Writing secure code

Writing secure code by Dmitry Dulepov

Security is the issue

You are responsible

You must not fail

Write secure code now!

3 attacks

SQL injection: how

SQL injection: how index.php?id=1

SQL injection: how index.php?id=1 “SELECT * FROM pages WHERE ” . “id=’” . $_GET[‘id’] . “‘“

SQL injection: how index.php?id=1 “SELECT * FROM pages WHERE ” . “id=’” . $_GET[‘id’] . “‘“ index.php?id=1’;DELETE FROM be_users’

SQL injection: how index.php?id=1 “SELECT * FROM pages WHERE ” . “id=’” . $_GET[‘id’] . “‘“ index.php?id=1’;DELETE FROM be_users’ “SELECT * FROM pages WHERE ” . “id=’1‘;DELETE FROM be_users ‘’“

SQL injection: the ﬁx

SQL injection: the ﬁx “SELECT * FROM pages WHERE ” . “id=” . $GLOBALS[‘TYPO3’]-> fullQuoteStr($id, ‘pages’)

SQL injection: the ﬁx “SELECT * FROM pages WHERE ” . “id=” . $GLOBALS[‘TYPO3’]-> fullQuoteStr($id, ‘pages’) “SELECT * FROM pages WHERE ” . “id=” . intval($id)

Cross–site scripting: how

Cross–site scripting: how Comment: I agree! <script src=”http://example.com/ evil-script.js”> </script> Submit

Cross–site scripting: the x

Cross–site scripting: the x htmlspecialchars($comment)

Cross–site request forgery: how

Cross–site request forgery: how <img src=”http://yourbank.com/ transfer? to_account=DE25LALA1234567890& amount=4000& currency=EUR” />

Cross–site request forgery: the x

Cross–site request forgery: the x • _POST • random number

Cross–site request forgery: the x • _POST • random number • Salted magic value • Captcha

Remember about security

Make customers happy!

Writing secure code

by Dmitry Dulepov on May 16, 2009

Accessibility

Categories

Tags

Upload Details

Usage Rights

2 Embeds 17

Statistics

Writing secure code — Presentation Transcript

http://underpop.free.fr	10
http://www.slideshare.net	7