SQL injection

SQL injection is an attack that alters the SQL a program executes by supplying SQL fragments in form fields or other user-controlled input.

Ways to prevent

  • Use mysql_real_escape_string() or addslashes() to escape data (note that the mysql extension, and with it mysql_real_escape_string(), was removed in PHP 7; mysqli_real_escape_string() remains, but prepared statements are the better choice)
  • Manually check that each piece of data has the expected data type
  • Use prepared statements with bound parameters
  • Keep data separate from SQL logic
  • Prepared statements handle escaping automatically
  • Adopting this as a coding standard helps newcomers to your team avoid these problems

Prepared statements have two main advantages over directly executing SQL statements:

  • A prepared statement is parsed only once, which greatly reduces analysis time even when the statement is executed many times.
  • Binding parameters reduces server bandwidth, because only the parameter values are sent for each execution, not the whole statement.
  • Prepared statements also help against SQL injection, because parameter values are sent to the server separately from the statement text (through a different part of the protocol), so they are always treated as data.

In PHP, there are two main ways to use prepared statements:

  • Use the mysqli extension
  • Use the PDOStatement class

A query needs to be parsed (prepared) only once, but can be executed multiple times with the same or different parameters. When the query is prepared, the database analyzes, compiles, and optimizes its plan for executing it. For complex queries this can take a lot of time and slow down your application if you repeat the same query with different parameters many times. With a prepared statement you avoid repeating the analysis, compilation, and optimization. Simply put, prepared statements use fewer resources and execute faster.
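The following is an added example, not code from the original article: the string-building pattern that is open to injection beside the two prepared-statement APIs the article names (PDO and mysqli), plus the manual type check it recommends for numeric input. It assumes a MySQL table `users(id INT, name VARCHAR(64))`, placeholder connection parameters, and (for `get_result()`) the mysqlnd driver; all of those are assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not from the original article). Assumed schema:
//   users(id INT, name VARCHAR(64))
// The DSN and credentials below are placeholders.
$dsn  = 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4';
$user = 'app';
$pass = 'secret';

// --- VULNERABLE: user input is pasted into the SQL text -------------------
// A name such as  x' OR '1'='1  closes the quoted literal and changes the
// WHERE clause, so every row comes back. Quoting in the SQL string does not help.
function findUserUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// --- SAFE (PDO): prepare once, bind the value ----------------------------
// The value travels to the server separately from the statement text, so it
// can only be compared as data and is never parsed as part of the query.
function findUserPdo(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- SAFE (mysqli): the same idea with the mysqli extension ----------------
function findUserMysqli(mysqli $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->bind_param('s', $name);               // 's' = one string placeholder
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // needs mysqlnd (assumed)
}

// --- Numeric input: check the type yourself, as the article advises --------
// Binding with PDO::PARAM_INT is still used, but rejecting anything that is
// not a plain integer first means the value never reaches the driver at all.
function findUserById(PDO $db, string $rawId): ?array
{
    if (!ctype_digit($rawId)) {
        return null;                             // not a non-negative integer: refuse
    }
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = new PDO($dsn, $user, $pass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,         // real server-side prepared statements
]);

// One prepared statement reused with several parameter sets, as the article describes.
$stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
foreach (['alice', "x' OR '1'='1"] as $name) {
    $stmt->execute([':name' => $name]);
    printf("%-16s -> %d row(s)\n", $name, count($stmt->fetchAll(PDO::FETCH_ASSOC)));
}
```

With the prepared statement, the second loop iteration returns only rows whose name is literally the string `x' OR '1'='1` (normally none); the same input passed through findUserUnsafe() would match every row. Setting PDO::ATTR_EMULATE_PREPARES to false makes PDO use the server's own prepare/execute protocol rather than client-side quoting.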

Server measures

  • The magic_quotes_gpc option is enabled on most virtual hosts. In that case all client GET and POST data is automatically passed through addslashes(), so SQL injection through string values is not feasible. Numeric values still have to be protected separately, for example by casting with intval(). If you are writing general-purpose software, you need to read the magic_quotes_gpc setting from the server and handle both cases. (magic_quotes_gpc was deprecated in PHP 5.3 and removed in PHP 5.4, so this measure only applies to legacy servers.)

XSS attacks

XSS (cross-site scripting) is an attack in which a user enters data containing client-side script (usually JavaScript) into your site. If you output that data on another web page without filtering it, the script is executed in the visitor's browser.

Ways to prevent

Use htmlspecialchars() to escape characters that are special in HTML, including single and double quotes.

Pay attention to the second argument of htmlspecialchars(). If you call htmlspecialchars($string) with one argument, the second argument defaults to ENT_COMPAT, which converts double quotes (") but does not escape single quotes ('). (Since PHP 8.1 the default is ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, so this only affects older versions.)

So htmlspecialchars() is usually called with an explicit second argument: htmlspecialchars($string, ENT_QUOTES). If you do not want quotes converted at all, use htmlspecialchars($string, ENT_NOQUOTES).

In addition, use htmlentities() as little as possible. For English (ASCII) text, htmlentities() and htmlspecialchars() produce the same result. For Chinese text, however, htmlentities() converts every character that has an HTML entity equivalent, and any Chinese characters it cannot recognise (for example when the charset argument does not match the data) come out garbled.

Neither htmlentities() nor htmlspecialchars() neutralises a single quote (') as far as SQL is concerned: it is at most turned into an HTML entity. So they only prevent XSS attacks, not SQL injection.
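As an added example (not from the original article), the block below wraps htmlspecialchars() in a small output-escaping helper and shows the difference between the ENT_COMPAT default the article warns about and ENT_QUOTES, using a constructed input placed inside a single-quoted attribute. It also runs both functions over Chinese text with an explicit UTF-8 charset. The helper name e() and the sample strings are assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not from the original article). All input below is constructed.

/**
 * Escape a value for insertion into HTML text or a quoted attribute.
 * ENT_QUOTES converts both " and ', ENT_SUBSTITUTE replaces invalid UTF-8
 * sequences with U+FFFD instead of returning an empty string, and the explicit
 * charset keeps multi-byte (e.g. Chinese) text intact.
 */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed user-supplied value that tries to close a single-quoted attribute.
$untrusted = "' onmouseover='alert(1)";

// ENT_COMPAT (the pre-8.1 default): only &, <, > and " are converted, so the
// single quote survives, the attribute ends early and the rest of the input
// becomes part of the tag.
$compat = htmlspecialchars($untrusted, ENT_COMPAT, 'UTF-8');
echo "ENT_COMPAT : <input value='$compat'>\n";

// ENT_QUOTES: the single quote becomes &#039; and stays inside the attribute as data.
echo "ENT_QUOTES : <input value='" . e($untrusted) . "'>\n";

// htmlentities() vs htmlspecialchars() on Chinese text with a declared UTF-8 charset.
// With the charset stated correctly both leave the Chinese characters alone; the
// garbling the article describes appears when the charset does not match the data.
$zh = '你好 <b>world</b>';
echo "specialchars: ", htmlspecialchars($zh, ENT_QUOTES, 'UTF-8'), "\n";
echo "entities    : ", htmlentities($zh, ENT_QUOTES, 'UTF-8'), "\n";

// Neither function does anything for SQL: the quote is either left alone
// (ENT_COMPAT) or turned into an entity that the database would store literally.
echo "for SQL     : ", e("O'Brien"), "\n"; // still not a substitute for a bound parameter
```

Running it with the ENT_COMPAT line shows the attribute closing after an empty value, while the ENT_QUOTES line keeps the whole input inside value='...'. Always pass ENT_QUOTES (or use a helper like e()) when writing into attributes, and keep the charset argument in sync with the page's actual encoding.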

Code injection

Code injection occurs when a program processes invalid data in a way that lets an attacker execute arbitrary code, usually through file inclusion. Poorly written code can allow a remote file to be included and executed: many PHP functions, such as require, accept URLs as well as file names.

Ways to prevent

  • Filter user input (for example, only accept values from a fixed list of known file names)

  • Set allow_url_fopen and allow_url_include to Off in php.ini. This disables remote files for require/include/fopen.
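The block below is an added example, not code from the original article. It puts the include pattern the article describes as dangerous next to a version that maps the request parameter onto a fixed list of files, and adds a startup check of the two php.ini directives the article names. The template paths, the PAGES constant and the function names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not from the original article). Template paths are placeholders.

// --- VULNERABLE: the request parameter decides which file is included ------
// The client chooses the file name, and with allow_url_include on it can even
// be a URL, so whatever that file contains is executed by this process.
function renderUnsafe(string $page): void
{
    include 'templates/' . $page . '.php';
}

// --- SAFE: map the request parameter onto a fixed set of known files --------
const PAGES = [
    'home'    => 'templates/home.php',
    'about'   => 'templates/about.php',
    'contact' => 'templates/contact.php',
];

function renderSafe(string $page): void
{
    if (!array_key_exists($page, PAGES)) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include PAGES[$page];   // only paths written in this file ever reach include
}

// --- Defence in depth: confirm the php.ini settings the article recommends ---
// allow_url_include and allow_url_fopen are PHP_INI_SYSTEM directives, so they
// cannot be switched off with ini_set() from a script; this only reports a
// misconfiguration so it can be fixed in php.ini.
function checkIncludeSettings(): array
{
    $problems = [];
    foreach (['allow_url_include', 'allow_url_fopen'] as $directive) {
        if (filter_var(ini_get($directive), FILTER_VALIDATE_BOOLEAN)) {
            $problems[] = "$directive is On; set it to Off in php.ini";
        }
    }
    return $problems;
}

foreach (checkIncludeSettings() as $warning) {
    error_log($warning);
}

$page = $_GET['page'] ?? 'home';
renderSafe(is_string($page) ? $page : 'home');
```

The allowlist is the real fix: the include target is never built from user data, so the php.ini directives become a second layer rather than the only one. checkIncludeSettings() returns an empty array on a correctly configured server and one message per directive that is still enabled.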

Original address: Segmentfault.com/a/119000001…