These days I am studying web security (under the Web Security course module of the Northubria University MIS) and I find it very interesting. Therefore I thought of writing a little about web security, and to be specific I will write about PHP.
On the world wide web this can be found under the name "PHP hack", and I was interested in getting to know how PHP hacks can be eliminated. Knowing about them is very important and will help you design and develop a hack-free web site if your scripts are in PHP. While reading, keep in mind that I am new to this stuff.
I am not going to talk about SQL injection attacks here. (Note that SQL injection has nothing to do with eval(): it happens when form data is pasted straight into an SQL query string, and the usual defence is a prepared statement with bound parameters.) For the time being I have skipped it, and if you are interested enough please google it.
Form fields are one place where developers should pay close attention. For instance, consider the following situation: a field where the user enters their address. The entered value is checked against a length limit, and if the predefined length is not exceeded the input is considered valid. This seems good enough to verify that the user entered an address, as long as the address does not have to follow any defined format (bear in mind I am talking about a snail mail address). However, even though it validates the input's length, it does not verify that the input is risk free: a perfectly short address can still carry HTML tags or script that do damage the moment the value is echoed back into a page.
No sophisticated functions are needed; this can be achieved with a simple str_replace(). The following code will do what is needed.
If you like, the following functions are also on your side. Please try them and see.
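As an added example (this is not the post's own code, which did not survive on this page), here is the str_replace() approach the post describes next to the approach I would actually recommend for a value that ends up in HTML, htmlspecialchars(). The address string is a constructed sample input.

```php
<?php
declare(strict_types=1);

// Added example, not the post's own code: two ways of making a free-text
// address field safe to echo back into a page.

// What the post describes: strip a handful of risky characters with
// str_replace(). This is a blacklist, so any character you forgot to list
// still goes through, and the stored text is no longer what the user typed.
function strip_risky_chars(string $input): string
{
    return str_replace(['<', '>', '"', "'", '\\', ';'], '', $input);
}

// Safer and more general: keep the value exactly as entered and encode it
// for the context it is used in. For HTML bodies and attribute values that
// is htmlspecialchars() with ENT_QUOTES, so single quotes are encoded too.
function for_html(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input: a "snail mail" address carrying a script tag.
$address = "12 High St<script>alert('x')</script>, Newcastle";

echo "stripped: ", strip_risky_chars($address), PHP_EOL;
echo "encoded:  ", for_html($address), PHP_EOL;
```

Run from the command line, the stripped version comes out as `12 High Stscriptalert(x)/script, Newcastle`: harmless, but mangled, and only because `<` and `>` happened to be on the list. The encoded version keeps the user's text intact and the browser displays the tag as literal text instead of executing it. Escaping is context specific: a value going into an SQL query, a shell command or a URL needs that context's escaping (prepared statements, escapeshellarg(), urlencode()), not htmlspecialchars().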
Further, please do not use the eval() function unless you understand it and the security risks that come with it. My free advice: use eval() ONLY if you have no choice. The same applies to system(), passthru() and exec() (and to shell_exec() and the backtick operator, which do the same thing), because they hand a string to the operating system shell.
Another important function is escapeshellarg(). It does not simply put a backslash in front of characters like ', " and ;. Instead it wraps the whole value in single quotes and escapes any single quotes inside it, so that the shell treats the value as one literal argument and characters such as ; | and " lose their special meaning. Do not confuse it with addslashes(), which only prefixes ' " \ and NUL bytes with a backslash and is not a shell-safety function.
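As an added example (not from the post), the following shows what escapeshellarg() changes, using a hypothetical "ping this host" form. The `$host` value stands in for something read from `$_POST`, and the attacker's input is constructed; the `ping -c 1` flag is the Unix form.

```php
<?php
declare(strict_types=1);

// Added example, not the post's own code: what escapeshellarg() actually
// does. $host stands in for a value taken from $_POST; the attacker's input
// is constructed for the demonstration.
$host = "example.com; id";

// Unsafe: the value is pasted straight into the command line. The shell
// sees two commands, "ping -c 1 example.com" and then "id".
function build_unsafe(string $host): string
{
    return 'ping -c 1 ' . $host;
}

// Safe: escapeshellarg() wraps the value in single quotes and turns any
// embedded single quote into '\'' so the shell receives ONE argument and
// the ';' is just a character inside it.
function build_safe(string $host): string
{
    return 'ping -c 1 ' . escapeshellarg($host);
}

// Better still: validate against an allow-list first, then escape anyway.
// exec() returns the last output line; all lines are collected in $out.
function safe_ping(string $host): string
{
    if (!preg_match('/^[A-Za-z0-9.-]{1,253}$/', $host)) {
        throw new InvalidArgumentException('not a valid host name');
    }
    $out = [];
    $status = 0;
    exec('ping -c 1 ' . escapeshellarg($host), $out, $status);
    return implode("\n", $out);
}

echo build_unsafe($host), PHP_EOL;
echo build_safe($host), PHP_EOL;
```

build_unsafe() produces `ping -c 1 example.com; id`, which the shell happily runs as two commands; build_safe() produces `ping -c 1 'example.com; id'`, a single argument that ping rejects as a host name. safe_ping() never even reaches exec() for that input because the allow-list regex rejects it. One caveat for practitioners: on Windows, escapeshellarg() behaves differently (it uses double quotes and replaces %, ! and " with spaces), so do not assume identical results across platforms.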
Avoid using GET to send form data and use the POST method instead. In some situations POST is not possible, but unless you are in such a situation always use POST for form data submission. Keep in mind, though, that POST only keeps the data out of the URL, the browser history and the server logs; it does not stop an intruder from sending whatever they like, so it is no substitute for checking the input on the server.
Checking input only on the client side (for example with JavaScript in the browser) is not good practice: each and every test you perform on the client side must be repeated on the server side as well. Otherwise intruders can bypass the browser entirely and send false information straight to the server, which is blind if it does not check the input itself and assumes the client-side checks were enough. Therefore you need good security not only on the client side but, most importantly, on the server side.
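As an added example (not the post's own code), here is the server side of the address form: the same length and character checks the browser might do in JavaScript, performed again in PHP, plus the insistence on POST. The request method and form fields are passed in as parameters so the logic can be exercised from the command line with constructed requests; the 200-character limit, the allowed-character list and the mbstring extension (for counting characters rather than bytes) are all assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not the post's own code: the address check done on the
// server regardless of what the browser's JavaScript did or did not do.
// Assumes the mbstring extension for character (not byte) counting.

const ADDRESS_MAX_LEN = 200; // assumed limit

// Returns a list of error messages; an empty list means the value is acceptable.
function validate_address(?string $address): array
{
    if ($address === null || trim($address) === '') {
        return ['address is required'];
    }
    if (!mb_check_encoding($address, 'UTF-8')) {
        return ['address must be valid UTF-8'];
    }
    $address = trim(str_replace("\r\n", "\n", $address));
    $errors = [];
    if (mb_strlen($address, 'UTF-8') > ADDRESS_MAX_LEN) {
        $errors[] = 'address is longer than ' . ADDRESS_MAX_LEN . ' characters';
    }
    // Allow-list: letters, digits, spaces, newlines and common address
    // punctuation. Anything else (including < > and quotes) is rejected.
    if (!preg_match('/^[\p{L}\p{N} \n.,\'\/#-]+$/u', $address)) {
        $errors[] = 'address contains characters that are not allowed';
    }
    return $errors;
}

// Returns [HTTP status, response body]. Method and fields are parameters
// instead of $_SERVER / $_POST so the same logic runs from the command line.
function handle_submission(string $method, array $form): array
{
    if ($method !== 'POST') {
        return [405, 'form must be submitted with POST'];
    }
    $errors = validate_address($form['address'] ?? null);
    if ($errors !== []) {
        return [400, implode('; ', $errors)];
    }
    // Validated, but still escaped when it is displayed.
    return [200, 'thanks, ' . htmlspecialchars($form['address'], ENT_QUOTES, 'UTF-8')];
}

// Constructed requests: a normal submission, a GET, a submission that
// skipped the browser's checks, and an over-long value.
foreach ([
    ['POST', ['address' => "12 High St\nNewcastle, NE1 1AA"]],
    ['GET',  ['address' => '12 High St']],
    ['POST', ['address' => '12 High St<script>alert(1)</script>']],
    ['POST', ['address' => str_repeat('a', 300)]],
] as [$method, $form]) {
    [$status, $body] = handle_submission($method, $form);
    echo $status, ' ', $body, PHP_EOL;
}
```

The first request is accepted, the GET is refused with 405, and the last two are refused with 400 no matter what the browser did before submitting. The allow-list is deliberately strict; widen it for the addresses you actually need to accept rather than switching to a blacklist of "dangerous" characters.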
Looking forward to writing more soon, keep reading...