Guide to building secure PHP apps

Author: Dương Nguyễn Phú Cường

Posted: way back when

Potential security threats

There are basically two groups of people who can attack your system:

  • Hackers – with the intent to gain access to unauthorized data or disrupt the application
  • Users – they may innocently enter wrong parameters in forms which can have negative effects on a website or web application.

The following are the kinds of attacks that we need to look out for.

SQL Injection – this type of attack appends harmful code to SQL statements. This is done using either user input forms or URLs that carry variables. The appended code comments out the condition in the WHERE clause of an SQL statement. The appended code can also:

  • insert a condition that will always be true
  • delete data from a table
  • update data in a table

This type of attack is usually used to gain unauthorized access to an application.

Cross-site scripting – this type of attack inserts harmful code, usually JavaScript. This is done using user input forms such as contact-us and comment forms. This is done to:

  • retrieve sensitive information such as cookie data
  • redirect the user to a different URL

Other threats include PHP code injection, shell injection, email injection, script source code disclosure, etc.

PHP Application Security Best Practices

Let’s now look at some of the PHP Security best practices that we must consider when developing our applications.

The strip_tags function removes HTML, JavaScript and PHP tags from a string. This function is useful when we have to protect our application against attacks such as cross-site scripting. Let’s consider an application that accepts comments from users.

Assuming you have saved comments.php in the phptuts folder, browse to the URL //localhost/phptuts/comments.php

Let’s assume you receive the following as the user input: alert['Your site sucks!'];
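The comment handling described above, as an added example that is not the tutorial's own comments.php: it assumes PHP 8 run from the command line and uses constructed sample comments, including a script tag wrapping the alert payload quoted above. Besides strip_tags() it shows htmlspecialchars() output encoding, which is the defence to rely on, because strip_tags() removes the tags but keeps the text between them.

```php
<?php
// Added example, not the tutorial's comments.php. Run with: php comments_demo.php
declare(strict_types=1);

/**
 * Sanitise a comment the way the tutorial describes: strip_tags() removes
 * every HTML, JavaScript and PHP tag. The text between the tags survives,
 * so a <script> body such as alert(...) is still echoed as plain text.
 */
function sanitizeComment(string $comment): string
{
    return strip_tags($comment);
}

/**
 * Encode a comment for insertion into an HTML text node. The browser then
 * displays < > & " ' literally instead of interpreting them as markup, which
 * is what actually prevents stored cross-site scripting on output.
 */
function encodeForHtml(string $comment): string
{
    return htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample comments (hypothetical input, not real user data).
$samples = [
    "<script>alert('Your site sucks!');</script>",
    '<b>Nice post</b> with a <a href="https://example.com">link</a>',
    'Plain text with "quotes" & an ampersand',
];

foreach ($samples as $input) {
    echo "Input:      {$input}\n";
    echo "strip_tags: " . sanitizeComment($input) . "\n";
    echo "encoded:    " . encodeForHtml($input) . "\n\n";
}

// At the point where a stored comment is rendered into the page, encode it:
// echo '<p>' . encodeForHtml($commentFromDatabase) . '</p>';
```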
