The most important basic principles of web programming

During a decade of active participation on Stack Overflow I was able to determine a set of reasons that lead to the most frequent questions on Q&A sites. It turned out that most questions are caused by not following a rather limited set of basic principles. These principles, although being universal, are almost as universally ignored or even violated in virtually every PHP tutorial out there. For some reason there is a huge gap between code written "for the education" and professionally written code. And I would say it's one of the biggest problems of the PHP community. And surprisingly, the difference is not in the professional code being more complex but on the contrary: the educational code is more elaborate, while at the same time being error-prone and insecure.

But the irony is, following the professional practices doesn't make your code more complex! All you need to do is to learn a few basic principles and it will make your code tidy and secure! I only have to add that the following set of rules is the generic right way of doing things. But the point is, your first approach should be generic, not exceptional.

There is a load of existing information on the web. Add certain terms, change phrasing or punctuation. Limit your search to a certain site, e.g. adding site: to your search phrase will limit the search to this site, or site: inurl:/r/php to even a single subreddit!

The application logic/display logic separation

It is not a rare exception but rather a rule that a PHP tutorial picked at random from Google, or a Udemy course, would straight up teach you how to make your code critically vulnerable to every possible attack out there. Also, a big problem with security recommendations is that they are either vague (like "don't trust user input", "all data must be sanitized", etc.) or put the emphasis on the wrong thing: the data source, not the destination. The good news: lately some tutorials have managed to get it right, at least with basic security.

And all this despite the fact that basic security rules are really simple and a no-brainer to follow! Refer to the following list for the concrete recommendations:

- SQL injection is completely mitigated by following two simple rules:
  - every string or number that needs to be added to the query must be added through a placeholder, and then the query executed using a prepared statement;
  - any other query part (such as a table/field name or a keyword) has to be filtered through a list of values explicitly written in your code.
- passwords must be hashed using a dedicated function, password_hash().
- all HTML output has to be encoded using htmlspecialchars() (unless it's deliberately HTML-formatted text).
- all JavaScript data must be encoded with json_encode().
- all data in the URL must be encoded using urlencode().
- a system error message should never be shown to a site user, being invaluable feedback for a potential attacker.
- a cookie can be forged and therefore should store either insignificant data or a cryptographically secure random identifier.
- the Location: header doesn't stop the code execution and therefore must be followed by an obligatory die/exit call (if it's not the last line of the code).
- a CSRF attack is mitigated by having a hidden field with a unique token that must also be stored in the session; these two must be compared on the form submit.
- when uploading files, the filename extension must be checked against a white list of allowed values. All MIME type-based checks are utterly unreliable security-wise. Ideally, a file must be renamed and given a server-generated name and extension. Even better: uploaded to a distinct server with all scripting turned off.

Disclaimer: of course this is not an exhaustive list of vulnerabilities but just a list of the most frequent issues in the learners' code.
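The two SQL injection rules from the list, applied with PDO. This is an added example and not code from the original post; it uses an in-memory SQLite database with constructed sample rows so it runs offline, and the table and column names (`users`, `id`, `name`, `email`, `age`) are assumptions. Note that a quote inside a bound value is just part of the data, while a column name that is not on the hard-coded list is rejected before it ever reaches the SQL string.

```php
<?php
// Added example (not from the original post): the two SQL injection rules with PDO.
// Constructed sample data in an in-memory SQLite database; schema is an assumption.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, age INTEGER)');
$pdo->exec("INSERT INTO users (name, email, age) VALUES
            ('alice', 'alice@example.com', 31),
            ('O''Brien', 'obrien@example.com', 27)");

// Rule 1: every value goes through a placeholder, never into the SQL string.
function findUsersByName(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name, email FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Rule 2: identifiers and keywords cannot be bound, so they are taken from
// lists written in the code. Anything not on a list is rejected.
function listUsersSorted(PDO $pdo, string $orderBy, string $direction): array
{
    $allowedColumns    = ['id', 'name', 'email', 'age'];
    $allowedDirections = ['ASC', 'DESC'];

    if (!in_array($orderBy, $allowedColumns, true)) {
        throw new InvalidArgumentException('Unknown sort column');
    }
    $direction = strtoupper($direction);
    if (!in_array($direction, $allowedDirections, true)) {
        throw new InvalidArgumentException('Unknown sort direction');
    }
    // Safe to interpolate: both parts are values from our own lists, not from the request.
    $sql = "SELECT id, name, email FROM users ORDER BY `$orderBy` $direction";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// The quote in the name needs no escaping on our side: the driver sends it as data.
print_r(findUsersByName($pdo, "O'Brien"));

// Column taken from a (constructed) request parameter, checked against the list.
print_r(listUsersSorted($pdo, 'age', 'desc'));
try {
    listUsersSorted($pdo, 'created_at', 'ASC'); // not on the list -> rejected
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

Keeping `ATTR_EMULATE_PREPARES` off makes PDO use the driver's native prepared statements, so the value and the SQL text travel separately; with MySQL this is the setting that makes rule 1 hold at the protocol level rather than by escaping.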
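The three output-context rules (htmlspecialchars(), json_encode(), urlencode()) applied to the same user-supplied value. This is an added example, not code from the original post; the input strings are constructed, and the helper names (`html`, `js`, `urlParam`) and the `JSON_HEX_*` flags are my additions. The point the list makes is that the encoding is chosen by where the data is going, not where it came from, so the same string is encoded three different ways.

```php
<?php
// Added example (not from the original post): one value, three destinations.
// Input values are constructed; helper names are assumptions.
declare(strict_types=1);

$comment = '<b>Tom & "Jerry"</b> </script>';  // constructed user input
$search  = 'café & bar?';                     // constructed user input

// 1. HTML context: every special character becomes an entity.
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 2. JavaScript context: json_encode() yields a JS literal. The JSON_HEX_* flags
//    additionally escape < > & ' " so the literal stays safe inside a <script> tag
//    even if the data contains "</script>".
function js(mixed $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// 3. URL context: each key and value is encoded separately, then joined.
function urlParam(string $key, string $value): string
{
    return urlencode($key) . '=' . urlencode($value);
}

// Same source data, three different encodings depending on the destination.
echo '<p>', html($comment), "</p>\n";
echo '<script>var comment = ', js($comment), ";</script>\n";
// The href is also HTML, so the URL-encoded query is HTML-encoded on top of that.
echo '<a href="', html('/search?' . urlParam('q', $search)), "\">search</a>\n";
```

The last line shows the rules stacking: a URL placed inside an HTML attribute is first URL-encoded (because it is a URL) and then HTML-encoded (because it sits in HTML); each layer is undone by the component that reads it.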
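A registration form handler that follows the remaining rules from the list together: CSRF token stored in the session and compared with the hidden field, password_hash(), a redirect followed by an explicit exit, system errors logged rather than displayed, and an uploaded file whose extension is checked against a list and which is stored under a server-generated name. This is an added example and not code from the original post; the function names, form field names and the `uploads` directory are assumptions, and the database insert is left as a comment pointing at the post's own prepared-statement rule.

```php
<?php
// Added example (not from the original post): form handling per the post's rules.
// Function names, field names and the upload directory are assumptions.
declare(strict_types=1);

ini_set('display_errors', '0'); // never show system errors to the visitor
ini_set('log_errors', '1');     // keep them in the server log for yourself
session_start();

// Token lives in the session; the hidden field carries a copy for the browser.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare submitted copy with the session copy (constant-time comparison).
function csrfValid(mixed $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Extension checked against a list; stored name and extension are generated
// by the server, so nothing from the client-supplied filename is kept.
function storeAvatar(array $file, string $dir): string
{
    $allowed = ['jpg' => 'jpg', 'jpeg' => 'jpg', 'png' => 'png', 'gif' => 'gif'];
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('File type not allowed');
    }
    $newName = bin2hex(random_bytes(16)) . '.' . $allowed[$ext];
    if (!move_uploaded_file($file['tmp_name'], $dir . '/' . $newName)) {
        throw new RuntimeException('Could not store file');
    }
    return $newName;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfValid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid form token');
    }
    $email = (string)($_POST['email'] ?? '');
    $hash  = password_hash((string)($_POST['password'] ?? ''), PASSWORD_DEFAULT);
    $avatar = null;
    if (!empty($_FILES['avatar']['name'])) {
        $avatar = storeAvatar($_FILES['avatar'], __DIR__ . '/uploads');
    }
    // Persist $email, $hash and $avatar through placeholders in a prepared
    // statement, as the post's SQL injection rules require.
    header('Location: /welcome.php');
    exit; // the Location header alone does not stop execution
}
?>
<form method="post" enctype="multipart/form-data">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') ?>">
  <input type="email" name="email" required>
  <input type="password" name="password" required>
  <input type="file" name="avatar" accept="image/*">
  <button type="submit">Register</button>
</form>
```

Storing uploads under a generated name also removes the need to trust `$_FILES['avatar']['type']`, which is the MIME type claimed by the browser and therefore one of the checks the post calls unreliable.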