Entries tagged "security"
When passing row IDs between pages, it's a good idea to check the value is what you expect. Values which could be tampered with by the user need to validated and sanitized. So, if an ID is supposed to be a number, we should make sure it is before running the database query. Let's discuss some options for checking for numbers. Continue reading →
When managing websites, keep in mind that the Internet doesn't sit still. That PHP script written 10 years ago probably has a thing or two needing to be updated. There may be security issues, outdated code, etc. In addition to the evolution of programming / scripting languages, you as a developer have likely changed. Your coding practices are likely to be more efficient and more secure. So let's look at why we need to review old scripts on a semi-regular basis. Continue reading →
When looking for articles about PHP_SELF, it seems like most only refer to the dangers of using the variable with HTML forms. However, there are risks with using it in other parts of a website. For example, it may be tempting to use the variable within the href attribute for links. The problem is that those links become susceptible to Cross-Site Scripting (XSS). Let's take a closer look at the security vulnerability of PHP_SELF and a simple alternative to avoid the problem altogether. Continue reading →
Have you coded a simple if() construct that sets a variable to one of two values and thought to yourself "Five lines of code; there should be a better way?" Okay, maybe it's just me. Either way, let's take a look at the Ternary Operator [aka the short-hand if()]. Continue reading →
If you've visited a government website, there's a good chance that you've seen the "You are now leaving our website" message. The message, as you have probably guessed, is displayed when a visitor clicks a link leading to an external website. Now I don't plan to discuss the validity of this technique but the potential security risk if utilized incorrectly. Continue reading →