April 6, 2008 at 17:06Security in PHP (Processing data received from users)
I want to talk about simple tricks that will help secure your script.
Always check the received data from the user
Imagine yourself as a hacker, think about what you did with the site.
SQL injection (Eng. SQL injection - "SQL-invasion") - one of the most common ways of hacking sites and programs that work with databases, based on the introduction of an arbitrary SQL-code into the query. Read more on wikipedia
To protect yourself from it, just use:
Examples:
XSS (Eng. Cross Site Sсrіrting - "cross-site scripting") - a type of vulnerability in a computer system that is used in a hacker attack. The specificity of such attacks is that instead of directly attacking the server, they use a vulnerable server as a means of attacking the client. An XSS attack is usually carried out by constructing a special URL that the attacker presents to his victim. Read more on wikipedia
It is enough to protect yourself from it using two functions:
PHP injection (English PHP injection) - one of the methods of hacking websites that run on PHP, which consists in the execution of extraneous code on the server side. Read more on wikipedia.
This is a hacking method where you can execute any php code on the server side. It is very common thanks to the include () function, in which newcomers pass the variable received from the user. They mistakenly think that the code
There is a simple way of protection from it:
Here I described the general principles that I use. I would be glad if you help supplement this article.
General Provisions
Always check the received data from the user
($_POST, $_GET, $_REQUEST, $_COOKIE, $_FILES) , not only from different injections, XSS and other things , but also to the correctness of the entered data , for example, if you have an online store, then check that the quantity of goods is not negative and integer. Imagine yourself as a hacker, think about what you did with the site.
SQL injection
SQL injection (Eng. SQL injection - "SQL-invasion") - one of the most common ways of hacking sites and programs that work with databases, based on the introduction of an arbitrary SQL-code into the query. Read more on wikipedia
To protect yourself from it, just use:
- mysql_escape_string () - to protect strings and binary data
- mysql_real_escape_string () - to protect strings and binary data in accordance with the encoding set on the server (connection to the server is required, otherwise it returns an empty result)
- intval () - to protect integer numerical values, intval () returns 0 if the string is not a number.
- floatval () - to protect fractional values, the same behavior as intval ()
Examples:
$sql = "SELECT string FROM test WHERE string='".mysql_escape_string($_POST['str'])."'";
$sql = "SELECT string FROM test WHERE id='".intval($_POST['id'])."'";
Xss
XSS (Eng. Cross Site Sсrіrting - "cross-site scripting") - a type of vulnerability in a computer system that is used in a hacker attack. The specificity of such attacks is that instead of directly attacking the server, they use a vulnerable server as a means of attacking the client. An XSS attack is usually carried out by constructing a special URL that the attacker presents to his victim. Read more on wikipedia
It is enough to protect yourself from it using two functions:
- htmlspecialchars () - turns special characters into their html entities
- strip_tags () - removes all tags (you need to be careful with it)
Php injection
PHP injection (English PHP injection) - one of the methods of hacking websites that run on PHP, which consists in the execution of extraneous code on the server side. Read more on wikipedia.
This is a hacking method where you can execute any php code on the server side. It is very common thanks to the include () function, in which newcomers pass the variable received from the user. They mistakenly think that the code
include($_GET['file'].".php");saves from such an injection. BUT THIS IS AN ERROR !!! Because an attacker can pass " ya.ru/%00 " (without quotes) into the file variable, which will drop the .php extension. There is a simple way of protection from it:
- addslashes () - it escapes a NULL character (in html it is designated as% 00), a slash and quotation marks, which allows you to get rid of unwanted injections, but it is better to use the switch statement, for example:
switch ($_GET['file']) {case '1':include("hello.php");break;case '2':include("bye.php");break;default:break;}Conclusion
Here I described the general principles that I use. I would be glad if you help supplement this article.