Avançar para o conteúdo principal

Security in PHP web pages

One concern that must be present in all Web developers is the security of their products.

In this article we start a series of articles which will explore some basic security issues related to injecting SQL statements into web forms or URL parameters.

Examples of code with security issues and how to avoid them are presented.

So let's start with a simple login form implemented with the following code:




In this example, the code checks to see if more than one database record has been returned, thereby assuming that the credentials provided are correct.

The biggest mistake involves concatenating the values ​​received from the form with the SQL statement, thus allowing the user to manipulate the instruction to his or her own pleasure.

Regardless of the user name entered, simply type in the password the following text if you choose to indicate that the login has been successfully completed: o' or 1=1 #

With this text the SQL statement will always return a record because 1 equals 1. The # at the end lets you ignore the rest of the statement as it is the symbol for comments in MySQL.

The solution to this problem is to use parameters, preparing the statement before executing it. So the following code resolves this problem:





Comentários

Mensagens populares deste blogue

Single Page App with C# WPF/XAML

 In this post we are going to create a single page app. The app will have multiple pages that get rendered in the main window. We will be using Visual Studio, C#, WPF and XAML. Let's start by creating a new project in Visual Studio of this type: Next, in the MainWindow, we define the interface structure. On the left side we place a menu and on the right side a DockPanel with a Frame in it. The Frame is the element that is used to render de pages content. Now let's add the new pages. In this example I will add two pages. Click in the Solution Explorer with the mouse right button, then choose Add and Page. The project looks like this. The app content goes on the recently create pages. Because this is just an example I will just change the background color and add a small text. Page1 Page2 Finally the code. Back to the MainWindow we need to create the click events on the menu items. So, in the MenuItem line add the click event and pick New Event Handler. If that option doesn't...

Let's make a car in Unity 3D

In this post we will make a simple car in Unity 3D. The Unity 3D physics engine is used in order to give the car a real behavior. This are the steps: [1] - Create a new Project

ASP.NET MVC with Entity, Identity and Migrations Part 2 - Dropdownlist

In the second part of this MVC tutorial we add a dropdown list to select the user role when creating or editing a user. In the User model we must add a new field that represents an interface that stores the options: public IEnumerable<System.Web.Mvc.SelectListItem> perfis { get; set; } Now in the User controller the Create and Edit functions must be changed. Each function must add the options to the perfis interface before showing the view. Something like this:         // GET: Users/Create         public ActionResult Create()         {             //perfis options for the dropdownlist             var user = new User();             user.perfis = new[] {                 new SelectListItem{Value="0",Text="Admin"},                 new SelectLis...