Securing your PHP applications Part 1

Published: 2008-08-16 12:25:36

As long as there are programming languages, people will try to hack them, so we have to have our wits about us when writing applications. In this two-part article we'll discuss the different ways that attackers try to break into our applications and how we protect our applications from harm.

    Database Security

Many websites fall to the attack known as SQL Injection. SQL injection occurs when a malicious user experiments with a form to learn about the database behind it. After gaining sufficient knowledge, usually from database error messages, the attacker is equipped to exploit the form by injecting SQL into its fields. With SQL Injection an attacker can retrieve your data, insert or delete rows, and basically do anything with your database that the application's database account is allowed to do.

    A very common example is:

<?php
// Vulnerable: the raw form value is pasted into the SQL text
$username = $_POST['username'];
$query = "SELECT * FROM users WHERE username = '$username'";
?>

Here it is easy for an attacker to experiment with your form by giving it fragments such as ' OR 1 or ' SELECT username: the quote closes the string literal and whatever follows is parsed as SQL.

This is easily fixable by using mysql_real_escape_string. It takes the string that is about to be used in a query and returns the same string with the characters that matter to SQL safely escaped; in particular it replaces the troublesome quotes (') a user might enter with \'. Note that escaping only helps when the value is placed inside a quoted string literal in the query.

    Example:

<?php
$username = $_POST['username'];
// Escape the value, then place it inside a quoted literal
$username = mysql_real_escape_string($username);
$query = "SELECT * FROM users WHERE username = '$username'";
?>

It is always best to pass every piece of user input through mysql_real_escape_string before it reaches a query, to ensure that whatever was supplied is clean and won't harm your application. Remember: NEVER TRUST USER INPUT!
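The three lookups below, as an added example that is not part of the original article, put the vulnerable query beside the escape-and-quote fix and beside a parameterised query; PDO::quote() stands in for mysql_real_escape_string(), which was removed together with the mysql extension in PHP 7. It runs offline against an in-memory SQLite database and assumes the pdo_sqlite extension is loaded; the table, rows and the input string are constructed for the demonstration.

```php
<?php
// Added example, not from the original article: vulnerable lookup, escaped
// lookup and parameterised lookup side by side. Assumes pdo_sqlite.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT, password_hash TEXT)');
$db->exec("INSERT INTO users VALUES ('alice', 'hash-a'), ('bob', 'hash-b')");

// Constructed form input: the quote ends the string literal and the rest is
// parsed as SQL, so the WHERE clause no longer depends on the username.
$username = "x' OR '1'='1";

// 1. Vulnerable: the input is interpolated straight into the statement, as in
//    the article's first snippet, so the whole table matches.
function lookupUnsafe(PDO $db, string $username): array
{
    $query = "SELECT username FROM users WHERE username = '$username'";
    return $db->query($query)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Escaped and quoted: PDO::quote() doubles the quote inside the input and
//    wraps the value in quotes, so the quote stays part of the data.
function lookupQuoted(PDO $db, string $username): array
{
    $query = 'SELECT username FROM users WHERE username = ' . $db->quote($username);
    return $db->query($query)->fetchAll(PDO::FETCH_COLUMN);
}

// 3. Parameterised: the value travels separately from the SQL text and is
//    never parsed as SQL, whatever it contains. Prefer this form.
function lookupPrepared(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

var_dump(lookupUnsafe($db, $username));
var_dump(lookupQuoted($db, $username));
var_dump(lookupPrepared($db, $username));
```

Only the first function returns rows for this input; the other two look for a user literally named x' OR '1'='1 and find none.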

    Session Security

There are mainly two types of session attack: Session Fixation and Session Hijacking. When a user first reaches a page in your application that calls session_start(), a session is created for that user. PHP generates a random session identifier, and then sends a Set-Cookie header to the client carrying it. By default the cookie is named PHPSESSID, but the name can be changed in php.ini or with the session_name() function. On subsequent visits the client presents the cookie, and that is how the user's session data is recalled.

Because the session identifier can also be supplied by hand, an attacker who chooses the identifier in advance is able to "ride" a session that the victim later logs into.

    An example of this is:

    http://yourdomain.com/index.php?PHPSESSID=283

An easy way of preventing this is to regenerate the session id every time a user logs in.

    Example:

<?php
session_start();
// A user just logged in: call session_regenerate_id() so the pre-login
// identifier (which the attacker may have chosen) is no longer valid.
// $login_successful is assumed to be set by your credential check.
if ($login_successful)
{
    session_regenerate_id();
}
?>

This is a quick way to protect your site from session fixation. Unfortunately it doesn't protect your site from Session Hijacking, which happens when a person discovers another user's session id rather than supplying his own. To prevent this we have to identify the person using the session. One way of doing so is the User-Agent request header: because it is unlikely that a user will change browsers within the same session, we'll use this header to identify our user.

When a user logs in, record their User-Agent alongside the regenerated id:

<?php
session_start();
// A user just logged in: regenerate the id and remember the browser.
// $login_successful is assumed to be set by your credential check.
if ($login_successful)
{
    session_regenerate_id();
    $_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT'];
}
?>

Now, to stop a would-be attacker from using our session, we have to check the User-Agent every now and then. Call this on subsequent pages, or on every page if you prefer:

<?php
session_start();
if (!isset($_SESSION['user_agent'])
    || $_SESSION['user_agent'] != $_SERVER['HTTP_USER_AGENT'])
{
    // Browser does not match the one that logged in: end the session
    session_destroy();
    exit;
}
?>
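The login-time and per-request steps above collected into two functions, as an added example that is not part of the original article; it also locks the session id to the cookie and rejects ids the server never issued, which closes the ?PHPSESSID=... route directly, and it stores a hash of the User-Agent instead of the raw header. It assumes PHP 7 or later (for ?? and hash_equals), the default files session handler, and that onSuccessfulLogin() is called only after your own credential check has passed.

```php
<?php
// Added example, not from the original article. Assumes PHP >= 7.
// Accept the id only from the cookie and refuse ids PHP did not generate,
// so a session id pasted into the URL cannot fix a victim's session.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');
// Keep the cookie out of reach of client-side script.
ini_set('session.cookie_httponly', '1');
session_start();

// Call right after the credentials have been verified.
function onSuccessfulLogin(int $userId): void
{
    // true deletes the old session file, so the pre-login id is dead.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    // Store a fixed-length hash of the header rather than the raw string.
    $_SESSION['user_agent'] = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Call at the top of every page that requires a logged-in user.
function requireValidSession(): int
{
    $current = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (!isset($_SESSION['user_id'], $_SESSION['user_agent'])
        || !hash_equals($_SESSION['user_agent'], $current)) {
        // Browser mismatch or no login: clear server-side data, expire the
        // cookie and destroy the session before stopping the request.
        $_SESSION = [];
        setcookie(session_name(), '', time() - 3600, '/');
        session_destroy();
        exit;
    }
    return $_SESSION['user_id'];
}
```

The User-Agent comparison remains a heuristic: the header is chosen by the client and changes when a browser updates, so treat it as one signal and not as proof of identity.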

Implementing these easy techniques is the best route to protecting your applications from these attacks. Next time we'll discuss protecting your filesystem and defending against Cross-Site Scripting, better known as XSS. Enjoy!
