Hey everyone, so at work we’ve had a couple vulnerabilities pop up so I was privileged with writing this up and I wanted to share it with you. I hope you find it interesting! Sorry it’s such a long read. There’s two parts, one for SQL injection and one for Cross Site Scripting.
SQL Injection Check out SQL injection on OWASP
SQL injection is, simply put, a user adding additional requests to your database calls. For instance if you ask for a search term and compare that term to the database with something like:
SELECT title, author, text FROM books WHERE text LIKE ‘%$input%’
Developers can defend against SQL injection by validating all inputs. This means that we use a function that strips away characters that is required to run SQL from that input.
validateInput() would be a function we define that removes characters such as
*, `, or “. Something else to put in your validateInput() function would be PHP’s MySQLi escape function. It’s also wise to not allow Users to type in what tables they want to access in the database. Use separate queries instead of a dynamic one.
One of the simplest ways to test your inputs is to add ” or 1=1” to the end of the input. If we put ”’something%’ OR 1=1”’ into the example above we get:
SELECT title, author, text FROM books WHERE text LIKE ‘% ”’something%’ OR 1=1”’ ‘
Cross Site Scripting (XSS )
Check out XSS on OWASP
Just like the input we use for SQL queries we need to validate all inputs! I can’t say that enough. If the page is grabbing something, we need to pass it to a function that strips out anything illegal. In XSS’s case, we want to remove anything that is or could be a tag.
Our validation function needs to remove all tags, and the easiest way to do that is with PHP’s strip_tags function!
that your site is indeed vulnerable to XSS.
* In general, assume that all users are vicious hackers trying to break your brand new website.
* Do NOT use user input for HTML comments, scripts, attributes, or CSS. ”’EVER”’
* Consider hiding SQL errors on live sites, Hackers use the information to understand the database layout.
* When taking input from a user, minimize their possible choices as much as possible.
Example: Ages – Should only be positive whole numbers, no special characters.
Example: Email – Should be a string @ string . string. Now might be a good time to learn regex
Example: Names – Should NOT have punctuation or special characters.