines code and styling with a database that holds the content. A CMS website is customizable and easily updatable. How easy? Let’s just say, for now, that if you can use Facebook, you’d most likely be able to update a website with WordPress. Really. If the thought of this is a wee bit appealing, then choose Linux. I’ve had clients that were on a Windows server and wanted a WordPress website. I accommodated them, for a while. Eventually, I moved everyone running WordPress on Windows to Linux. Linux just provides a more stable and secure environment for WordPress. WordPress gives clients an easy way to update their own websites, and Linux offers them peace of mind in a more secure setting.

Now, for the fun stuff.

Let’s take a look at different types of web hosting plans

Shared Hosting

If you’re just looking to start a blog or create a small business informational site, then you’re looking at a fairly low cost to get started—like $3 to $20 monthly. The lower the price, the more limited the resources available. Many personal sites or entry-level small business websites do fine on shared hosting where there are many websites, sometimes up to 1,000 on one server. If you’re starting out with a small business site but are planning to sell products or expand, you may outgrow an entry-level plan rather quickly. When talking with a hosting representative or researching the plan that will work for you, make sure that you can easily upgrade your plan, if needed.

Major Benefit of Shared Web Hosting: Low-cost to get started.

WordPress Hosting

WordPress is my favorite platform for websites. Because of its popularity, some web hosting companies offer WordPress hosting. Some of my clients choose WordPress hosting, but it’s not my favorite way to go. Why? Because there are often limited server management options with WordPress hosting. You can upgrade and back up WordPress, but often there’s limited access to files. Also, many companies say that WordPress hosting will run faster. Having said that, I’ve not seen a big difference in page load speeds or experienced better performance.

Major Benefit of WordPress Hosting: Tailored to run WordPress.

Virtual Private Server

A virtual private server (VPS) is the next step after shared hosting. On a VPS, you can manage the server yourself, which requires a fair bit of server experience, or choose a managed plan where the server maintenance is handled by the hosting company. You are still sharing some physical resources, like the central processing unit and the memory, with other VPS accounts on the same machine, but each account has resources dedicated to it. Often on a VPS there are fewer accounts sharing resources than on a shared server. This all means that you have more power and more resources for your website. VPS hosting often has limits on storage and memory that you just need to be aware of.

Major Benefit of Virtual Private Servers: Increased resources allotted to accommodate your website’s needs at a reasonable cost.

Dedicated Server

A dedicated server dedicates all of the computer resources to your website based on the plan’s options. The dedicated server also offers different managed plans from self managed to fully managed. I’ve worked on self-managed Windows servers in the past and they’re great when they’re running, but when there are issues, it can take hours, or longer, to isolate the issues and troubleshoot. Also, I found that dedicated server upgrades can get expensive. But if your website is big, or outgrows other hosting options, this is the way to go. More good news is that dedicated server prices have come down in recent years so if you have a big site that’s helping you make money, a dedicated server should work well for you.

Major Benefit of Dedicated Servers: You have access to all of the resources the server has to offer and can really customize the server to suit your needs.

It’s easy to get caught up in the excitement of jumping into building a website.

I get caught up in the excitement myself. But, before you can build it, you need to have a place for your website to live. It’s web hosting that addresses where it will reside.

Unless you have a fairly good budget to invest in the hardware, backup processes (redundancies) and tech support to keep your website up and running on a local server or computer, you’re going to need to explore web hosting companies and the plans they offer.

Honestly, you can probably talk to ten different people and get ten different answers about the best web hosting. That goes for me, too. I don’t want to muddy the waters and go into my favorite web host providers.  It really depends on what you need and what works best for you.

Google “best web hosting” and see how many different results come up and how the rankings and reviews vary. Instead, I’ll share what I look for when shopping for web hosting and why it matters. Then you can jump in and research web hosting plans and find the best solution for your website.

Five Web Hosting Points to Ponder

Hosting is paid annually or monthly with renewable terms.

Many web hosting companies offer discounts if you pay for a year or two in advance. If you’re starting small, you may want to ask the web hosting company how easy it is for you to upgrade your plan. This way if you pay for a year and find yourself outgrowing what you started with, you can upgrade, as needed.

Web hosting companies offer page builders, but there’s a trade off.

Page builders are template driven and can work for some people. However, they have limitations on how the site can be customized. Most importantly, if you use a page builder for a website, you may need to rebuild your entire website if you need to move it to another server.

Sometimes web hosting companies offer a great introductory price.

The thing to watch out for is how much the price will go up when you renew your hosting. Sometimes the price can increase, even double, on renewal. Just make sure you read all of the fine print.

You will need to upgrade your hosting at some point.

Just like computers and cellphones, web hosting needs to be upgraded periodically. I’ve had clients that had hosting plans that were 5 years old. As you can imagine, their website took forever to load or had server timeouts. Just be aware that you will need to upgrade because old hosting can take a site down and you could lose everything.

Plans that offer unlimited options are not always unlimited.

Web hosting services can offer unlimited domains, unlimited storage, unlimited email, etc., but just like cellphone plans, unlimited can mean different things. Many hosting companies limit the number of inodes, which is roughly the number of files and directories you can have on the server. This includes website files, emails, and anything else that is stored on the server. So, if you have an email account with 5,000 messages kept on the server, and the mail store keeps each message as its own file, that’s 5,000 inodes used by just one email account. I’ve found that inode limits aren’t always clearly listed on web host plan comparisons.

If you’re talking to a sales rep about a web hosting plan, ask about inode limits. Believe me, inode numbers can go up fast.