
Security in PHP web pages

Security must be a constant concern for every web developer, whatever the product.

This article opens a series that explores basic security issues around SQL injection through web forms and URL parameters.

Examples of code with security flaws are presented, together with the way to avoid them.

So let's start with a simple login form implemented with the following code:




In this example the code checks whether the query returned at least one database record and, if so, assumes that the credentials provided are correct.

The biggest mistake is concatenating the values received from the form directly into the SQL statement, which lets the user manipulate the statement at will.

Regardless of the user name entered, typing the following text into the password field is enough to make the login succeed: o' or 1=1 #

With this text the WHERE clause becomes username = '...' AND password = 'o' or 1=1 #'. Since AND binds tighter than OR, the condition reads (username = '...' AND password = 'o') OR 1=1, which is true for every row, so the statement always returns records. The # at the end turns the rest of the line, including the closing quote the code appends, into a comment, because # is the comment symbol in MySQL.

The solution is to use parameters: the statement is prepared with placeholders and the form values are bound to them separately, so the database never parses user input as SQL. The following code resolves the problem:
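The vulnerable login check and the prepared-statement fix side by side, as an added example that is not the post's own code. It assumes PHP with the pdo_sqlite extension and runs against an in-memory SQLite database with a constructed users table, so it works offline; because # starts a comment only in MySQL, the post's payload is written here with the equivalent -- line comment that SQLite understands.

```php
<?php
// Added example, not code from the original post.
// Assumptions: PHP 7.4+ with the pdo_sqlite extension. An in-memory SQLite
// database stands in for MySQL so the script runs without a server; the
// table, user names and passwords below are constructed for this demo.

declare(strict_types=1);

function connect(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Passwords are stored in clear text only to mirror the post's example;
    // a real application stores password_hash() output and checks it with
    // password_verify() after fetching the row by user name.
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
    $db->exec("INSERT INTO users (username, password) VALUES ('alice', 'correct horse'), ('bob', 'hunter2')");
    return $db;
}

// VULNERABLE: the form values are concatenated straight into the statement,
// so quotes and comment markers in the input change the statement itself.
function loginVulnerable(PDO $db, string $user, string $pass): int
{
    $sql = "SELECT * FROM users WHERE username = '" . $user . "' AND password = '" . $pass . "'";
    echo "  statement sent: $sql\n";
    $rows = $db->query($sql)->fetchAll();
    return count($rows); // the post's check: a non-empty result means "logged in"
}

// FIXED: the statement is prepared with placeholders and the values are bound
// separately; whatever characters $pass contains, it is only ever a value.
function loginPrepared(PDO $db, string $user, string $pass): int
{
    $stmt = $db->prepare('SELECT * FROM users WHERE username = :u AND password = :p');
    $stmt->execute([':u' => $user, ':p' => $pass]);
    return count($stmt->fetchAll());
}

$db = connect();

// The post's payload is "o' or 1=1 #". SQLite has no '#' comment syntax, so
// the equivalent "-- " line comment is used; the mechanics are identical.
$payload = "o' or 1=1 -- ";

echo "vulnerable, valid credentials:\n";
printf("  -> %d row(s)\n", loginVulnerable($db, 'alice', 'correct horse'));
echo "vulnerable, wrong password:\n";
printf("  -> %d row(s)\n", loginVulnerable($db, 'alice', 'nope'));
echo "vulnerable, unknown user with the payload as password:\n";
printf("  -> %d row(s)\n", loginVulnerable($db, 'nobody', $payload));
echo "prepared, unknown user with the payload as password:\n";
printf("  -> %d row(s)\n", loginPrepared($db, 'nobody', $payload));
echo "prepared, valid credentials:\n";
printf("  -> %d row(s)\n", loginPrepared($db, 'bob', 'hunter2'));
```

Run it with php on the command line. The vulnerable path returns every user for the payload, because the statement printed before each query shows the condition has become (username = 'nobody' AND password = 'o') OR 1=1 with the trailing quote commented out, while the prepared path returns no rows for the same input and still matches genuine credentials. The same fix applies with mysqli, whose prepare() and bind_param() methods play the role of PDO's prepare() and execute() here.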





What is the best method for storing images in a server? That's a discussion that we will never see the end. In my opinion, has in everything in life, it depends. But in this post we will not contribute to that dilemma. The objective of this post is to show how to store the pictures in an Access database. We start by creating a new project in VS 2013. Next, we create a class that will manage the database. In this class we will need a reference to a DLL that is responsible for creating the database file. In the Reference Manager with search in the COM section.    Back in the class with add a namespace: using ADOX; Now let's add three properties to the class: the path to the database file, a connection string and an object to make the connection with the database. class BaseDados     {         string caminhoBD;         string strLigacao;         OleDbConnection ...