Check points of security for your web apps

Series: なぜPHPアプリにセキュリティホールが多いのか? ("Why are there so many security holes in PHP applications?")

This is a series of articles about web application security. The series is titled "Why are there so many security holes in PHP applications?", but what the articles actually describe is how to avoid security holes in web apps in general: the advice is more conceptual than PHP-specific know-how.

I have picked out some points from these articles.

SQL injection
According to the article, there are two ways to prevent SQL injection:

  • Escape all variables before splicing them into the SQL text
  • Execute all queries as prepared queries, passing values as parameters

He recommends using prepared queries.
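The reason the recommendation matters is that escaping only rewrites the input, so it has to be done correctly for every variable and every database/connection encoding, whereas a prepared query keeps the SQL text fixed and sends values separately, so they can never change the query's structure. The following is an added example, not code from the article, showing both a concatenated query and a prepared query run against an in-memory SQLite database (the table, rows, function names and the attacker input are all constructed for the demo):

```php
<?php
// Added example (not from the article): SQL injection via string concatenation
// versus a prepared query. Uses an in-memory SQLite database so it runs
// stand-alone; the users table and its rows are constructed for the demo.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On MySQL you would also set PDO::ATTR_EMULATE_PREPARES to false so the
// server, not the client library, does the preparing.

$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)');
$pdo->exec("INSERT INTO users (name, password) VALUES ('alice', 's3cret'), ('bob', 'hunter2')");

// VULNERABLE: the input is spliced into the SQL text, so a quote in the input
// ends the string literal and the rest of the input becomes SQL.
function loginVulnerable(PDO $pdo, string $name, string $password): array
{
    $sql = "SELECT name FROM users WHERE name = '$name' AND password = '$password'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// SAFE: the SQL text is a constant; the values travel as parameters and are
// only ever compared as data, whatever characters they contain.
function loginPrepared(PDO $pdo, string $name, string $password): array
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE name = :name AND password = :password');
    $stmt->execute([':name' => $name, ':password' => $password]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed attacker input: a classic tautology.
$attack = "' OR '1'='1";

// The concatenated query becomes
//   WHERE name = '' OR '1'='1' AND password = '' OR '1'='1'
// which is true for every row, so every account "logs in".
var_dump(loginVulnerable($pdo, $attack, $attack));   // array(2) { "alice", "bob" }

// The prepared query compares the literal string "' OR '1'='1" and finds nobody.
var_dump(loginPrepared($pdo, $attack, $attack));     // array(0) { }

// Normal use still works.
var_dump(loginPrepared($pdo, 'alice', 's3cret'));    // array(1) { "alice" }
```

Note that parameters can only stand in for values: a table name, column name, or ORDER BY direction taken from user input still has to be checked against a fixed whitelist, because no prepared-statement API can parameterise those.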

Script injection
The article gives 10 check items for preventing script injection (cross-site scripting) in PHP:

  • Declare the default character encoding (default_charset) in the HTTP response header
  • Validate the character encoding of input values
  • Apply strict validation rules to input values
  • Escape output strings by default
  • If you output a string as-is, make sure it is safe first
  • Do not allow any HTML tags in strip_tags() (pass no allowed-tags argument)
  • Do not use regular expressions to parse HTML
  • Validate strings against a strict white list if you output HTML tags and/or attributes
  • Validate strings against a strict white list if you generate CSS dynamically from input values
  • Validate strings against a strict white list if you generate JavaScript dynamically from input values
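Most of these items come down to one rule: decide the encoding once, reject input that does not conform, and escape for the exact context (HTML text, attribute, URL, JavaScript) the value is written into. The following is an added example, not code from the article, that implements the header, encoding check, strict validation, default escaping, attribute/URL whitelist and JavaScript hand-off items as small helpers; all function names are my own and the attacker inputs are constructed:

```php
<?php
// Added example (not from the article): output-escaping helpers that apply
// several of the checklist items. Function names and sample inputs are
// constructed for this demo.
declare(strict_types=1);

const APP_CHARSET = 'UTF-8';

// Declare the encoding in the response header so the browser cannot guess a
// different one (e.g. UTF-7) and reinterpret the escaped output.
function sendContentTypeHeader(): void
{
    if (!headers_sent()) {
        header('Content-Type: text/html; charset=' . APP_CHARSET);
    }
}

// Reject input that is not valid in the declared encoding before any other
// validation; malformed byte sequences are a classic way to smuggle "<".
function requireValidEncoding(string $value): string
{
    if (!mb_check_encoding($value, APP_CHARSET)) {
        throw new InvalidArgumentException('input is not valid ' . APP_CHARSET);
    }
    return $value;
}

// Strict validation rule: here an account name is 1 to 32 ASCII word characters.
function validateAccountName(string $value): string
{
    if (!preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $value)) {
        throw new InvalidArgumentException('invalid account name');
    }
    return $value;
}

// Default escaping for HTML text and quoted attribute contexts.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid
// sequences instead of silently returning an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, APP_CHARSET);
}

// Whitelist for a user-supplied href: only absolute http/https URLs pass, so
// javascript:, data: and vbscript: schemes are rejected rather than escaped.
function safeHref(string $url): ?string
{
    if (!preg_match('~\Ahttps?://[^\s"\'<>]+\z~i', $url)) {
        return null;
    }
    return h($url);
}

// Handing a value to JavaScript: emit it as a JSON literal with <, >, &, and
// both quote characters hex-escaped, so it cannot close the <script> block
// or break out of an attribute.
function jsLiteral($value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Demo with constructed attacker-controlled inputs.
$name = '<script>alert(1)</script>';
$link = 'javascript:alert(document.cookie)';

sendContentTypeHeader();

echo '<p>Hello, ' . h($name) . "</p>\n";
// <p>Hello, &lt;script&gt;alert(1)&lt;/script&gt;</p>

echo '<a href="' . (safeHref($link) ?? '#') . '">profile</a>' . "\n";
// <a href="#">profile</a>

echo '<script>var user = ' . jsLiteral($name) . ";</script>\n";
// <script>var user = "\u003Cscript\u003Ealert(1)\u003C\/script\u003E";</script>

try {
    validateAccountName(requireValidEncoding("\xC3\x28"));   // invalid UTF-8 byte pair
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}
```

The CSS item has no helper here on purpose: there is no general-purpose escaping function for CSS, so the only safe option is the one the article names, a strict white list of the exact values (colour names, numeric sizes, a fixed set of class names) the application is prepared to emit.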