The two most common types of attacks are:
- SQL injection
- XSS
SQL Injection (Scenario):
- Attacker can gain access to the premium section of the website
- Can drop the database
- Can echo all the data on screen
- Can obviously steal confidential data and misuse it
Prevention
Use the PDO extension, with prepared statements and bound parameters, when making queries.
The PHP Data Objects (PDO) extension defines a lightweight, consistent interface for accessing databases in PHP. Each database driver that implements the PDO interface can expose database-specific features as regular extension functions. Note that you cannot perform any database functions using the PDO extension by itself; you must use a database-specific PDO driver to access a database server.
PDO provides a data-access abstraction layer, which means that, regardless of which database you're using, you use the same functions to issue queries and fetch data. PDO does not provide a database abstraction; it doesn't rewrite SQL or emulate missing features. You should use a full-blown abstraction layer if you need that facility.
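The point above in working code, as an added example that is not part of the original post: the same user lookup written once by pasting input into the SQL string and once as a PDO prepared statement with a bound parameter. It runs against an in-memory SQLite database so it works offline; the table, its rows and the input value are constructed for the demonstration.

```php
<?php
// Added example (not from the original post): the same lookup written two ways,
// against an in-memory SQLite database so it runs offline. Table and rows are constructed.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // let the driver bind values, not PHP

$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, premium INTEGER)');
$pdo->exec("INSERT INTO users (name, premium) VALUES ('alice', 1), ('O''Brien', 0)");

// VULNERABLE: user input becomes part of the SQL text, so it can change what the query means.
function findUserUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name, premium FROM users WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the SQL text is fixed at prepare time; the value is sent separately as a parameter
// and is never parsed as SQL, whatever characters it contains.
function findUserSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name, premium FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: a perfectly legitimate name that happens to contain a quote.
$input = "O'Brien";

try {
    print_r(findUserUnsafe($pdo, $input));
} catch (PDOException $e) {
    // The quote ended the string literal early: the input rewrote the query itself.
    echo "unsafe query failed: " . $e->getMessage() . "\n";
}

// The bound parameter is treated purely as data and the row comes back as expected.
print_r(findUserSafe($pdo, $input));
```

Two caveats a practitioner should keep in mind: `PDO::quote()` is not a substitute for binding, and only values can be bound, never table or column names or `ORDER BY` directions, so those must be validated against a fixed allow-list before they are placed in the SQL text.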
XSS (Scenario):
- Attacker can steal other users' cookies
- Can change the website's look for all other users
- Can redirect users to a similar-looking website
- Can do pretty much anything that you could do with JavaScript
Prevention
Escape everything that you get from the user, and escape everything that you display to the user, so that injected script is rendered as text rather than executed by the browser.
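One way to apply that rule in PHP, as an added example that is not from the original post: a small escaping helper built on `htmlspecialchars()` for HTML text and attribute contexts, plus a JSON-based encoder for values that land inside an inline `<script>` block, where HTML escaping is the wrong tool. The helper names and the sample comment are constructed for the demonstration.

```php
<?php
// Added example (not from the original post): output escaping for two HTML contexts.
declare(strict_types=1);

// Escape for text placed between tags or inside a quoted attribute.
// ENT_QUOTES also converts single quotes, so the value is safe in 'single-quoted' attributes;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of silently returning an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Escape a value that is embedded in an inline <script> block as a JSON literal.
// The JSON_HEX_* flags keep '<', '>', '&' and both quote characters out of the script text,
// so the value cannot close the block early or break out of the string.
function eJs(mixed $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed "user-supplied" values, as they might arrive from a form.
$comment = '<script>alert("xss")</script>';
$nick    = "O'Brien";

// Printed raw, $comment would hand the browser a live <script> element;
// escaped, the browser shows the characters literally and runs nothing.
echo "<p>" . e($comment) . "</p>\n";

// Attribute context: the apostrophe in the nickname cannot terminate the quoted value.
echo "<input value='" . e($nick) . "'>\n";

// Script context: the value arrives as a JavaScript string literal, not as markup.
echo "<script>var nick = " . eJs($nick) . ";</script>\n";
```

Escaping is context-dependent: the `e()` helper covers HTML text and quoted attributes, `eJs()` covers string values inside a script block, and a value placed into a URL or a CSS property needs its own encoder (`rawurlencode()` for URL components). Storing the raw value and escaping at output time keeps the data usable in every context; escaping once on input and then echoing it unchanged only works for the single context you had in mind.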
Tip: always encrypt your data. Even with all this preparation there is a chance you get hacked, and you never want to give the attacker access to data in plain format.
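What "encrypt your data" looks like for a stored field, as an added example that is not from the original post: authenticated encryption with `ext/sodium` (bundled with PHP 7.2 and later), with the key kept outside the database. The environment-variable name, the helper names and the sample plaintext are assumptions made for the demonstration.

```php
<?php
// Added example (not from the original post): authenticated encryption of a stored field
// with ext/sodium. The key source, helper names and sample value are constructed.
declare(strict_types=1);

// The key must live outside the database (environment, secrets manager, a config file the
// web user cannot read); if it sits next to the ciphertext, one dump reveals both.
function loadKey(): string
{
    $hex = getenv('APP_ENC_KEY'); // assumed deployment convention, not a PHP built-in
    if ($hex === false || strlen($hex) !== 2 * SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('APP_ENC_KEY missing or wrong length');
    }
    return sodium_hex2bin($hex);
}

// secretbox is XSalsa20-Poly1305: confidentiality plus integrity, so tampered rows are rejected.
function encryptField(string $plaintext, string $key): string
{
    $nonce  = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // fresh for every record
    $cipher = sodium_crypto_secretbox($plaintext, $nonce, $key);
    return base64_encode($nonce . $cipher); // the nonce is not secret; store it with the data
}

function decryptField(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('malformed ciphertext');
    }
    $nonce  = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain  = sodium_crypto_secretbox_open($cipher, $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('decryption failed: wrong key or modified data');
    }
    return $plain;
}

// Demo only: generate a key for this run. In production it is provisioned once, outside the code.
putenv('APP_ENC_KEY=' . sodium_bin2hex(sodium_crypto_secretbox_keygen()));
$key = loadKey();

$stored = encryptField('4111-1111-1111-1111', $key); // constructed sample value
echo "stored:    $stored\n";
echo "decrypted: " . decryptField($stored, $key) . "\n";

// Flip one byte of the ciphertext: the MAC check fails instead of returning garbage.
$raw = base64_decode($stored, true);
$last = strlen($raw) - 1;
$raw[$last] = chr(ord($raw[$last]) ^ 0x01);
try {
    decryptField(base64_encode($raw), $key);
} catch (RuntimeException $e) {
    echo "tampered:  " . $e->getMessage() . "\n";
}
```

Passwords are the one field this does not apply to: they should never be recoverable at all, so store them with `password_hash()` and check them with `password_verify()` rather than encrypting them.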