Welcome to my Intro to Security in PHP tutorial.
Today, we will be going over some very common and easy-to-master tactics that novice to intermediate hackers learn
once they become serious about learning how to hack.
So, here's the agenda (it is in order from easiest to hardest):
General Tips on writing secure code
What is XSS?
Halting XSS with the "Escape" function
What is SQL Injection?
Stopping SQL Injection with the "mysqli_tgb" mysqli extension class
This is going to be a big tutorial, so get your drink, turn on some tunes and read away!
Alright, first on the agenda:
===
General Tips on Writing Secure Code
===
Here's a list of things to keep in mind when you code:
1. User Input ***CANNOT BE TRUSTED***
2. It is better to have longer code that you will understand in a year than having code that is short but isn't readable.
3. It is better to comment all over than to not comment at all. Trust me, if you comment, it will save your butt in the future (I know that one very well).
4. Filter in, escape out (you will learn about that one here in a second).
===
What is XSS?
===
XSS is Cross-Site Scripting. In easy terms, it is when user X writes JavaScript into your website's textbox; then, when user Y views the page, that JavaScript runs in user Y's browser.
This can create all kinds of chaos, like what happened to MySpace in 2005: http://en.wikipedia.org/wiki/Samy_(XSS)
This worm was really nasty! It started on the author's page. When someone viewed Samy Kamkar's page, their browser would automatically send him a friend request
and post "Samy is my hero" to their wall (or whatever MySpace called it), all without the user knowing. Whenever someone else viewed that wall, they got the same curse.
So, it spread like a tree: it started on Samy's wall, went to his girlfriend's and other friends' walls, then his friends of friends viewed his friends' walls, which carried the
same JavaScript.
Things could have been worse, though. You may know that javascript can redirect users to different pages.
So, the only way to stop it was to apply the technique I am about to show you to the actual PHP script that displayed the user's wall.
===
Halting XSS with the "Escape" function
===
XSS is horrible, as described in the last section. I will show you the function that "escapes" the output so this can't happen. It is up to you,
however, to call this function every time you display user-supplied output. I will also show an example.
Code:
// Turn every character that has a meaning in HTML into its entity, so the
// browser shows the text instead of interpreting it. ENT_QUOTES also covers
// single quotes, not only double quotes.
function escape($t) {
    return htmlentities($t, ENT_QUOTES);
}
So, & becomes &amp; and < becomes &lt; and > becomes &gt;. You get the point.
This also applies to the " quotation marks (" becomes &quot;) and, because of ENT_QUOTES, to ' as well.
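To see exactly what the function changes, here is an added example of mine (it is not code from the original post). It runs the tutorial's escape() over a few made-up inputs, shows the result in a text context and inside a single-quoted attribute, and puts ENT_COMPAT beside ENT_QUOTES so you can see why the single-quote case matters. The helper escape_compat() and the sample strings are this example's own.

```php
<?php
// Added example (not from the original post): running the tutorial's escape()
// over constructed inputs, in a text and an attribute context, and comparing
// ENT_QUOTES with ENT_COMPAT. Run with: php this_file.php
declare(strict_types=1);

// The tutorial's function, with the charset spelled out so the result does not
// depend on the default_charset setting in php.ini.
function escape(string $t): string {
    return htmlentities($t, ENT_QUOTES, 'UTF-8');
}

// Hypothetical variant used only for comparison: ENT_COMPAT converts double
// quotes but leaves single quotes alone.
function escape_compat(string $t): string {
    return htmlentities($t, ENT_COMPAT, 'UTF-8');
}

// Constructed inputs: the kind of text someone could type into the form.
$samples = [
    'plain text'            => 'Tom & Jerry <3',
    'script tag'            => '<script>alert(1)</script>',
    'double-quote breakout' => '" onmouseover="alert(1)',
    'single-quote breakout' => "' onmouseover='alert(1)",
];

foreach ($samples as $label => $raw) {
    $safe = escape($raw);
    echo $label, "\n";
    echo "  raw:             ", $raw, "\n";
    echo "  text context:    <p>", $safe, "</p>\n";
    // A single-quoted attribute: only ENT_QUOTES keeps the value inside the quotes.
    echo "  attr ENT_QUOTES: <input value='", $safe, "'>\n";
    echo "  attr ENT_COMPAT: <input value='", escape_compat($raw), "'>\n\n";
}

// Self-checks: each pair is (what we got, what htmlentities must produce).
$checks = [
    [escape('<'),  '&lt;'],
    [escape('>'),  '&gt;'],
    [escape('&'),  '&amp;'],
    [escape('"'),  '&quot;'],
    [escape("'"),  '&#039;'],   // ENT_QUOTES: single quote becomes a numeric entity
    [escape_compat("'"), "'"],  // ENT_COMPAT: single quote is left as-is
    [escape('<script>alert(1)</script>'), '&lt;script&gt;alert(1)&lt;/script&gt;'],
];
foreach ($checks as [$got, $want]) {
    if ($got !== $want) {
        throw new RuntimeException("expected {$want}, got {$got}");
    }
}
echo "all checks passed\n";
```

One caveat worth keeping in mind: this escaping makes a value safe between tags and inside a quoted attribute value. It does not make a value safe inside an unquoted attribute, inside an event handler like onclick, or as a whole href/src URL (a "javascript:" URL survives htmlentities untouched), so those spots need their own checks on top of escape().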
Here's a test example without the escape function, so you can see why it is useful (note that some browsers may detect an XSS attack and warn you; at least I know Chrome does, sometimes).
Code:
<html>
<body>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
    <input type="text" name="inp" />
    <input type="submit" value="Attempt XSS!" />
</form>
<?php if (isset($_POST['inp'])) {
    // The submitted text goes straight back into the page, untouched.
    echo $_POST['inp'];
} ?>
</body>
</html>
Now try submitting this in the textbox:
Code:
<a href="http://www.google.com/">Login to this Website!</a>
This link could take you to any site, but it doesn't have to take you to where it says it's taking you.
So, say I submitted the form with that link, and maybe made it more malicious; say it takes the user to a fake login page that dumps the user's credentials into a hacker's database (phishing).
The user clicks on the link, which is supposed to take them to a login page for this site, but it instead takes them to the malicious page. THIS IS BAD!
Here's how we fix that (there are other options, like BBCode, but I will get into those in another tutorial):
Code:
<?php
// added this function!
function escape($t) {
    return htmlentities($t, ENT_QUOTES);
}
?>
<html>
<body>
<!-- PHP_SELF reflects part of the request URL, so it is untrusted too and gets escaped -->
<form action="<?php echo escape($_SERVER['PHP_SELF']); ?>" method="post">
    <input type="text" name="inp" />
    <input type="submit" value="Attempt XSS!" />
</form>
<?php if (isset($_POST['inp'])) {
    // Added in here!
    echo escape($_POST['inp']);
} ?>
</body>
</html>
Try entering the same code and see what happens!
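Tip 4 at the top said "filter in, escape out", and the fixed script above only shows the "escape out" half. Here is an added example of mine (not code from the original post) that does both on a tiny message wall like the one in the Samy story: filter_message() decides on the way in whether a post is acceptable at all, and render_wall() escapes every untrusted value on the way out, whether it lands between tags or inside an attribute. The function names, the 200-character limit and the sample posts are this example's own assumptions; it runs from the command line with constructed data instead of a real form.

```php
<?php
// Added example, not part of the original tutorial: "filter in, escape out" on a
// small message wall. Names, limits and sample data are assumptions of this example.
// Run with: php this_file.php
declare(strict_types=1);

const MAX_MESSAGE_LENGTH = 200; // assumed limit for one post

// The tutorial's escape(), with the charset made explicit.
function escape(string $t): string {
    return htmlentities($t, ENT_QUOTES, 'UTF-8');
}

// FILTER IN: returns the cleaned message, or null if it must be rejected.
// This deliberately does NOT try to strip "dangerous" HTML; making the text
// harmless on the page is escape()'s job at output time.
function filter_message(string $raw): ?string {
    if (!mb_check_encoding($raw, 'UTF-8')) {
        return null;                                   // malformed bytes
    }
    $msg = trim($raw);
    if ($msg === '' || mb_strlen($msg, 'UTF-8') > MAX_MESSAGE_LENGTH) {
        return null;                                   // empty or too long
    }
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $msg)) {
        return null;                                   // control chars other than \t \n \r
    }
    return $msg;
}

// ESCAPE OUT: every untrusted value passes through escape(), including the
// form action (in a real page that is $_SERVER['PHP_SELF'], which reflects the URL).
function render_wall(array $messages, string $formAction): string {
    $html  = '<form action="' . escape($formAction) . '" method="post">' . "\n";
    $html .= '<input type="text" name="inp" maxlength="' . MAX_MESSAGE_LENGTH . '" />' . "\n";
    $html .= '<input type="submit" value="Post" />' . "\n</form>\n<ul>\n";
    foreach ($messages as $m) {
        // The author name is untrusted too: it is escaped in the attribute and in the text.
        $html .= '<li title="' . escape($m['author']) . '">'
               . escape($m['author']) . ': ' . escape($m['text']) . "</li>\n";
    }
    return $html . "</ul>\n";
}

// Constructed sample posts: a normal one, one trying the tricks from this tutorial,
// and two that the input filter should refuse.
$incoming = [
    ['author' => 'alice', 'text' => 'Hello wall!'],
    ['author' => 'samy" onmouseover="alert(1)', 'text' => '<script>alert("hero")</script>'],
    ['author' => 'bob',   'text' => '   '],                 // empty after trim
    ['author' => 'eve',   'text' => str_repeat('A', 500)],  // over the limit
];

$stored = [];
foreach ($incoming as $post) {
    $text = filter_message($post['text']);
    if ($text === null) {
        continue;                                          // refused on the way in
    }
    $stored[] = ['author' => $post['author'], 'text' => $text];
}

// A constructed form action that carries HTML, to show the escaping of PHP_SELF.
$page = render_wall($stored, '/wall.php"><script>alert(1)</script>');
echo $page;

// Self-checks: nothing from the inputs reaches the page as live markup,
// and exactly the two acceptable posts were stored.
if (strpos($page, '<script') !== false || strpos($page, '" onmouseover=') !== false) {
    throw new RuntimeException('unescaped input reached the page');
}
if (count($stored) !== 2) {
    throw new RuntimeException('filter_message accepted a post it should have refused');
}
echo "all checks passed\n";
```

In the real form version you would pass $_POST['inp'] to filter_message(), store the result, and call render_wall() with $_SERVER['PHP_SELF'] as the action. Notice that the filter never looks for "bad" tags: the samy post is stored exactly as typed and becomes harmless only because the output is escaped, which is the point of keeping the two halves separate.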
Thanks For Reading!
Luke