Guide to using PHP sanitize functions
Posted: 03/12/2022
Potential security threats

There are basically two groups of people who can attack your system.
PHP Application Security Best Practices

Let's now look at some of the PHP security best practices that we must consider when developing our applications.

PHP strip_tags

The strip_tags function removes HTML, JavaScript or PHP tags from a string. It is useful when we have to protect our application against attacks such as cross-site scripting. Let's consider an application that accepts comments from users. The tags inside the PHP strings below were dropped when this page was extracted and have been restored:

    <?php
    // The tag wrapping the title was lost in extraction; <h1> is assumed
    $user_input = "<h1>My Commenting System</h1>";
    echo $user_input;
    ?>

Assuming you have saved comments.php in the phptuts folder, browse to the URL http://localhost/phptuts/comments.php. Let's assume you receive the following as the user input:

    <script>alert('Your site sucks!');</script>

    <?php
    $user_input = "<script>alert('Your site sucks!');</script>";
    echo $user_input;   // echoes the script tag straight back into the page
    ?>

Browse to the URL http://localhost/phptuts/comments.php. Let's now secure our application from such attacks using the strip_tags function:

    <?php
    $user_input = "<script>alert('Your site sucks!');</script>";
    echo strip_tags($user_input);   // the tags are removed, only the text remains
    ?>

Browse to the URL http://localhost/phptuts/comments.php.

PHP filter_var function

The filter_var function is used to validate and sanitize data. Validation checks whether the data is of the right type; a numeric validation check on a non-numeric string returns false. Sanitization removes illegal characters from a string. See the PHP manual entry for filter_var for the complete reference. The code below is for the commenting system. It uses the filter_var function with the FILTER_SANITIZE_STRIPPED constant to strip tags:

    <?php
    $user_input = "<script>alert('Your site sucks!');</script>";
    echo filter_var($user_input, FILTER_SANITIZE_STRIPPED);
    ?>

Output:

    alert('Your site sucks!');

mysql_real_escape_string function

This function is used to protect an application against SQL injection. Let's suppose that we have the following SQL statement for validating the user id and password, with both values taken straight from the form fields (the statement itself did not survive on this page; its shape follows from the results below):

    SELECT uid,pwd,role FROM users WHERE uid = '$uid' AND password = '$pwd';

A malicious user can enter the following in the user id text box:

    ' OR 1 = 1 --

and 1234 in the password text box. Let's code the authentication module. The end result will be:

    SELECT uid,pwd,role FROM users WHERE uid = '' OR 1 = 1 -- ' AND password = '1234';

The quote closes the uid string early, OR 1 = 1 makes the condition true for every row, and the -- turns the rest of the line, including the password check, into a comment.
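The authentication module the text says it will code is absent from this page. The following is an added example (not the tutorial's own code) that runs the same query both ways against a constructed in-memory SQLite table through PDO: concatenated as the tutorial does, and as a prepared statement, which is the technique swapped in here because mysql_real_escape_string belongs to the mysql extension that PHP 7.0 removed. The table layout, its single row and the pwd column name are assumptions.

```php
<?php
// Constructed stand-in for the tutorial's MySQL users table: an in-memory SQLite
// database reached through PDO, so the script runs without a database server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (uid TEXT, pwd TEXT, role TEXT)");
$db->exec("INSERT INTO users VALUES ('alice', 's3cret', 'admin')");

// Vulnerable form: the form fields are spliced into the SQL text, exactly as the
// tutorial's concatenated query does.
function login_unsafe(PDO $db, string $uid, string $pwd): array
{
    $sql = "SELECT uid,pwd,role FROM users WHERE uid = '$uid' AND pwd = '$pwd'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: a prepared statement with named placeholders. The values travel
// as data, so the quote and the -- in the attacker's input cannot alter the query.
function login_safe(PDO $db, string $uid, string $pwd): array
{
    $stmt = $db->prepare("SELECT uid,pwd,role FROM users WHERE uid = :uid AND pwd = :pwd");
    $stmt->execute([':uid' => $uid, ':pwd' => $pwd]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The tutorial's input: ' OR 1 = 1 -- in the user id box and 1234 in the password box.
$uid = "' OR 1 = 1 -- ";
$pwd = "1234";

// With concatenation the query reads ... WHERE uid = '' OR 1 = 1 -- ' AND pwd = '1234';
// the comment marker swallows the password clause and every user row matches.
$rows = login_unsafe($db, $uid, $pwd);
echo "concatenated query: " . count($rows) . " row(s), first role: "
    . ($rows[0]['role'] ?? 'none') . "\n";

// With the prepared statement the whole input is compared against uid as one literal
// value, so no row matches and the login fails as it should.
$rows = login_safe($db, $uid, $pwd);
echo "prepared statement: " . count($rows) . " row(s)\n";
```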
If the inputs are passed through mysql_real_escape_string before being concatenated into the query, the query becomes:

    SELECT uid,pwd,role FROM users WHERE uid = '\' OR 1 = 1 -- ' AND password = '1234';

Note the second single quote has been escaped for us; it will be treated as part of the user id, and the password clause won't be commented out.

PHP md5 and PHP sha1

md5 is the acronym for Message Digest 5 and sha1 is the acronym for Secure Hash Algorithm 1. They are both used to hash strings; once a string has been hashed, it is hard to recover the original from the hash. md5 and sha1 are very useful when storing passwords in the database. The tutorial's hashes.php script applies md5() and sha1() to a password string. Assuming you have saved the file hashes.php in the phptuts folder, browse to its URL. As the resulting hashes show, if an attacker gained access to your database, they still wouldn't know the passwords needed to log in.

Summary