How can I secure my webscripts?
Posted by on 24 August 2012 06:57 PM
Scripts in languages such as PHP, Perl, Python, ASP and ASP.NET can present security problems. However, you can take a number of relatively simple steps to improve the security of the scripts you run.
The examples below are geared towards PHP. However, the principles apply to all web scripting.
You are responsible for what happens using your web space. We may suspend your account if an insecure script allows third-parties to misuse our servers.
Form to mail scripts
Form to mail scripts allow people to fill out a contact form (or a similar form) on your website. Whatever they enter is then emailed to you.
They are regularly targeted by spammers, who hijack the script to send unsolicited email. Through a few simple checks, you can ensure that your form to mail script is only used by your website and only sends to the email address you choose.
Suggestion: You can prevent most illegitimate use of your form to mail scripts by checking the referrer string of the page calling your script before processing the request.
SQL injections
If you dynamically create SQL statements using parameters passed from a web form or in a URL, you might use something similar to the following pseudo-code, for example:
SQL = "SELECT * FROM users WHERE name = '" + userName + "';"
You might expect the userName variable to be just that, a username. However, if the username comes from a script input, such as a form field, a malicious user could type the following:
a'; DROP TABLE users;
When the script is executed, the SQL statement would become:
SELECT * FROM users WHERE name = 'a'; DROP TABLE users;
When the SQL statement is run, it would drop the users table from the database. A malicious user could do almost anything that your database user's permissions allow.
You should:
- use your scripting language's escaping functionality
- use SQL variables (bound parameters), rather than concatenating scripting variables to create the SQL statement
- limit the database user's permissions to those needed by your application.