INTRODUCTION TO PHP AND MySQL – WRITING SECURE CODE

One of the most important things you can learn about PHP and MySQL is how to prevent your code from being an easy target to those who are malicious. There is no way to make your code completely hack-proof, but you can go a long way to securing it by following certain practices.

This is not an exhaustive coverage of all the ways that a hacker can get into your site, but it is the equivalent of keeping your car safe by removing your keys and locking your doors.

You might think that the chance of your site being hacked is slight, but remember that hackers can find your site and its vulnerabilities the same way that Google scans your site for search indexes.

You will learn what is meant by three common threats - cross-site scripting, cross-site request forgery, and SQL injection. You will then learn proper coding habits, which mitigate those and other threats.

UNDERSTANDING COMMON THREATS

Cross-site scripting (XSS), a type of code injection, embeds malicious code inside innocent-looking data that is later output; for instance, when a user enters a search term it is usually displayed on the screen with the results. If, instead of an innocent word, the data entered were JavaScript, that code would run when the search term was output to the screen. Attackers can use this to install scripts that log your keystrokes and track where you go.

Cross-site request forgeries (CSRF, XSRF) work by allowing an attacker to hijack a user’s session so that the hacker can use an authenticated user’s authority or identity. Requests from the attacker look like they are legitimate responses from forms on your website. The attacker is able to do such things as post comments as a different person, transfer funds to another person’s account, or do a distributed password-guessing attack. Attackers can alter your website to trick your users into linking to their site where the hacker can then have control.
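The usual defence is to tie every state-changing form to a secret token that only a page served by your own site can know. The following is an added example (not the handout's own code) of such a check in plain PHP: the token is generated once per session, embedded in the form as a hidden field, and compared with `hash_equals` on every POST. The comment form and its field names are assumptions for the illustration.

```php
<?php
// Added example, not from the handout: a per-session CSRF token that every
// state-changing POST must carry. A forged request from another site cannot
// read the token out of the victim's session, so it fails the check.
session_start();

// Issue one token per session; random_bytes() is cryptographically secure.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare in constant time so timing does not leak the token.
function csrf_check($submitted): bool
{
    return isset($_SESSION['csrf_token'])
        && is_string($submitted)
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token.');
    }
    // Only now is it safe to act on the request (save the comment, etc.).
    echo '<p>Comment accepted.</p>';
}
?>
<!-- The hidden field carries the token back; it is escaped like any output. -->
<form method="post" action="">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <textarea name="comment"></textarea>
  <button type="submit">Post comment</button>
</form>
```

Keep the token check on every route that changes state, not just the one that renders the form, and regenerate the session id with `session_regenerate_id(true)` after login so a fixed session cannot be reused.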

SQL Injections are where a hacker injects his own code to alter your database queries, enabling him to access, alter, or even destroy your database. The dynamic power of the PHP/MySQL combination is using PHP variables and expressions when creating queries and updates to the database. If you use input directly from a user in creating those queries, a malicious user can effectively change your innocent queries into different queries that give him direct access to your database.
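The fix is to keep user data out of the SQL text altogether by using prepared statements. The following added example (not code from the handout) shows a search query built the unsafe way, commented out, next to the same query as a `mysqli` prepared statement; the connection details and the `books` table are placeholders.

```php
<?php
// Added example, not from the handout. Connection values are placeholders.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
if ($db->connect_error) {
    die('Database connection failed');
}
$db->set_charset('utf8mb4');

$term = $_GET['term'] ?? '';

// UNSAFE: the user's text is pasted straight into the SQL. A value containing
// a single quote ends the string literal early and the remainder is parsed as
// SQL, which is exactly the injection the handout describes.
// $result = $db->query("SELECT title FROM books WHERE title = '$term'");

// SAFE: a prepared statement sends the query shape and the data separately, so
// the value is only ever treated as data, whatever characters it contains.
$stmt = $db->prepare('SELECT title FROM books WHERE title = ?');
$stmt->bind_param('s', $term);   // 's' = bind as a string
$stmt->execute();
$result = $stmt->get_result();

while ($row = $result->fetch_assoc()) {
    // Escape on output too: a value stored in the database is still user data.
    echo htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'), "<br>\n";
}

$stmt->close();
$db->close();
```

The same pattern applies to INSERT and UPDATE statements; the only things that cannot be bound as parameters are identifiers (table and column names) and keywords, which should come from a fixed whitelist in your code rather than from the request.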

USING PROPER CODING TECHNIQUES

The first rule of writing secure code is to never trust your users. They will give you data you do not expect, either intentionally or unintentionally. You need to check all data that a user submits or could intercept. This includes information from forms or data from POSTs, GETs or cookies. You should check variables for the proper type of data, for malicious data and for any character substitutions required, such as changing & to &amp; before displaying in HTML.

There are several ways of sanitizing your data, such as these:

We will experiment with the use of some of these functions. It is important to examine not only what appears in the browser – but also the source code.

You should look up any new function that you use in the official PHP documentation at and try to explain what has happened.

1. Create a new folder in your My PHP Sites folder called Writing Secure Code.

2. Create a new Dreamweaver site pointing to the Writing Secure Code folder. You will need to add Remote Info and Testing Server information, and create a new folder on the server Writing Secure Code to which you will publish.

3. Create a new file saved as sanitizing.php, as shown below:

Sanitizing Input

................
................
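The handout's own sanitizing.php is not reproduced here. As an added example of what such a page can contain, the file below (my code, not the handout's) takes a search term, an age and an e-mail address from a form, validates the typed values with `filter_var`, and escapes everything before it is written into HTML, which is the output-escaping defence against the cross-site scripting described earlier. The default values are constructed so the page renders on a plain GET; try submitting text containing `&`, `<` or quotes and compare what the browser shows with what "view source" shows.

```php
<?php
// sanitizing.php -- an added example, not the handout's version of the file.
// Load it in a browser, submit awkward input, and compare the rendered page
// with the page source: the characters are still there, but as entities.
declare(strict_types=1);

// Escape a string for safe insertion into HTML text or attribute values:
// & becomes &amp;, < becomes &lt;, > becomes &gt;, quotes become entities.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Validate (not merely escape) values that must have a particular shape.
// Returns null when the value is not an integer in [$min, $max].
function clean_int($value, int $min, int $max): ?int
{
    $n = filter_var($value, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $n === false ? null : $n;
}

// Returns null unless the value is a syntactically valid e-mail address.
function clean_email($value): ?string
{
    $m = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $m === false ? null : $m;
}

// Form input; the defaults are constructed samples so the page renders on GET.
$search = (string) ($_POST['search'] ?? 'Tom & Jerry <b>bold</b>');
$age    = clean_int($_POST['age'] ?? '42', 0, 150);
$email  = clean_email($_POST['email'] ?? 'someone@example.com');

// Never echo $search unescaped: the browser would parse it as HTML/JavaScript.
?>
<!DOCTYPE html>
<html lang="en">
<head><meta charset="utf-8"><title>Sanitizing Input</title></head>
<body>
<h1>Sanitizing Input</h1>

<form method="post" action="">
  Search: <input name="search" value="<?= e($search) ?>"><br>
  Age: <input name="age" value="<?= e((string) ($age ?? '')) ?>"><br>
  Email: <input name="email" value="<?= e($email ?? '') ?>"><br>
  <button type="submit">Submit</button>
</form>

<h2>Escaped output</h2>
<p>You searched for: <?= e($search) ?></p>
<p>With tags stripped first: <?= e(strip_tags($search)) ?></p>

<h2>Validated values</h2>
<p>Age: <?= $age === null ? 'not a valid age' : $age ?></p>
<p>Email: <?= $email === null ? 'not a valid e-mail address' : e($email) ?></p>
</body>
</html>
```

Note the division of labour: `filter_var` decides whether a value is acceptable at all, while `e()` makes whatever is displayed harmless to the HTML parser. Escaping is done at the point of output, not when the data is stored, because the same value may later be used in a database query, an e-mail, or a URL, each of which needs different treatment.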
