Make More Secure PHP Applications
(presented by www.spyware-remover-free.net - spyware remover)
By Bugra Bayramoglu
PHP is a very useful programming and web scripting language. It is also easy to learn if you know C, Perl, etc.
But like everything good, it has some difficulties. Let's start with SQL injections…
If you are writing a dynamic web site, you must use a database system like MySQL. MySQL is the most popular one. Suppose you write a query like this:
Select * from adsense where col=1;
As you can see, there is no ' around the value, so the attacker can write his own query and bypass yours. You can lose your private information and your site can be hacked.
To protect your site, use type casting. If your parameter is an integer, use the intval() function to protect your website from malicious strings.
If your parameter is a string, you must use the addslashes() function.
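<?php
// String parameter: escape quotes with addslashes()
$query = "Select * from computers where os='" . addslashes($_GET['os']) . "'";
mysql_query($query); // legacy mysql_* API (removed in PHP 7)
// Integer parameter: cast with intval()
$query = "Select * from computers where can_execute_php=" . intval($_GET['type']);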
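The unquoted numeric case described above, as an added example that is not part of the original article: it runs the same kind of query against a constructed in-memory SQLite table through PDO (an assumption; the article uses MySQL), first with the parameter concatenated as-is, then with intval(). Going beyond the article, it also shows a bound parameter. The function names and the sample rows are hypothetical.

```php
<?php
// Added example: constructed in-memory table, not the article's database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE computers (id INTEGER PRIMARY KEY, os TEXT, can_execute_php INTEGER)');
$db->exec("INSERT INTO computers (os, can_execute_php) VALUES ('linux', 1), ('windows', 0), ('bsd', 0)");

// Constructed request parameter, standing in for $_GET['type'].
$type = '1 OR 1=1';

// Unprotected: the parameter becomes part of the SQL text.
function count_unprotected(PDO $db, string $type): int {
    $sql = 'SELECT COUNT(*) FROM computers WHERE can_execute_php=' . $type;
    return (int) $db->query($sql)->fetchColumn();
}

// The article's fix: intval() reduces the parameter to an integer first.
function count_intval(PDO $db, string $type): int {
    $sql = 'SELECT COUNT(*) FROM computers WHERE can_execute_php=' . intval($type);
    return (int) $db->query($sql)->fetchColumn();
}

// Generalization: a bound parameter never joins the SQL text at all.
function count_prepared(PDO $db, string $type): int {
    $stmt = $db->prepare('SELECT COUNT(*) FROM computers WHERE can_execute_php = ?');
    $stmt->execute([$type]);
    return (int) $stmt->fetchColumn();
}

// Compare how many rows each variant matches for the same input.
printf("unprotected: %d\n", count_unprotected($db, $type));
printf("intval():    %d\n", count_intval($db, $type));
printf("prepared:    %d\n", count_prepared($db, $type));
```

Run it with the PHP command line (the pdo_sqlite extension is required); the unprotected variant matches every row, while the other two treat the parameter as a single value.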
2-) XSS attacks
XSS means cross-site scripting. It relies on stealing sessions and cookies with JavaScript code.
If the script writes the parameter to the document without filtering, an attacker can enter JavaScript code and reach the cookie through document.cookie in JavaScript.
To be protected, you must use the htmlspecialchars() function. It filters special HTML characters.
<?php
echo htmlspecialchars($_GET['my_string_parameter']);
?>
3-) PHP injections
The eval() function in PHP causes PHP injections, and an attacker can execute PHP code. There is no code that protects you. You must choose the string carefully before you pass it to eval().
Bugra is a coder and security tester. He has reported a lot of well-known vulnerabilities, such as Hotmail XSS and Yahoo XSS.










