Preventing SQL Injection


Preventing SQL Injection

~ example of SQL injection

The PHP below builds the query by splicing form fields straight into the SQL string:

    $user = $_POST['user'];
    $pass = $_POST['pass'];
    $query = "DELETE FROM Users WHERE user = '$user' AND pass = '$pass'";

Someone enters the user name

    anything' or 1=1#

and the statement that reaches MySQL becomes

    DELETE FROM Users WHERE user = 'anything' OR 1=1#' AND pass = ''

The single quote closes the string literal, OR 1=1 makes the WHERE clause true for every row, and # starts a MySQL comment that discards the rest of the statement, password check included. The result: every row in the Users table is deleted.

~ how to prevent injection

The helper function used here first removes any magic quotes that PHP added to a user-supplied string and then escapes it properly for MySQL. Magic quotes were a built-in PHP feature that automatically escaped characters such as single and double quotes by prefacing them with a backslash (\). Relying on them is fragile: the feature was deprecated in PHP 5.3 and removed in 5.4, so the same code behaves differently depending on the PHP version and configuration, and manual escaping is only correct when it matches the connection's character set. Placeholders (prepared statements) avoid both problems.

Using Placeholders

The idea is to predefine the query with ? characters where the data will appear, and then, instead of sending a MySQL query string directly, execute the predefined statement with the data values bound to the placeholders. The statement text is fixed at prepare time and the values travel separately, so every item of data is treated purely as a value to compare or insert and can never be interpreted as part of the SQL. Once you have prepared a statement you can execute it as often as you wish, with different bound values each time, until you deallocate it.

~ using placeholders with PHP

Preventing HTML Injection

HTML injection occurs when you allow a user to enter HTML and then display it back unchanged on your website. One of the most common threats is that a malicious user supplies script that steals cookies from your site's other users; this is cross-site scripting (XSS). Prevent it by passing any user-supplied text through htmlentities() (or htmlspecialchars()) before output. These functions do not strip HTML markup; they convert the characters that have special meaning in HTML, such as <, >, & and, with ENT_QUOTES, quotation marks, into their entity equivalents, so the browser displays them as literal characters instead of acting on them as markup. Always pass the page's character set (for example 'UTF-8') so the encoding is unambiguous.

~ example for preventing both SQL and XSS injections
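The following is an added example, not code from the original slides: it puts the vulnerable DELETE query from the first slide beside a version that uses mysqli prepared statements with ? placeholders for the database and htmlspecialchars() for anything echoed back into the page. The database name 'app', the table Users(user, pass), and the connection credentials are assumptions chosen for the illustration.

```php
<?php
// Added example (not from the original slides). Assumes a MySQL database 'app'
// with a table Users(user VARCHAR, pass VARCHAR); host and credentials below are
// placeholders. Real code would compare a password hash, not the plaintext.
declare(strict_types=1);

// VULNERABLE (as on the slide): user data is spliced into the SQL text, so
// user = "anything' OR 1=1#" turns the statement into
//   DELETE FROM Users WHERE user = 'anything' OR 1=1#' AND pass = ''
// and every row in Users is deleted.
function deleteUserVulnerable(mysqli $db, string $user, string $pass): void
{
    $query = "DELETE FROM Users WHERE user = '$user' AND pass = '$pass'";
    $db->query($query);
}

// SAFE: the statement text is fixed at prepare time; the two values are sent
// separately and can only ever be compared as data, never parsed as SQL.
// Returns the number of rows actually deleted.
function deleteUserSafe(mysqli $db, string $user, string $pass): int
{
    $stmt = $db->prepare('DELETE FROM Users WHERE user = ? AND pass = ?');
    $stmt->bind_param('ss', $user, $pass);   // 's' = bind as string
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Throw on any MySQL error instead of silently continuing with a bad query.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'app_user', 'app_password', 'app');
// Tell the driver the connection charset; escaping and placeholders both rely on it.
$db->set_charset('utf8mb4');

$user = $_POST['user'] ?? '';
$pass = $_POST['pass'] ?? '';

// With the slide's payload in $user this deletes zero rows: MySQL looks for a
// user literally named "anything' or 1=1#".
$deleted = deleteUserSafe($db, $user, $pass);

// Output side (HTML injection / XSS): never echo user-controlled strings raw.
// ENT_QUOTES encodes both ' and ", so the value is also safe inside a quoted
// attribute; the explicit charset removes any encoding ambiguity.
$safeUser = htmlspecialchars($user, ENT_QUOTES | ENT_HTML5, 'UTF-8');
echo "<p>Removed {$deleted} account(s) matching <b>{$safeUser}</b></p>";
```

The two functions take identical arguments so the difference is purely in how the query is built: string interpolation hands the attacker control of the statement's structure, whereas bind_param() hands the server values that can only ever be compared. The same rule applies on the way out: the escaping belongs at the point where the string is written into HTML, not where it was read from the form.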