It would be a hard decision for me to write down this essay.But I still want to express some security opinion and give the solution for some attack that I used to do.
SQL Injection
When I learned PHP last term, I just only finished a simple web application and ensured the ability it should have.But it is really dangerous leaving web application without any other defences.You see, something with SQL could be attacked by some sneaky tricks.
Considering a situation that I make a platform for users to join a competition, and at first they should apply but the privilege field in database that for users logining in platform is 0(same as false), I may change it to 1 few days later.
And if I design my table structure like this(I use mysql):
CREATE TABLE EXAMPLE (
ID INTEGER UNSIGNED NOT NULL AUTO_INCREMENT,
USERNAME VARCHAR(40) NOT NULL,
PASSWORD VARCHAR(40) NOT NULL,
PRIVILEGE TINYINT(1) DEFAULT 0,
PRIMARY KEY (ID)
);
And my form page receives datas which are posted and immediately inserted into database without any filter:
$username = $_POST['username'];
$pwd = $_POST['password'];
//..some database connection codes
$query = "INSERT INTO EXAMPLE VALUES('$username', '$pwd', 0)";
//$dbc is a mysql connection return
mysqli_query($dbc, $query);
//any other codes
If someone put passwor', 1) -- into password field, the sql query will be
INSERT INTO EXAMPLE VALUES('someone', 'password', 1) -- ', 0), and the double-hyphen comment causes the rest of the line of SQL code to be ignored!Hence,
his privilege will be 1.And this attack is known as an SQL Injection.
And something we could do to defense it is filter any datas that user can write into database, an example defence:
$username = mysqli_real_escape($dbc, trim($_POST['username']));
$pwd = mysqli_real_escape($dbc, trim($_POST['password']));
Sure, you can alse use regular expression to filter it.Besides, the privilege field could be designed to DEFAULT 0 so that it would not be inserted any more, or just revoke the INSERT privilege(field) privilege in mysql for users, like we will talk below.
Mysql privileges
Like some other man, I used Mysql as my database to store datas in my all project.
But I am not professional, just use it to combine with PHP.
I didn't care the mysql privileges when I executed a sql statement, just let it runned as I expected.
And now I realized the big potential problem that I have made. I didn't set privileges accurately for mysql users.
Above example again.This time we create another mysql user named user_example at begin.And we could set this mysql user only few privileges when users apply:
//[...] should be replaced depends on you
GRANT INSERT(`USERNAME`, `PASSWORD`) ON `[database]`.`EXAMPLE`
TO `user_example`@[ip_address];
Like this, users will not be able to do something like INSERT privilege field into database.And if you have a backstage to manage platform, you may also set the second mysql user privilege accurately, just use two mysql users and ensure their respective privilege in your web application, accurating privileges to your every table field.And it means a lot about security to your web application.
CSRF && Token defense
Cross-site request forgery, which exploits the trust that a site has in user's browser.
The attack works by including a link or script in a page that accesses a site to which the user is known (or is supposed) to have been authenticated.
I am sorry that I know little about it.But you could learn it more on wiki.Have fun!
End
Nothing is ever truly 100% secure, so we are always talking about degrees of security.The above three points may let you realize the security about your web application, and just try to make preventions to protect it!