Case Studies on PHP Website Security from XSS Attack and Sql Injection
XSS (Cross Side Scripting) is a way to enter tag/script HTML (injection) in to website for disrupt thats website.
Example attack with XSS: entered HTML or Javascript Code in some form, such like Comment Form. entered comment like this
if thats website don't have XSS filtering, when the comment appear, the alert script will working.In PHP there are so many function, where we can use for xss attack filtering, and we can combiine to make own xss filtering function
SQL Injection is a technic for manipulation sql command ..
Example Sql Injection in login form with " 'OR 1=1;// " , thats logic will like this
the logic is true, and whos ever can enter, ok lets make anti sql injection with PHP.
Example attack with XSS: entered HTML or Javascript Code in some form, such like Comment Form. entered comment like this
I want to enter comment with <script>alert('this xss attack'); </scipt>
if thats website don't have XSS filtering, when the comment appear, the alert script will working.In PHP there are so many function, where we can use for xss attack filtering, and we can combiine to make own xss filtering function
function xss_filtering($text) {
$f = stripslashes (strip_tags (htmlspecialchars ($text, ENT_QUOTES)));
return $f;
}
$text_comment = xss_filtering($_POST['comment']);
Example Sql Injection in login form with " 'OR 1=1;// " , thats logic will like this
SELECT * FROM user_table WHERE username=' ' OR 1=1;// ' AND password ='anything';
the logic is true, and whos ever can enter, ok lets make anti sql injection with PHP.
function sql_injection_filtering($data){
$filter = mysql_real_escape_string($data);
return $filter;
}
$username = sql_injection_filtering($_POST['username']);
$password = sql_injection_filtering($_POST['password']);
if (!ctype_alnum($username) OR !ctype_alnum($password)){
echo "Only alpha numeric";
} else {
echo "Login Succes";
}
No comments for "Case Studies on PHP Website Security from XSS Attack and Sql Injection"
Post a Comment