
Ways I can protect my site excluding XSS and Sql injection?


So, members of my website can post topics, replies, comments, edit them and so on. I always use htmlspecialchars and addslashes for html inputs to protect my site against XSS and SQL injection attacks. Is it enough or is there something more I miss?
Thanks.

good_evening asked Jun 02 '10 15:06



2 Answers

There is a lot that can go wrong with a web application. Other than XSS and SQLi, there is:

  1. CSRF - Cross Site Request Forgery
  2. LFI/RFI - Local File Include/Remote File Include caused by include(), require()...
  3. CRLF injection in mail()
  4. Global Variable Namespace Poisoning commonly caused by register_globals, extract(), import_request_variables()
  5. Directory Traversal: fopen(), file_get_contents(), file_put_contents()
  6. Remote Code Execution with eval() or preg_replace() with /e
  7. Remote Code Execution with passthru(), exec(), system() and ``

There is a whole family of vulnerabilities regarding Broken Authentication and Session Management which is a part of the OWASP Top 10 that every web app programmer must read.

A Study In Scarlet is a good black paper that goes over many of these vulnerabilities that I have listed.

However, there are also strange vulnerabilities like this one in WordPress. The definitive authority on what is a vulnerability is the CWE system which classifies HUNDREDS of vulnerabilities, many of which can affect web applications.

rook answered Oct 05 '22 08:10
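Three of the items on the list above (CSRF, directory traversal through file functions, and CRLF injection into mail() headers), as a defender would check them in PHP. This is an added example, not code from the answer or from any project it mentions; the function names, the session array and the temporary upload directory are assumptions made for the demonstration.

```php
<?php
// Added example (not code from the answer): defensive checks for three items on
// the list above, written for PHP 7.1+. Function names, the session array and
// the temporary upload directory are constructed for this example.
declare(strict_types=1);

// --- CSRF: a random per-session token, compared in constant time. ---
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function csrfValid(array $session, array $post): bool
{
    // hash_equals() keeps the comparison time independent of where the first
    // mismatching byte is.
    return isset($session['csrf_token'], $post['csrf_token'])
        && is_string($post['csrf_token'])
        && hash_equals($session['csrf_token'], $post['csrf_token']);
}

// --- Directory traversal: resolve the path, then require it to stay under the base. ---
function safeUserFile(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks; it returns false when the
    // target does not exist, which this function also treats as a rejection.
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false) {
        return null;
    }
    // Compare against base plus separator so a sibling directory whose name
    // merely starts with the base name is not accepted.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// --- CRLF injection in mail(): a header value may never contain a line break. ---
function safeHeaderValue(string $value): ?string
{
    return preg_match('/[\r\n]/', $value) === 1 ? null : $value;
}

// Constructed demonstration data.
$session = [];
$token   = csrfToken($session);
var_dump(csrfValid($session, ['csrf_token' => $token]));
var_dump(csrfValid($session, ['csrf_token' => 'not-the-token']));
var_dump(csrfValid($session, []));

$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'uploads_' . bin2hex(random_bytes(4));
mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'avatar.png', 'constructed file contents');
file_put_contents($base . '_outside.txt', 'must stay unreachable');  // sibling of $base
var_dump(safeUserFile($base, 'avatar.png'));
var_dump(safeUserFile($base, '..' . DIRECTORY_SEPARATOR . basename($base) . '_outside.txt'));
unlink($base . DIRECTORY_SEPARATOR . 'avatar.png');
unlink($base . '_outside.txt');
rmdir($base);

var_dump(safeHeaderValue('user@example.com'));
var_dump(safeHeaderValue("user@example.com\r\nBcc: everyone@example.com"));
```

The traversal check deliberately compares against the base directory plus a trailing separator: a plain prefix comparison would accept a sibling such as `uploads_abcd_outside.txt` because its name begins with the base directory's name. Rejecting non-existent targets is a side effect of realpath() and is acceptable here; a file that does not exist cannot be served anyway.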


You should use prepared statements (see PDO) to prevent SQL injection. When outputting the content htmlspecialchars() seems sufficient to prevent XSS.

Also take a look at these links for more ways to protect your site:

http://phpsec.org/projects/guide/

http://cwe.mitre.org/top25/#Listing

http://www.owasp.org/index.php/Top_10_2010-Main

TheMagician answered Oct 05 '22 06:10
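The question's addslashes() string-building beside the PDO prepared statement this answer recommends, followed by output encoding with htmlspecialchars() at render time. This is an added example, not code from the question or from either answer. It uses an in-memory SQLite database so it runs offline; the comments table, its columns and the sample input are constructed.

```php
<?php
// Added example (not code from the answer): the question's addslashes()
// string-building beside a PDO prepared statement, plus output encoding
// for the HTML context. Uses an in-memory SQLite database so it runs
// offline; the table, column names and sample input are constructed.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Constructed input: what a forum member might post.
$author = "mallory' OR '1'='1";
$body   = "<script>alert(document.cookie)</script> nice post";

// BEFORE (the pattern from the question, built but never executed here): the
// query is assembled as a string. addslashes() knows nothing about the
// connection's character set or the SQL dialect (SQLite, for one, escapes a
// quote by doubling it, not with a backslash), and one forgotten call site is
// enough to reintroduce the injection.
function legacyInsertSql(string $author, string $body): string
{
    return "INSERT INTO comments (author, body) VALUES ('"
        . addslashes($author) . "', '" . addslashes($body) . "')";
}

// AFTER: the SQL text is fixed at prepare time; values travel as parameters,
// so the quote characters in $author are data, not syntax.
$insert = $pdo->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
$insert->execute([':author' => $author, ':body' => $body]);

$select = $pdo->prepare('SELECT id, author, body FROM comments WHERE author = :author');
$select->execute([':author' => $author]);
$rows = $select->fetchAll(PDO::FETCH_ASSOC);

// Output encoding at render time, not at storage time: encode for HTML element
// content and quoted attributes, all quote styles, with an explicit charset.
// htmlspecialchars() does not make data safe inside <script>, inside a URL,
// or in an unquoted attribute; those contexts need their own encoding.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

printf("Rows matching the literal author string: %d\n", count($rows));
foreach ($rows as $row) {
    echo '<p><b>' . e($row['author']) . '</b>: ' . e($row['body']) . "</p>\n";
}
echo 'Legacy SQL would have been: ' . legacyInsertSql($author, $body) . "\n";
```

Storing the raw text and encoding on output is what lets the same comment be rendered safely in HTML today and, say, in a JSON API tomorrow; encoding before storage ties the data to one output context and is the usual source of double-encoded `&amp;amp;` artifacts.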