Web application security


Published on

Published in: Education
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Web application security

  1. 1. Preventing Multiple Submissions Pengaturcaraan PHPPengaturcaraan PHPMore Secure Form ValidationThe golden rule of validating any data received by a PHP page is toassume that its invalid until it passes the right tests indicatingotherwise. At a bare minimum, you shouldUse the superglobals (e.g., $_POST[name]) rather than theregistered globals ($name).Check text, password, and text area form inputs for values usingempty().Check other form inputs for values using isset(). 1
  2. 2. Pengaturcaraan PHP A better way to validate data is to see if it conforms to a certain type (like an integer). An even more exacting method of form validation requires the use of regular expressions. You can also use JavaScript to perform basic validation on the client (within the Web browser) before the data is sent to the server.Pengaturcaraan PHPA common question I see is how to prevent someone from submitting thesame form multiple times. Whether a user repeatedly submits a form onaccident or on purpose, such occurrences can be a minor nuisance or amajor problem for your Web site. There are many different ways toprevent multiple submissions, and Ill discuss two options here. 2
  3. 3. Pengaturcaraan PHPFirst, if you are already using sessions, an easy solution is to create asession variable indicating whether a specific form has been submitted ornot.Pengaturcaraan PHPThe premise is this: a generated identifier will be stored in the HTML form(as a hidden input). This value will be inserted into the database along withthe other submitted information. To prevent repeated submissions, thisidentifier can be stored in the database only once. A user wishing to submitthe form again will have to reload the HTML form so that another uniqueidentifier is created 3
  4. 4. Pengaturcaraan PHPPengaturcaraan PHP 4
  5. 5. Pengaturcaraan PHPPengaturcaraan PHP 5
  6. 6. Pengaturcaraan PHP Validating the Right FormPengaturcaraan PHP 6
  7. 7. Pengaturcaraan PHPStep 2After the initial PHP tag, define what form inputs are expected.Pengaturcaraan PHP Step 3 Assign the received variable names to a new array. 7
  8. 8. Pengaturcaraan PHP Step 4 Create a conditional that checks if the two arrays are the same.Pengaturcaraan PHPStep 5After the mysql_close() line, complete the $allowed == $receivedconditional 8
  9. 9. Pengaturcaraan PHP Validating DataPengaturcaraan PHP 9
  10. 10. Pengaturcaraan PHP For the most part, form validation is rather minimal, often just checking if a variable has any value at all. In many situations, this really is the best you can do. Pengaturcaraan PHPPHP supports many types of data: strings, numbers (integers and floats),arrays, and so on. For each of these, theres a specific function that checks if avariable is of that type. You may already be familiar with the is_numeric()function, and is_array() is a great for confirming a variables type beforeattempting to use it in a foreach loop. Function Checks For is_array() Arrays is_bool() Booleans (TRUE, FALSE) is_float() Floating-point numbers is_int() Integers is_null() NULLs is_numeric() Numeric values, even as a string (e.g., "20") is_resource() Resources, like a database connection is_scalar() Scalar (single-valued) variables is_string() Strings 10
  11. 11. Pengaturcaraan PHP Step 3 Cast all the variables to a specific type. JavaScript Form ValidationPengaturcaraan PHP 11
  12. 12. Pengaturcaraan PHPJavaScript is not a true securitymeasure in itself, but rather anadded level of security and aconvenience to your users. BecauseJavaScript is a client-side technology(whereas PHP is server-side),incorporating it into your pages cansave users the hassle of having tosend the form data back to theserver before seeing if there areproblems.Instead, you can use JavaScript toimmediately run through some testsand then, if the data passes, sendthe form information along to PHP.Pengaturcaraan PHP 12
  13. 13. Pengaturcaraan PHPStep 2Create a JavaScript section and begin a functionPengaturcaraan PHPStep 3Validate that the user entered a name. 13
  14. 14. Pengaturcaraan PHPStep 4Repeat the process forthe email address andthe URL.Pengaturcaraan PHP Step 5 Validate that a URL category was selected. 14
  15. 15. Pengaturcaraan PHP Step 7 Complete the HTML head, begin the body, and start the form.Pengaturcaraan PHPAlternatively, you can check for empty fields by seeing if their length —the number of characters entered — is less than or equal to 0. The codewould be: 15
  16. 16. Database Security and Encryption Pengaturcaraan PHPPengaturcaraan PHPEncryptionMySQL has several encryption and decryption functions built into thesoftware. You should be familiar with the SHA() function, which is often usedto encrypt passwords stored in a database. Another function, ENCRYPT(),is like SHA() in that it encrypts a string but differs in that you can add a saltparameter to help randomize the encryption process. 16
  17. 17. Pengaturcaraan PHPBoth the SHA() and ENCRYPT() functions create an encrypted string thatcannot be decrypted. This is a great safety feature because it means thatstored information cannot be retrieved in readable form.Pengaturcaraan PHP If you require data to be stored in an encrypted form that can be decrypted, youll need to use either ENCODE() and DECODE() or AES_ENCRYPT() and AES_DECRYPT(). These functions also take a salt argument, which helps to randomize the encryption. 17
  18. 18. Pengaturcaraan PHPPengaturcaraan PHPWhile using ENCRYPT() and DECRYPT() can add a level of security toyour Web applications by encrypting and decrypting sensitive data, theresstill room for improvement. For starters, the AES_ENCRYPT() function is amore secure option and is recommend if you are using MySQL 4.0.2 orlater. Its syntax is the same as that of the ENCODE() function: 18
  19. 19. EndPengaturcaraan PHP 19