Presentation is loading. Please wait.

Presentation is loading. Please wait.

PHP: Security issues FdSc Module 109 Server side scripting and

Published byMaud Lane Modified over 6 years ago

Similar presentations

Presentation on theme: "PHP: Security issues FdSc Module 109 Server side scripting and"— Presentation transcript:

1 PHP: Security issues FdSc Module 109 Server side scripting and
Database design 2011

2 Rule Number One Never, Ever, Trust Your Users Assume:
Every single piece of data your site collects from a user contains malicious code Always That includes data you think you have checked with client-side validation, for example using JavaScript because JavaScript can be disabled The data may not be coming from your form

3 SQL injection Using a security hole to run SQL queries on a database
Typical login query: $check = mysql_query("SELECT Username, Password FROM Users WHERE Username = '".$_POST['username']."' and Password = '".$_POST['password']."'"); If the entered user name is ' OR 1=1 # then a different query is run

4 SQL injection SELECT Username, Password FROM Users WHERE Username = '' OR 1=1 #' and Password = '‘ This will return all the user names and passwords from the database! The first entry is likely to be the admin user!! How does this work? The # symbol tells MySQL that what follows is a comment, so it won’t execute As 1 always = 1 it evaluates as TRUE, so the OR part is TRUE and the statement effectively becomes: SELECT Username, Password FROM Users

5 SQL injection - solution
mysql_real_escape_string This  escapes special characters in a string Escaping in PHP means that you place a \ in front of a character so that it is interpreted as text and not a command It will escape: \x00 \n \r \ ‘ “ \x1a

6 SQL injection - solution
function make_safe($variable) { $variable = mysql_real_escape_string(trim($variable)); return $variable; } This will escape command characters and remove excess space characters $username = make_safe($_POST['username']); Makes the unsafe '' OR 1=1 #' become '\' OR 1=1 #' and very few people have a username of \' OR 1=1 #

7 Password protection Passwords must not be stored in clear text
They must be protected by hashing Hash algorithms turn any amount of data into a fixed- length checksum that cannot be reversed hash("hello") = 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1 fa7425e b9824 hash("hbllo") = c05c68dfac fad6a93f8146f337 a69afe7dd238f if the input changes by even a tiny bit, the resulting hash is COMPLETELY different

8 Password protection The password is hashed and stored in the database. At no point is the unhashed user's password ever stored When the user attempts to login, the hash of the password they entered is checked against the hash in the database. If the hashes match, the user is granted access. If not, the user is told they entered an incorrect password.

9 Password protection Hashed passwords are not secure
Dictionary or brute force Try words or combinations until a match is found Lookup table Store each word:hash pair from a dictionary and then compare each hash Rainbow table A combination of lookup table and brute force

10 Password protection Top 10 passwords in 180,00 (hacked file) 123456
qwerty abc123 12345 monkey 111111 consumer letmein

11 Password protection Use a “salt” to add additional protection
A salt is a string of random characters that gets appended to the password before hashing If the password is , the hash is known If the password is Uwqe2uXdSKpAA the hash is not known

12 Password protection The way it works is: Generate a long random salt
Hash the password joined to the salt Save the hash and the salt in the database. To validate a password: Get the hash and salt for that user from the database. Compute the hash of the password they tried to login with joined with the salt Compare the two If they are EXACTLY the same, then the password is valid. If there is any difference, then the password is invalid.

13 Password protection Practical example using SHA (no salt)
SHA() creates a one way encrypted string of exactly 40 characters Define the password field in a user table as CHAR(40) Assume a users table with fields for userID, firstname, lastname and password

14 Password protection Syntax:
INSERT INTO users (firstname, lastname, password) VALUES ('Arthur', 'Smith', SHA('password'); SELECT userID FROM users WHERE firstname = 'Arthur' AND password = SHA('password');

15 Password protection To use a salt investigate:
AES_ENCRYPT ('password', 'salt') AES-DECRYPT ('password', 'salt')

16 Input validation Firstly: Check that something has been entered
Secondly Make sure it is the right type

17 Input validation Use the empty() function to check for a blank entry
if(empty($_POST['userName'])==FALSE ) { $userName = $_POST['userName']; } else echo 'Username is not set'; exit();

18 Numeric validation Rating is required to be number between 1 and 5
is_numeric checks it is a number <?php if(isset($_POST[“lRating"])) { $number = $_POST[“Rating"]; if((is_numeric($number)) && ($number > 0) && ($number < 6)) echo "Selected rating: " . $number; // Write the rating to the database here } else echo "The rating has to be a number between 1 and 5!"; ?>

19 Cross site scripting The most basic form of cross site scripting (XSS) is to put some JavaScript in user- submitted content (eg a blog post or comment field) <SCRIPT>Dosomethingmalicious</SCRIPT> Steal the data in a user's cookie or session Use cookie and session data to impersonate the user

20 Cross site scripting The htmlentities function: <?php
htmlentities($variable, ENT_QUOTES); ?> will convert HTML special characters into HTML literals So <STRONG>Bold Text</STRONG> normally displays as Bold Text But after using htmlentities displays as <STRONG>Bold Text</STRONG> which cannot be executed

21 Summary Security measures are: Counteract SQL injection
Protect passwords Validate input Counteract cross site scripting Marks available in assignment 2 Validation techniques used (5%) Security methods implemented (5%)

Download ppt "PHP: Security issues FdSc Module 109 Server side scripting and"

Similar presentations

PHP Form and File Handling

PHP Form and File Handling
PHP Hypertext Preprocessor Information Systems 337 Prof. Harry Plantinga.

PHP Hypertext Preprocessor Information Systems 337 Prof. Harry Plantinga.
-Ajay Babu.D y5cs022.. Contents Who is hacker? History of hacking Types of hacking Do You Know? What do hackers do? - Some Examples on Web application.

-Ajay Babu.D y5cs022.. Contents Who is hacker? History of hacking Types of hacking Do You Know? What do hackers do? - Some Examples on Web application.
9/9/2005 Developing Secure Web Applications 1 Methods & Concepts for Developing “Secure” Web Applications Peter Y. Hammond, Developer Wasatch Front Regional.

9/9/2005 Developing "Secure" Web Applications 1 Methods & Concepts for Developing “Secure” Web Applications Peter Y. Hammond, Developer Wasatch Front Regional.
Introduction The concept of “SQL Injection”

Introduction The concept of “SQL Injection”
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
SQL Injection Attacks Prof. Jim Whitehead CMPS 183: Spring 2006 May 17, 2006.

SQL Injection Attacks Prof. Jim Whitehead CMPS 183: Spring 2006 May 17, 2006.
PHP Security.

PHP Security.
Web forms in PHP Forms Recap  Way of allowing user interaction  Allows users to input data that can then be processed by a program / stored in a back-end.

Web forms in PHP Forms Recap  Way of allowing user interaction  Allows users to input data that can then be processed by a program / stored in a back-end.
PHP : Hypertext Preprocessor

PHP : Hypertext Preprocessor
CSCI 6962: Server-side Design and Programming Secure Web Programming.

CSCI 6962: Server-side Design and Programming Secure Web Programming.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
© All rights reserved. Zend Technologies, Inc. PHP Security Kevin Schroeder Zend Technologies.

© All rights reserved. Zend Technologies, Inc. PHP Security Kevin Schroeder Zend Technologies.
Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages.

Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages.
Sofia, Bulgaria | 9-10 October Writing Secure Code for ASP.NET Stephen Forte CTO, Corzen Inc Microsoft Regional Director NY/NJ (USA) Stephen Forte CTO,

Sofia, Bulgaria | 9-10 October Writing Secure Code for ASP.NET Stephen Forte CTO, Corzen Inc Microsoft Regional Director NY/NJ (USA) Stephen Forte CTO,
Accessing MySQL with PHP IDIA 618 Fall 2014 Bridget M. Blodgett.

Accessing MySQL with PHP IDIA 618 Fall 2014 Bridget M. Blodgett.
Web Scripting [PHP] CIS166AE Wednesdays 6:00pm – 9:50pm Rob Loy.

Web Scripting [PHP] CIS166AE Wednesdays 6:00pm – 9:50pm Rob Loy.
School of Computing and Information Systems CS 371 Web Application Programming Security Avoiding and Preventing Attacks.

School of Computing and Information Systems CS 371 Web Application Programming Security Avoiding and Preventing Attacks.
PHP Workshop ‹#› PHP Security. PHP Workshop ‹#› Two Golden Rules 1.FILTER external input Obvious.. $_POST, $_COOKIE, etc. Less obvious.. $_SERVER 2.ESCAPE.

PHP Workshop ‹#› PHP Security. PHP Workshop ‹#› Two Golden Rules 1.FILTER external input Obvious.. $_POST, $_COOKIE, etc. Less obvious.. $_SERVER 2.ESCAPE.

Similar presentations

Ads by Google