Posted by: Shofiur Rahman

Posted on: July 11, 2012 4:13 pm

-

Website Attacks

Every day hackers are discovering new exploits and hacking techniques. We can defend some categories of attacks in our PHP script.

Abusing register_globals

It is a setting in php.ini that controls the auto population of variables with the same name as form elements or cookies. If register_globals set to on then it may bring a disaster for your website.

Since PHP 4.2.0, the default value for register_globals is off. But often web hosts will re-enable register_globals to provide compatibility with older scripts. We can get clear concept of register_globals on or off with the following example.

Suppose username is a form element. With register_globals ‘off’, the only way to get the value of this form element using $_POST or $_GET array, depending on form action method. On the other hand, when register_globals is ‘on’, the username field value is accessible using $_POST, $_GET and $username as well.

If you are not able to disable register_globals in php.ini, you can turn it off use an .htaccess file.

php_flag register_globals off

SQL Injection Attacks

SQL injection attacks are simply the inclusion of malicious SQL statements in the place of what should normally be inoffensive data. SQL injection preys on a lack of input scrubbing and data validation.

SQL injection is fairly avoidable with an insignificant preparation and thorough coding practices. If magic_quotes_gpc is enabled, PHP automatically escapes any escape characters (e.g. apostrophes). Unluckily, this activities is applied to all GET, POST and Cookie variables in spite of whether they are going to used in a SQL statement or not. Most of the time it can be annoying. To make sure the data is escaped only when we need it to be, we can turn off magic_quotes_gpc in php.ini, and use addslashes() on all data that is being passed to MySQL. The addslashes() function will automatically escape any unsafe characters so our input will not choke MySQL.

Cross-Site Scripting

Cross-Site Scripting abbreviated XSS, cross-site scripting is the abuse of unfiltered dynamic output, where the invader has the skill to add or change the page’s generated markup. Most commonly, this means the addition of a small bit of JavaScript to the output of a page, which then does something ominous, such as trick another user into revealing their login credentials or credit card information, or possibly divulging cookie or session information for immediate account compromise.

Shofiur Rahman

Shofiur Rahman

As a professional web engineer, Shofiur is our Lead Web Developer and boasts years of experience with relevant applications and software. He is in the perfect position to bring our readers up to date with the latest development trends, including ideas relating to the Web 3.0 concept.
-
-

Tags: , ,

Authors
Categories
Archives
Blogroll