Preventing SQLi and XSS, by Ravi Rajput, OWASP Meet Ahmedabad
About me
hacktosecure.com
• Student of Information Technology
• A person with BIG dreams.
• Co-Founder of "hacktosecure.com"
• Who is not from one of "THE CEHs" :P :P
Who helped me in this
• A special thanks to PaulOS.
• Love to Namu, who always pushes me to do something.
SQL Injection Defence
• Use prepared statements.
• Use the PDO (PHP Data Objects) library.
• Use PDO in a try/catch block, with PDO::ERRMODE_EXCEPTION set, so failed queries surface as exceptions you handle instead of database errors leaking into the page.
Normal QUERY
$q = $_GET['q'];
$con = mysql_connect('localhost', 'ravi', 'passwd');
// $q is dropped straight into the SQL text, so a value such as ' OR '1'='1 rewrites the query.
// (mysql_* was deprecated in PHP 5.5 and removed in PHP 7; the same bug exists with mysqli or PDO if you concatenate.)
$sql = "SELECT * FROM user WHERE id='" . $q . "'";
$result = mysql_query($sql);
PDO QUERY
$DBH = new PDO('mysql:host=localhost;dbname=mydb', 'ravi', 'passwd'); // dbname is a placeholder
$STH = $DBH->prepare('SELECT name, age FROM users WHERE userid = :userid');
// Bind by name: the array key is the placeholder, the value is the untrusted input.
$STH->execute(array(':userid' => $UserID));
Pretty Easy way
• Use addslashes(), for eg.
  <?php $str = addslashes('What does "hacking" mean?'); echo $str; ?>
• Result: What does \"hacking\" mean?
• It adds \ before " ' \ and the NUL byte.
• Caveat: addslashes() knows nothing about the connection character set, so it is not a reliable SQL-injection defence. With a multi-byte connection charset such as GBK, the byte sequence 0xBF 0x27 becomes 0xBF 0x5C 0x27, where 0xBF5C is one valid character and the quote survives. It also does nothing when the value is not wrapped in quotes. Prefer the prepared statements from the previous slide.
Usage
$sql = "SELECT * FROM user WHERE id='" . addslashes($q) . "'";
Look up mysql_real_escape_string() (mysqli_real_escape_string() in current PHP): unlike addslashes(), it escapes according to the character set of the open connection.
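The following is an added example, not code from the slides: the lookup from the "Normal QUERY" slide done three ways (string concatenation, addslashes() on an unquoted numeric id, and a PDO prepared statement as on the "PDO QUERY" slide), run against an in-memory SQLite database so it works offline with the PHP CLI. The table and column names, the sample rows and the payloads are constructed for this demo.

```php
<?php
// Added example, not code from the slides: the same lookup done three ways against an
// in-memory SQLite database (needs pdo_sqlite, which is bundled with PHP).
// Table name, column names and sample rows are made up for this demo.

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [
        // Surface every driver error as a PDOException so the try/catch below sees it.
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        // For pdo_mysql you would also pass PDO::ATTR_EMULATE_PREPARES => false so the
        // server, not the PHP driver, does the binding; pdo_sqlite always binds natively.
    ]);
    $db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT NOT NULL, age INTEGER)');
    $ins = $db->prepare('INSERT INTO user (id, name, age) VALUES (:id, :name, :age)');
    foreach ([[1, 'ravi', 21], [2, 'alice', 30], [3, 'bob', 45]] as [$id, $name, $age]) {
        $ins->execute([':id' => $id, ':name' => $name, ':age' => $age]);
    }
    return $db;
}

// 1. String concatenation, as on the "Normal QUERY" slide: the input becomes SQL.
function byConcat(PDO $db, string $q): array
{
    $sql = "SELECT name FROM user WHERE id='" . $q . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. addslashes() with the value left unquoted, as is common for numeric ids.
//    addslashes() only touches ' " \ and NUL, so "1 OR 1=1" passes straight through.
function byAddslashesUnquoted(PDO $db, string $q): array
{
    $sql = 'SELECT name FROM user WHERE id=' . addslashes($q);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 3. Prepared statement with a named placeholder, as on the "PDO QUERY" slide.
//    The SQL text is fixed before the value is bound, so the value is never parsed as SQL.
function byPrepared(PDO $db, string $q): array
{
    $sth = $db->prepare('SELECT name FROM user WHERE id = :id');
    $sth->execute([':id' => $q]);
    return $sth->fetchAll(PDO::FETCH_COLUMN);
}

try {
    $db = makeDb();

    $quotedPayload   = "' OR '1'='1";   // breaks out of a quoted literal
    $unquotedPayload = '1 OR 1=1';      // needs no quote at all

    printf("concat, honest input 2:       %s\n", json_encode(byConcat($db, '2')));
    printf("concat, quoted payload:       %s\n", json_encode(byConcat($db, $quotedPayload)));
    printf("addslashes, unquoted payload: %s\n", json_encode(byAddslashesUnquoted($db, $unquotedPayload)));
    printf("prepared, honest input 2:     %s\n", json_encode(byPrepared($db, '2')));
    printf("prepared, quoted payload:     %s\n", json_encode(byPrepared($db, $quotedPayload)));
    printf("prepared, unquoted payload:   %s\n", json_encode(byPrepared($db, $unquotedPayload)));

    // addslashes() escapes quotes MySQL-style (\'), but SQLite only knows ''.  Here the
    // rewritten query is not "blocked", it is rejected as a syntax error: escaping is
    // database-specific, one more reason to bind parameters instead.
    $db->query("SELECT name FROM user WHERE id='" . addslashes($quotedPayload) . "'");
} catch (PDOException $e) {
    // Log the detail server-side; never echo $e->getMessage() to the browser.
    echo 'database error: ', $e->getMessage(), "\n";
}
```

Run it with `php` on the command line. The two concatenation variants return all three names for the payloads, while the prepared statement returns only alice for the honest id and an empty list for both payloads, because the bound value is compared as data rather than parsed as SQL. The last statement lands in the catch block, which is where a real application would log the failure and return a generic error.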
Defending XSS
• Nope: addslashes() and the SQL escaping above do not stop XSS.
• Use htmlentities() (or htmlspecialchars()) with ENT_QUOTES, and pass the charset explicitly.
• For eg.
  var name = '<?php echo htmlentities($_GET['username'], ENT_QUOTES, 'UTF-8'); ?>';
• Caveat: this is HTML encoding. It is the right tool for HTML text and quoted attribute values; for a value placed inside a <script> block, as in the example above, emit it with json_encode() instead.
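The following is an added example, not code from the slides, and it goes a little beyond them: the same attacker-controlled value rendered in three output contexts, with HTML encoding for the text and attribute cases and a JSON string literal for the inline-script case shown on the slide. The helper names, the page fragment and the payloads are constructed for this demo.

```php
<?php
// Added example, not code from the slides: context-aware output encoding for XSS.
// htmlspecialchars() with ENT_QUOTES is right for HTML text and attribute values; inside a
// <script> block the value must be emitted as a JSON string literal instead.
// Helper names, markup and payloads are made up for this demo.

// HTML text or quoted-attribute context.
function htmlEscape(string $s): string
{
    // ENT_QUOTES: encode both ' and ".  ENT_SUBSTITUTE: replace invalid UTF-8 instead of
    // silently returning an empty string (the default since PHP 5.4, easy to miss).
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// JavaScript string context inside an inline <script> block.
function jsStringLiteral(string $s): string
{
    // JSON_HEX_* turn < > ' " & into \uXXXX, and / is escaped as \/ by default, so the
    // literal can neither close the surrounding quotes nor end the <script> block.
    $json = json_encode($s, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);
    if ($json === false) {
        // Invalid UTF-8: fail closed rather than emit a half-escaped literal.
        return '""';
    }
    return $json;
}

// One value, three contexts.  The <script> line mirrors the slide's var name = '...'.
function renderPage(string $username): string
{
    return "<p>Hello, " . htmlEscape($username) . "</p>\n"
         . "<input name=\"username\" value=\"" . htmlEscape($username) . "\">\n"
         . "<script>var name = " . jsStringLiteral($username) . ";</script>\n";
}

// Constructed payloads: a harmless name, an attribute breakout, a JS string breakout,
// and an attempt to close the script block from inside the string.
$payloads = [
    'ravi',
    '"><script>alert(1)</script>',
    "'; alert(1); //",
    '</script><script>alert(1)</script>',
];
foreach ($payloads as $p) {
    echo "--- input: $p\n", renderPage($p);
}
```

In the output, the HTML contexts show `&lt;script&gt;` and `&quot;&gt;` rather than live markup, and the script line shows `var name = "\u0027; alert(1); \/\/";` and `"\u003C\/script\u003E..."`, which the browser's JavaScript parser turns back into the original characters as string data. The slide's htmlentities() in that position does stop the quote from closing the literal, but the value JavaScript then receives contains the text `&#039;` rather than an apostrophe; json_encode() delivers the real value without opening a breakout.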
Libraries for preventing XSS
• PHP AntiXSS
• xss_clean.php
• HTML Purifier
• XSS Protector
• XSS HTML Filter
References
• hacktosecure.com/patch-php-security-loopholes
• www.w3schools.com/php/func_string_addslashes.asp
• www.w3schools.com/php/func_string_htmlspecialchars.asp
• http://code.tutsplus.com/tutorials/why-you-should-be-using-phps-pdo-for-database-access--net-12059
• http://resources.infosecinstitute.com/how-to-prevent-cross-site-scripting-attacks/
• Analyze the code of Mutillidae at security level 5.