Security - nogsantos/study-zce-php-certification-codes GitHub Wiki
- Server-side filtering is important for security, while client-side validation is important for usability. Anything enforced only in the browser (maxlength, pattern, disabled fields, JavaScript checks) can be removed by the client, so the server must validate every field again.
- Spoofed forms: a common method used by attackers is a spoofed form submission. There are various ways to spoof a form, the easiest of which is to simply copy the target form and submit it from a different location (or craft the POST request directly without any form). Spoofing a form lets an attacker strip every client-side restriction imposed on it and submit any kind of data, including unexpected types (arrays instead of strings) and fields the form never displayed.
- Cross-site scripting (XSS) is one of the most common and best known kinds of attacks. The simplicity of this attack and the number of vulnerable applications in existence make it very attractive to malicious users. An XSS attack exploits the user's trust in the application and is usually an effort to steal user information, such as cookies and other personally identifiable data. All applications that display input are at risk.
- A cross-site request forgery (CSRF) is an attack that attempts to cause a victim to unknowingly send arbitrary HTTP requests, usually to URLs requiring privileged access and using the existing session of the victim to determine access. The HTTP request then causes the victim to execute a particular action based on his or her level of privilege, such as making a purchase or modifying or removing information. Whereas an XSS attack exploits the user’s trust in an application, a forged request exploits an application’s trust in a user, since the request appears to be legitimate and it is difficult for the application to determine whether the user intended for it to take place. While proper escaping of output will prevent your application from being used as the vehicle for a CSRF attack, it will not prevent your application from receiving forged requests. Thus, your application needs the ability to determine whether the request was intentional and legitimate or possibly forged and malicious.
Ctype Functions
- ctype_alnum — Check for alphanumeric character(s)
- ctype_alpha — Check for alphabetic character(s)
- ctype_cntrl — Check for control character(s)
- ctype_digit — Check for numeric character(s)
- ctype_graph — Check for any printable character(s) except space
- ctype_lower — Check for lowercase character(s)
- ctype_print — Check for printable character(s)
- ctype_punct — Check for any printable character which is not whitespace or an alphanumeric character
- ctype_space — Check for whitespace character(s)
- ctype_upper — Check for uppercase character(s)
- ctype_xdigit — Check for character(s) representing a hexadecimal digit
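The server-side validation that the spoofed-form bullet calls for, written with the ctype functions above. This is an added example and not code from the original wiki; the field names, rules and the two submissions are constructed for illustration, and it assumes PHP 8 (for `match`). It also shows two ctype edge cases a practitioner needs to know: every ctype test returns false for the empty string, and non-string input (such as `field[]=x`, which arrives as an array) has to be rejected before the ctype call.

```php
<?php
// Added example (not from the original page): server-side whitelist validation of a
// form submission using the ctype functions. Field names and rules are assumptions.

declare(strict_types=1);

/**
 * Validate one submitted field against a ctype-based rule.
 * Returns the value if it passes, null otherwise.
 * The ctype functions only give useful answers for strings: ctype_*('') is false,
 * and non-string input (arrays) is rejected here before any ctype call, so a
 * spoofed submission of field[]=x yields a clean rejection rather than a warning.
 */
function validateField(array $input, string $name, string $rule, int $maxLen): ?string
{
    if (!isset($input[$name]) || !is_string($input[$name])) {
        return null;                       // missing, or not a string (e.g. an array)
    }
    $value = $input[$name];
    if ($value === '' || strlen($value) > $maxLen) {
        return null;                       // empty string fails every ctype test; cap length too
    }
    $ok = match ($rule) {
        'alnum'  => ctype_alnum($value),   // usernames: letters and digits only
        'digit'  => ctype_digit($value),   // quantities: only 0-9, so no '-', '.', 'e' or spaces
        'xdigit' => ctype_xdigit($value),  // hex identifiers such as a token or item id
        'alpha'  => ctype_alpha($value),   // letters only
        default  => false,                 // unknown rule: fail closed
    };
    return $ok ? $value : null;
}

// Constructed sample submissions: the first is what the HTML form allows,
// the second is what a spoofed form can send once client-side limits are gone.
$legit   = ['username' => 'alice42',   'qty' => '3',    'item' => 'deadbeef'];
$spoofed = ['username' => '<script>',  'qty' => '-1e9', 'item' => ['x']];

foreach ([$legit, $spoofed] as $post) {
    $user = validateField($post, 'username', 'alnum',  32);
    $qty  = validateField($post, 'qty',      'digit',  5);
    $item = validateField($post, 'item',     'xdigit', 32);
    if ($user === null || $qty === null || $item === null) {
        echo "rejected\n";
    } else {
        echo "accepted: user=$user qty=$qty item=$item\n";
    }
}
```

The rule set is deliberately a whitelist: each field is accepted only if it consists entirely of the allowed character class, rather than trying to strip known-bad characters out of it. Note that `ctype_digit` accepts only ASCII digits, so a validated quantity can be cast with `(int)` afterwards without surprises, but it still needs a range check if the business logic has one.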
string htmlspecialchars ( string $string [, int $flags = ENT_COMPAT | ENT_HTML401 [, string $encoding = 'UTF-8' [, bool $double_encode = true ]]] )
Convert special characters to HTML entities
This function is useful for preventing user-supplied text from being interpreted as HTML markup, for example on a message board or in a guest book. The optional second argument, $flags (called quote_style before PHP 5.4), tells the function what to do with single and double quote characters. The default mode, ENT_COMPAT, is the backwards-compatible mode: it translates only double quotes and leaves single quotes untouched. If ENT_QUOTES is set, both are translated, and if ENT_NOQUOTES is set, neither is. Because ENT_COMPAT leaves single quotes alone, output placed inside a single-quoted attribute is still injectable with the default flags; use ENT_QUOTES whenever the output context is not fixed in advance. The signature above is the PHP 5.4 to 8.0 one: since PHP 8.1 the default flags are ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, and before PHP 5.4 the default $encoding was ISO-8859-1 rather than UTF-8.
The translations performed are:
- `&` (ampersand) becomes `&amp;`
- `"` (double quote) becomes `&quot;` when ENT_NOQUOTES is not set
- `'` (single quote) becomes `&#039;` (or `&apos;` when the ENT_XML1, ENT_XHTML or ENT_HTML5 document type flag is used) only when ENT_QUOTES is set
- `<` (less than) becomes `&lt;`
- `>` (greater than) becomes `&gt;`
string htmlentities ( string $string [, int $quote_style [, string $charset [, bool $double_encode ]]] )
This function is identical to htmlspecialchars() in every way, except that with htmlentities() all characters that have an HTML character entity equivalent are translated into those entities. For XSS prevention the five characters handled by htmlspecialchars() are what matter; with a UTF-8 document the extra entities produced by htmlentities() buy no additional safety. If you want to decode instead (the reverse), you can use html_entity_decode(); never decode user-supplied data before it is sent to the browser.
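The single-quote caveat above, shown as code. This is an added example, not code from the original wiki; the `e()` helper name and the attacker payload are constructed for illustration, and the "vulnerable" line deliberately uses the pre-8.1 default flag (ENT_COMPAT) so that the attribute break-out is visible next to the escaped version.

```php
<?php
// Added example (not from the original page): why ENT_COMPAT is not enough.
// A constructed payload that breaks out of a single-quoted HTML attribute.

declare(strict_types=1);

// Escape a string for HTML body text and for double- or single-quoted attributes.
// ENT_QUOTES converts both quote characters; ENT_SUBSTITUTE replaces invalid UTF-8
// with U+FFFD instead of making htmlspecialchars() return '' for the whole string
// (which would silently blank the output); UTF-8 is stated explicitly so the
// result does not depend on the php.ini default_charset.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed attacker input aimed at a single-quoted attribute.
$payload = "x' onmouseover='alert(document.cookie)";

// Vulnerable on purpose: ENT_COMPAT (the default before PHP 8.1) leaves ' untouched,
// so the quote closes value='...' and onmouseover becomes a real attribute.
$vulnerable = "<input value='" . htmlspecialchars($payload, ENT_COMPAT, 'UTF-8') . "'>";

// Hardened: the same value through e(); the quote becomes &#039; and stays text.
$hardened = "<input value='" . e($payload) . "'>";

echo $vulnerable, "\n";
echo $hardened, "\n";

// Same payload in a double-quoted attribute: even ENT_COMPAT encodes " there, but a
// template cannot rely on every developer remembering which quote style they used,
// which is why e() always passes ENT_QUOTES.
echo '<input value="' . e($payload) . '">', "\n";

// htmlentities() additionally encodes every character that has a named entity
// (for example é becomes &eacute;). In a UTF-8 document that is not needed for XSS
// defence, and html_entity_decode() is its inverse, not a sanitiser.
echo htmlentities("café & 'bar'", ENT_QUOTES, 'UTF-8'), "\n";
```

The first echo prints `<input value='x' onmouseover='alert(document.cookie)'>`, a live event handler; the second prints the quote as `&#039;`, so the browser sees a single attribute value. Escaping has to match the output context: `e()` is correct for HTML text and attribute values, but data placed inside a `<script>` block, a URL, or a CSS declaration needs a different encoder.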
The token method involves the use of a randomly generated token that is stored in the user’s session when the user accesses the form page and is also placed in a hidden field on the form. The processing script checks the token value from the posted form against the value in the user’s session. If it matches, then the request is valid. If not, then it is suspect and the script should not process the input and, instead, should display an error to the user. The following snippet from the aforementioned form illustrates the use of the token method:
```php
<?php
session_start();
// Generate the token with the CSPRNG; the md5(uniqid(rand(), TRUE)) seen in
// older guides is predictable and is not suitable for a security token.
$token = bin2hex(random_bytes(16));
$_SESSION['token'] = $token;
?>
<form action="checkout.php" method="POST">
<!-- The token is hex, but escape it anyway so the template stays safe if the format changes -->
<input type="hidden" name="token" value="<?php echo htmlspecialchars($token, ENT_QUOTES, 'UTF-8'); ?>" />
<!-- Remainder of form -->
</form>
```
The processing script that handles this form (checkout.php) can then check for the token:
```php
<?php
session_start();
// Compare with hash_equals(): it is constant-time and strict, whereas == applies
// PHP's numeric-string juggling (two tokens such as "0e123" and "0e456" compare
// equal). Both operands must be strings, so reject anything else (e.g. token[]=x) first.
if (isset($_SESSION['token'], $_POST['token'])
    && is_string($_SESSION['token']) && is_string($_POST['token'])
    && hash_equals($_SESSION['token'], $_POST['token'])) {
    // Token is valid, continue processing form data
}
?>
```
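The token method carried through as one complete request handler, covering both the form page and checkout.php. This is an added example and not the wiki's own code; the function names (`csrfToken`, `csrfField`, `csrfValid`), the `csrf_token` session key and the 403 response are assumptions made for illustration. It differs from the snippets above in two practical ways: the token is generated once per session rather than on every page load, so a form opened in a second tab does not invalidate the first, and the verification fails closed on any malformed input.

```php
<?php
// Added example (not from the original page): the CSRF token method as a single
// handler that both renders the form and verifies the submission.

declare(strict_types=1);

// Return the session's CSRF token, creating it with the CSPRNG on first use.
// One token per session (instead of per page load) keeps multiple open tabs
// working; rotate it at login and logout rather than on every request.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token']) || !is_string($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 256 bits of entropy
    }
    return $_SESSION['csrf_token'];
}

// Emit the hidden field. The value is hex, but it is escaped anyway so the
// template remains safe if the token format ever changes.
function csrfField(): string
{
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

// Verify a submitted token against the session. hash_equals() is constant-time
// and strict; is_string() guards against token[]=x, which would otherwise make
// hash_equals() throw a TypeError, and against a session that has no token yet.
function csrfValid(array $post): bool
{
    $expected = $_SESSION['csrf_token'] ?? null;
    $given    = $post['token'] ?? null;
    if (!is_string($expected) || !is_string($given) || $expected === '') {
        return false;
    }
    return hash_equals($expected, $given);
}

session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfValid($_POST)) {
        // Forged or replayed request: refuse it and do not touch any state.
        http_response_code(403);
        exit('Invalid or missing CSRF token.');
    }
    // Token is valid: process the checkout here.
    exit('Order accepted.');
}

// GET: render the form with the hidden token field.
echo '<form action="checkout.php" method="POST">', csrfField(),
     '<!-- Remainder of form --></form>';
```

Because the check reads the token from `$_POST` only, a GET request can never satisfy it, which is the behaviour you want: state-changing actions should not be reachable by GET at all. Pair the token with the `SameSite` cookie attribute on the session cookie where the supported browsers allow it; the token is the defence that does not depend on browser behaviour.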