PHP Security - Avoid SQL Injection and XSS Attacks

  • If you use $_GET or $_POST values in a MySQL query, clean them with mysql_real_escape_string() first.
  • When displaying user-submitted content from the database, apply htmlentities() before it is output.

SQL Injection - mysql_real_escape_string()

Using mysql_real_escape_string() stops malicious input from breaking SQL queries. The quote ' is a reserved character in SQL: when it appears as part of a parameter it can terminate the string literal and break or change the meaning of the query. mysql_real_escape_string() escapes the quote ' so it becomes \'. SQL then no longer treats the quote as a reserved character, and the value can safely be used as a parameter, usually to insert a quote into the DB.
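As an added example (not code from the original post), here is the same lookup written three ways: unsafely, with the escaping the post recommends, and with a prepared statement. `$db` is assumed to be an open mysqli connection and the `users` table with its `id` and `name` columns is a placeholder. One caveat the post predates: mysql_real_escape_string() belongs to the old mysql extension, which was removed in PHP 7, so the example uses mysqli_real_escape_string(), which does the same job.

```php
<?php
// Added example, not code from the original post. $db is assumed to be an open
// mysqli connection and `users` (id, name) an assumed table; both are placeholders.

// Constructed input: the single quote ends the string literal early.
$name = "O'Brien' OR '1'='1";

// 1. Vulnerable: the value is pasted straight into the SQL text, so the quote in it
//    closes the literal and the rest of the input becomes part of the query.
$unsafe = "SELECT id, name FROM users WHERE name = '" . $name . "'";

// 2. Escaping, as the post recommends. mysql_real_escape_string() came with the old
//    mysql extension (removed in PHP 7); mysqli_real_escape_string() does the same job
//    and, like the original, needs an open connection so it knows the character set.
$escaped = "SELECT id, name FROM users WHERE name = '"
         . mysqli_real_escape_string($db, $name) . "'";

// Escaping only protects values that sit inside quotes. An unquoted number is still
// injectable after escaping, because there is no quote to escape; cast it instead.
$id    = "1 OR 1=1";                                                                 // constructed input for a numeric column
$still = "SELECT name FROM users WHERE id = " . mysqli_real_escape_string($db, $id); // still unsafe
$fixed = "SELECT name FROM users WHERE id = " . (int) $id;                           // safe: the cast yields 1

// 3. Preferred today: a prepared statement. The value never becomes part of the SQL
//    text, so there is nothing to quote or escape and no quoting mistake to make.
$stmt = $db->prepare("SELECT id, name FROM users WHERE name = ?");
$stmt->bind_param('s', $name);
$stmt->execute();
$rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
```

The escaping form is only as good as the quoting around it, which is why the prepared statement is the safer default: the parameter is sent separately from the query text, so the database never parses the input as SQL.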

XSS - htmlentities()

htmlentities() turns characters into their equivalent HTML entities. This allows JavaScript code to be displayed in a page without the browser executing it. If a user enters some JavaScript into a form on your site and you display it back to them unaltered, the code will execute, leaving you open to a cross-site scripting attack.

If I enter this into a form field on a website:

<script>alert("Your site executed my code. Thanks");</script>

and the next page displays it without applying htmlentities, the browser will execute it and pop open an alert message box.

The consequences are worse if the input is stored and displayed again to another user. In this example that user would also see the alert message box pop open. The malicious script has access to private data that the browser stores for that user.

An HTML entity is a textual representation of a character; for example, the less-than sign < has the entity &lt;. Applying htmlentities() replaces the special characters in the JavaScript above with their equivalent HTML entities to give:

&lt;script&gt;alert(&quot;Your site executed my code. Thanks&quot;);&lt;/script&gt;

When the browser encounters this, it decodes the entities and displays the text in its original form, but without executing the JavaScript it represents.
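As an added example (not code from the original post), the following script wraps htmlentities() in a small output helper and runs it over the script from the post and over a value placed in an attribute. The helper name h() and the sample inputs are assumptions for the demonstration; the flags ENT_QUOTES and ENT_SUBSTITUTE and the charset argument are real htmlentities() parameters that the post does not mention but that matter in practice.

```php
<?php
// Added example, not code from the original post. h() is an assumed helper name;
// the comment text and the name value are constructed inputs.

// Encode everything that has meaning in HTML before echoing user content.
function h(string $text): string
{
    // ENT_QUOTES also encodes the single quote, which the default flags of older PHP
    // releases leave untouched; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
    // returning an empty string; the charset must match the page's declared encoding.
    return htmlentities($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Stored comment containing the script from the post.
$comment = '<script>alert("Your site executed my code. Thanks");</script>';

// Unsafe: echoed verbatim, the browser parses the tag and runs the script.
// echo '<p>' . $comment . '</p>';

// Safe: the browser renders the script as visible text and executes nothing.
echo '<p>' . h($comment) . "</p>\n";

// The same helper covers attribute values, as long as the attribute is quoted in the
// template; ENT_QUOTES is what keeps a single-quoted attribute intact as well.
$name = 'Ann "Annie" O\'Neil';
echo '<input type="text" name="name" value="' . h($name) . "\">\n";
```

Run it with `php example.php` and view the output in a browser to see the script text rendered rather than executed. htmlspecialchars() with the same flags is enough for this purpose, since only the characters with HTML meaning need encoding; htmlentities() additionally converts every character that has a named entity, which is harmless but produces longer output.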


4 Responses to “PHP Security - Avoid SQL Injection and XSS Attacks”

  1. Louis Says:

    Thanks a lot. I was wondering if you know, regarding comment spam... would a comment form in Flash render me free of automated spam attacks? I've read that bots can't read Flash (yet)... do you know if this is true? Thanks again for your useful info for security.

  2. admin Says:

    Hi Louis. If you have a Flash form then it will be harder for a bot to submit to. But you will still have a back-end page to receive these inputs and a way for spam to be posted.

    You also could use a captcha image on your form (even one that doesn't change). This would stop automated submissions but not spam from humans.

    Using a mailto: link is the easiest spam target.

    A proper contact form should be coded carefully. If hackers can change the email headers they can send mail from your server. Use http://swiftmailer.org/ on the back-end to get it right.

    thanks

  3. Ewan Says:

    Some simple but important tips/functions there. Cheers!

  4. Php tutorial Says:

    I can't believe I had to pay $1100 to learn this... when I could just learn it here.
