Abdullah Rubiyath :: Alif's Web

• 1. SQL Injection
• 2. Cross Site Scripting (XSS)
• 3. Cross Site Request Forgery (XSRF)

1. SQL Injection: SQL Injection is a way a user can enter 'malicious' input and resulting in getting access to someone else's account or can also cause severe damage to the database. To read more please check out the wiki. Consider the following case: There's a username / password form, and you have the following Code for validating user info:

$checkSQL = "SELECT * FROM user WHERE username LIKE '{$_POST['user']}' AND password LIKE '{$_POST['pass']}' ";
$sqlResult = mysql_query($checkSQL, $dbLink);

With the above SQL code, the visitor will be able to enter into the site. because 1=1 will be true and because -- is a comment on SQL, anything after that will be ignored. This is a simple attack. A user can even go a step further and add a command like 'DROP TABLE user' etc., which can be very dangerous. So, its important to escape (filter) user data.

For PHP 4/5 and people using the mysql_connect & mysql_query methods for carrying out query, there's this method called mysql_real_escape_string( ) to escape a string before carrying it out. But, I actually like to specifically filter out characters like '-', or '%', or quotes (single/double), they are never used in username or password anyway. So, I use this method to eliminate those characters.

strtr($userInput, array( '\' => '', '"' => '' , '--' => '', '%' => '') );

For people using PDO (if you are new to PDO, I would kindly ask you to read about it, it has many great features of traditional mysql_query), the SQL statement can be prepared and then executed. Example:

$stmt = $dbLink->prepare('SELECT * FROM user WHERE username LIKE ? AND password LIKE ?');
$stmt->execute(array($_POST['user'], $_POST['pass']));

Using Prepared statement can eliminate the possibility of SQL Injection, however, I still prefer to use the strtr method to filter out the content, just to be on the safe side.

#2. (Cross Site Scripting) XSS: Cross Site Scripting is a technique user can use to enter script tags into the page, and can cause damage to get access to the visitor's cookie information / hijack sensitive data. (visitors refer to people visiting your site). Read more at wiki

To eliminate this, htmlentities method can be used to convert every tag's '<' and '>' as well as single and double quote characters.

htmlentities($userData, ENT_QUOTES);

#3: Cross-Site Request Forgery (XSRF): This is a very interesting attack, its an attack by which say, if you have an online store, a visitor's purchase order can be made on your site without the visitor actually making the order. Read more on wiki

The way basically it works is this, the visitor visits another site were the following code is written:

<img src="http://www.mysite.com/shop/confirm_order.php" alt="confirm" />

When a visitor say has added some items on your site's store and has them on shopping basket, but has not checked out, and also didn't log out. He visits another site where the above img tag is there. What will happen is basically, the img will request that page to be executed, and since the visitor of your site has not logged out (i.e his cookie has not expired and he is considered logged in), the confirm_order.php page will be visited, and the order will be made. (Note: I realize this may not be a good example.. but I hope you get the rough idea)

To prevent this, I use this technique called 'tokenize' method, which I learned by reading O'reilly's PHP book. The idea is simple. A unique key or token should be created at the start of page and store in on Session, and also will be posted as a hidden field on the form. When visitor submits the form, then the token value stored at session will be matched with hidden Form's value to ensure that its coming from that page.

// store a unique value in session
$_SESSION['token'] = md5(time());
 
// now on the form.. add an extra hidden field
<input type="hidden" name="token" value="<?=$_SESSION['token']?>" />

if(!isset($_POST['token']) || $_POST['token'] != $_SESSION['token']) {
// error, form spoofing, return to users' page or do something else
}
// otherwise, carry out executing this page normally.