
PHP Error Handling & Reporting

Error Handling
Never allow the default error message or error number returned by mysql_error() and mysql_errno() (or their current equivalents mysqli_error()/mysqli_errno() and PDO's errorInfo(); the mysql_* extension was removed in PHP 7.0) to be displayed to the public. Any error message shown to visitors should be customised: confidential information stripped out and the wording made user-friendly.

The text these functions return can reveal table and column names, the fragment of SQL that failed, and the database version. That is exactly the information an attacker probing for SQL injection wants, so a verbose error page turns blind guessing into an informed attack.

In a production environment, scripts should display a user-friendly custom error message that reveals nothing about the PHP scripting engine or the MySQL database. A script can write the real error code and message to a log file in a secure area (a directory outside the publicly accessible web root) so developers still see the detail.
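The pattern the slide describes, as an added example that is not part of the original presentation: a mysqli query that logs the real error number and message to a file outside the web root and shows the visitor only a generic message with a lookup reference. The database name, credentials, table "users", and the log path /var/log/app/db-errors.log are assumptions for the example.

```php
<?php
// Added example, not from the original slides.
// Assumptions: a MySQL database "appdb" with a table "users" (id, email), a
// user "app"/"secret", and a log file /var/log/app/db-errors.log that lies
// outside the document root and is writable by the web server user.

declare(strict_types=1);

// Production settings: never render errors into the response, always log them.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/app/db-errors.log');

// Make mysqli throw mysqli_sql_exception instead of emitting warnings, so every
// failure reaches exactly one catch block and cannot slip out as a default message.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function findUserByEmail(mysqli $db, string $email): ?array
{
    // Prepared statement: the e-mail is bound as data, never concatenated into SQL.
    $stmt = $db->prepare('SELECT id, email FROM users WHERE email = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($id, $mail);           // bind_result needs no mysqlnd, unlike get_result()
    $row = $stmt->fetch() ? ['id' => $id, 'email' => $mail] : null;
    $stmt->close();
    return $row;
}

try {
    $db   = new mysqli('localhost', 'app', 'secret', 'appdb');
    $user = findUserByEmail($db, (string) ($_GET['email'] ?? ''));
    echo $user ? 'Account found.' : 'No such account.';
} catch (mysqli_sql_exception $e) {
    // The real errno and message (table names, driver version, the SQL that
    // failed) go to the log only. $e->getCode() is the MySQL error number.
    $ref = bin2hex(random_bytes(4));          // short reference so support can find the log entry
    error_log(sprintf('[%s] MySQL error %d: %s (%s:%d)',
        $ref, $e->getCode(), $e->getMessage(), $e->getFile(), $e->getLine()));
    http_response_code(500);
    // The visitor sees a generic message plus the reference, never the cause.
    echo 'Sorry, something went wrong. Reference: ' . htmlspecialchars($ref, ENT_QUOTES, 'UTF-8');
}
```

With MYSQLI_REPORT_STRICT the connection failure in `new mysqli(...)` is also turned into an exception, so a wrong password or a down database server lands in the same catch block instead of printing "Access denied for user ..." with the username to the browser.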

Default error messages
In this example an attempt is made to divide by 0 (impossible), and an error message appears when the script runs (the division is a runtime failure, not a parse error). In PHP 5 and 7 this is a warning of the form "Warning: Division by zero in <full path to the script> on line N"; in PHP 8 the division throws a DivisionByZeroError, and if it is not caught PHP prints an "Uncaught DivisionByZeroError" message of the same shape. Either way, with display_errors enabled the message exposes the location of the file in the server's directory structure to visitors, and therefore to any attacker mapping the server.

set_error_handler() function
A customised error function produces a less intrusive error message and hides confidential information (file paths, line numbers, engine internals) from potential attackers. The set_error_handler() function registers a callback that PHP invokes instead of its default reporting for warnings and notices; the callback can log the full detail and print a friendly message. It does not see fatal errors, nor the Error exceptions that PHP 7 and later throw for failures such as division by zero; those need set_exception_handler() (and a shutdown function for fatals) so that they, too, never print a raw message.
Screen output: [screenshot in the original slide, not transcribed]

Error Reporting Level
Setting the error reporting level to 0 with error_reporting(0) switches error reporting off. In this example 3 is divided by 0, which would normally produce an error; because the reporting level is 0, the error message is not shown. The calculation still does not succeed: suppressing the report does not make the operation valid. In PHP 5 the expression returns false, in PHP 7 it returns INF with the warning silenced, and in PHP 8 it throws a DivisionByZeroError, which error_reporting(0) does not stop (it only hides the resulting "Uncaught" message), so the script terminates. error_reporting(0) also hides the problem from the developer; the better production setting is to keep error_reporting at E_ALL, set display_errors to Off and log_errors to On, so errors are recorded but never shown.

What to do with error information?
- Save the error to a database or to a local text file (outside the web root)
- Redirect the user to another page
- Provide a user-friendly customised error message so visitors are not put off the website
- Store the date/time of the error
- Write a script that e-mails errors to the webmaster

Best practices?
- Always avoid errors being displayed in the live (public) environment: display_errors must be off in production
- If errors occur when the script runs, make sure they are logged somewhere secure (log_errors on, error_log pointing at a file the web server cannot serve)
- Best practice is to avoid errors occurring in the first place: develop with error_reporting(E_ALL) and display_errors on so nothing is hidden from you
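The slides on default error messages, set_error_handler(), the error reporting level and what to do with error information all describe one production setup. As an added example that is not part of the original presentation, here it is end to end, driven by the slides' own divide-by-zero case. The log path /var/log/app/php-errors.log is an assumption; everything else uses standard PHP functions and works on PHP 7.0 and later.

```php
<?php
// Added example, not from the original slides.
// Assumption: /var/log/app exists outside the document root and is writable
// by the web server user.

declare(strict_types=1);

// 1. Report everything internally, display nothing, log everything.
//    This replaces error_reporting(0), which would hide problems from us too.
error_reporting(E_ALL);
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/app/php-errors.log');

function newReference(): string
{
    return bin2hex(random_bytes(4));   // quoted to the user, searchable in the log
}

// Generic page for the visitor; path, line and message stay in the log.
function showFriendlyError(string $ref): void
{
    if (!headers_sent()) {
        http_response_code(500);
    }
    echo '<p>Sorry, an error occurred. Please try again later. '
       . 'Reference: ' . htmlspecialchars($ref, ENT_QUOTES, 'UTF-8') . '</p>';
}

// 2. Warnings and notices (e.g. "Division by zero" on PHP 7, "Undefined index")
//    reach this handler instead of the screen.
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    if (!(error_reporting() & $errno)) {
        return false;   // silenced with @ or excluded by error_reporting(): leave it to PHP
    }
    $ref = newReference();
    error_log(sprintf('[%s] PHP error %d: %s in %s:%d', $ref, $errno, $errstr, $errfile, $errline));
    if ($errno & (E_NOTICE | E_USER_NOTICE | E_DEPRECATED | E_USER_DEPRECATED)) {
        return true;    // logged; the script may carry on
    }
    showFriendlyError($ref);   // warnings: the result is unusable, stop cleanly
    exit(1);
});

// 3. On PHP 8, 3 / 0 throws DivisionByZeroError (an Error, not a warning). An
//    uncaught one would print the file path when display_errors is on.
set_exception_handler(function (Throwable $t): void {
    $ref = newReference();
    error_log(sprintf('[%s] Uncaught %s: %s in %s:%d', $ref, get_class($t),
        $t->getMessage(), $t->getFile(), $t->getLine()));
    showFriendlyError($ref);
    exit(1);
});

// 4. Fatal errors bypass set_error_handler(); catch the last one at shutdown so
//    even those never render a raw message.
register_shutdown_function(function (): void {
    $err = error_get_last();
    if ($err !== null && in_array($err['type'], [E_ERROR, E_PARSE, E_CORE_ERROR, E_COMPILE_ERROR], true)) {
        $ref = newReference();
        error_log(sprintf('[%s] Fatal: %s in %s:%d', $ref, $err['message'], $err['file'], $err['line']));
        showFriendlyError($ref);
    }
});

// The slides' example. Warning on PHP 7, DivisionByZeroError on PHP 8; either way
// the visitor sees the friendly page and the full detail lands in the log.
$result = 3 / 0;
echo "Result: $result";
```

The handler returns false for errors that error_reporting() excludes so that PHP's own bookkeeping (and the `@` operator) keeps working, and it distinguishes notices, which are logged and allowed to continue, from warnings, after which the script's result is not trustworthy and a clean stop with a reference number is safer than carrying on.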

Form Validation
Validate user input: this reduces the risk of being hacked. PHP scripts that validate user input run server-side and are the only checks that can be trusted; JavaScript form validation is a convenience for the user, not a security control. JavaScript can be turned off in the browser, and an attacker does not need a browser at all: a request crafted with curl or an intercepting proxy skips the client-side script entirely and sends whatever values it likes.

htmlspecialchars()
The htmlspecialchars() function converts special characters to HTML entities: it replaces < and > with &lt; and &gt;, & with &amp;, and (with the ENT_QUOTES flag) " and ' with &quot; and &#039;. Output that has been through it is rendered by the browser as literal text, so an attacker who submitted HTML or JavaScript through a form cannot get it executed when the value is echoed back (a Cross-site Scripting attack). Always pass ENT_QUOTES and the page's character set, e.g. htmlspecialchars($s, ENT_QUOTES, 'UTF-8'), so the value is also safe inside a quoted attribute. It protects HTML text and attribute contexts only; a value placed inside a <script> block, a URL or a CSS rule needs escaping suited to that context.

File uploads
To prevent the user uploading a file such as an executable, or any file that could be a security risk, add an IF statement that validates the upload before accepting it. For example, restrict the user to uploading only GIF or JPG files. To use "or" in the condition, use the || characters. Do not base the check on the file extension or on $_FILES['...']['type'] alone: both come from the client and can say anything, so inspect the file's actual content (finfo / getimagesize), give the stored file a name and extension you choose, and store it outside the web root so it can never be executed by the web server.
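An upload check of the kind the slide describes, as an added example that is not part of the original presentation. It accepts only GIF and JPEG images and goes beyond the extension test: the form field name "photo", the storage directory /var/app/uploads and the 2 MB limit are assumptions; the functions used (finfo, getimagesize, is_uploaded_file, move_uploaded_file) are standard PHP.

```php
<?php
// Added example, not from the original slides.
// Assumptions: <input type="file" name="photo"> in the form, a directory
// /var/app/uploads outside the document root that the web server can write to,
// and the fileinfo extension (enabled by default).

declare(strict_types=1);

const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;   // 2 MB, our own limit independent of php.ini

// Allow-list of real content types and the extension we give the stored file.
// The client's filename is never reused, so it cannot smuggle in ".php".
const ALLOWED_TYPES = [
    'image/gif'  => 'gif',
    'image/jpeg' => 'jpg',
];

/**
 * Validates one entry of $_FILES and stores it. Returns the stored path.
 * InvalidArgumentException messages are safe to show to the user;
 * RuntimeException means a server-side problem that belongs in the log.
 */
function acceptImageUpload(array $file, string $destDir): string
{
    // 1. PHP-level upload errors (php.ini size limits, partial upload, no file).
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new InvalidArgumentException('Upload failed.');
    }
    // 2. Size, before we spend any time parsing the file.
    if ($file['size'] > MAX_UPLOAD_BYTES) {
        throw new InvalidArgumentException('File is too large.');
    }
    // 3. Must really be a file PHP received over HTTP, not an arbitrary path.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new InvalidArgumentException('Invalid upload.');
    }
    // 4. Sniff the real type from the bytes; $file['type'] comes from the
    //    browser and is ignored. isset() on the allow-list replaces a chain of ||.
    $mime = (string) (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new InvalidArgumentException('Only GIF and JPEG images are accepted.');
    }
    // 5. It must also parse as an image of that same type.
    $info = getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new InvalidArgumentException('The file is not a valid image.');
    }
    // 6. Server-chosen random name, extension from the sniffed type, stored
    //    outside the web root so the web server can never execute it.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('move_uploaded_file failed for ' . $dest);
    }
    return $dest;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['photo'])) {
    try {
        acceptImageUpload($_FILES['photo'], '/var/app/uploads');
        echo 'Upload accepted.';
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        error_log('upload: ' . $e->getMessage());   // detail to the log, not the visitor
        http_response_code(500);
        echo 'Upload could not be processed.';
    }
}
```

A valid GIF or JPEG header followed by PHP code passes both the finfo and getimagesize checks, which is why steps 4 and 5 are not the whole defence: the file is stored under a server-chosen name, with an image extension, in a directory the web server does not execute scripts from, and is served back (if at all) by a script that sets the Content-Type itself.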

Error Control
Place the @ operator in front of an expression to tell PHP to suppress any error it raises. For example, if the user has not filled in their name on a form, the variable $name (or the index $_POST['name']) will not exist, and reading it produces a notice; @ hides that notice. Use it sparingly: @ silences every error from the expression, including ones you would want logged, and it does not make the value exist. For a possibly missing form field the explicit forms isset($_POST['name']) or $_POST['name'] ?? '' are clearer and hide nothing else.
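The Form Validation, htmlspecialchars() and Error Control slides fit together in one form handler. As an added example that is not part of the original presentation, this validates a contact form server-side, reads fields with ?? instead of @, and escapes everything it echoes back. The field names "name", "email" and "age" and the age range are assumptions; it needs PHP 7.1 or later for the list assignment.

```php
<?php
// Added example, not from the original slides.
// Assumption: an HTML form that POSTs the fields "name", "email" and "age".

declare(strict_types=1);

/**
 * Validate the raw $_POST array. Returns [cleanValues, errors]; errors is
 * empty when the input is acceptable. Nothing here trusts the browser's checks.
 */
function validateContactForm(array $post): array
{
    $errors = [];
    $clean  = [];

    // `?? ''` supplies a default for a missing field without a notice. This is
    // what @$post['name'] is usually reached for, but it hides nothing else.
    $name = trim((string) ($post['name'] ?? ''));
    // Allow-list: letters in any script, spaces, apostrophes, hyphens; 1-60 chars.
    if ($name === '' || !preg_match('/^[\p{L} \'\-]{1,60}$/u', $name)) {
        $errors['name'] = 'Please enter your name (letters only, up to 60 characters).';
    } else {
        $clean['name'] = $name;
    }

    $email = trim((string) ($post['email'] ?? ''));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Please enter a valid e-mail address.';
    } else {
        $clean['email'] = $email;
    }

    // Integer in range; "12abc", "", and a missing field all fail.
    $age = filter_var($post['age'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 13, 'max_range' => 120]]);
    if ($age === false) {
        $errors['age'] = 'Please enter an age between 13 and 120.';
    } else {
        $clean['age'] = $age;
    }

    return [$clean, $errors];
}

/** Escape a value for HTML text or a double-quoted attribute. */
function e(string $s): string
{
    // ENT_QUOTES escapes both ' and " so the value is safe inside attributes;
    // ENT_SUBSTITUTE replaces invalid UTF-8 rather than returning an empty string.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    [$clean, $errors] = validateContactForm($_POST);
    if ($errors === []) {
        // $clean is safe to process; still use prepared statements when storing it.
        echo '<p>Thanks, ' . e($clean['name']) . '!</p>';
    } else {
        foreach ($errors as $message) {
            echo '<p>' . e($message) . '</p>';
        }
        // Re-display what the user typed, escaped: <script>alert(1)</script>
        // comes back as literal text inside the attribute, not as a script.
        echo '<input type="text" name="name" value="' . e((string) ($_POST['name'] ?? '')) . '">';
    }
}
```

Validation and escaping are separate jobs: validateContactForm() decides what is acceptable input, e() makes any string safe for the HTML context it is written into. Even a value that passed validation is still escaped on output, because the allow-list exists to enforce the field's meaning, not to make it safe for every place it might later be displayed.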

.htaccess
Use .htaccess to restrict folder access. The slide's demonstration credentials (for illustration only, not for reuse) are:
Username: alansebrill
Password: journey
The corresponding .htpasswd line is: alansebrill:$apr1$9.m5dEw/$CkD0Nwueiiv0JpmYbXlTr0
This is a password hash in Apache's $apr1$ (MD5-based) format, not an "encrypted algorithm": the password itself is never stored, and the hash cannot be reversed, only guessed. Keep the .htpasswd file outside the web root, serve the protected folder over HTTPS only (HTTP Basic authentication sends the username and password base64-encoded, not encrypted, with every request), and prefer bcrypt (htpasswd -B) over $apr1$ for new hashes.
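The configuration the slide is pointing at, as an added example that is not part of the original presentation. The directory /var/www/html/admin and the credentials path /etc/apache2/htpasswd/admin.htpasswd are assumptions; the hash line is the slide's own.

```apache
# /var/www/html/admin/.htaccess
# Protects everything under admin/. Apache only honours this file if the
# directory's <Directory> block in httpd.conf has AllowOverride AuthConfig (or All).
AuthType Basic
AuthName "Restricted area"
# Credentials file outside the document root, so it can never be served.
AuthUserFile /etc/apache2/htpasswd/admin.htpasswd
Require valid-user

# /etc/apache2/htpasswd/admin.htpasswd
# One "user:hash" line per account. This line is the slide's example, in the
# $apr1$ MD5-based format. Create or update an account with a bcrypt hash instead:
#   htpasswd -B /etc/apache2/htpasswd/admin.htpasswd alansebrill
alansebrill:$apr1$9.m5dEw/$CkD0Nwueiiv0JpmYbXlTr0
```

Apache's default configuration already refuses to serve any file whose name begins with .ht, which is what makes placing .htaccess inside the web root acceptable; the .htpasswd file is kept outside it anyway so that a misconfiguration cannot expose the hashes. Because Basic authentication replays the credentials on every request, the protected directory should only be reachable over HTTPS.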