Avoiding hackers injecting redirects/code into php

Hi, does anyone know how hackers inject redirects onto PHP sites? I guess it's uploading/injecting code into the SQL?

Are there other ways they do this?

I am trying to get a good overview to make sure I cover all backdoors.

Thanks
 
The latest exploit doing the rounds is where files are injected with an iframe, typically by "acquiring" the user's FTP username and password. Be careful about any insecure connections you use (FTP is sent plain text) as well as thoroughly sweeping your computer for malware and viruses on a regular basis.
 
The latest exploit doing the rounds is where files are injected with an iframe, typically by "acquiring" the user's FTP username and password. Be careful about any insecure connections you use (FTP is sent plain text) as well as thoroughly sweeping your computer for malware and viruses on a regular basis.

In this case - How can you connect securely to ftp?
 
There are SQL attacks, which everyone knows about: SQL injection. You should use parameterized queries for this, or at least SQL input escaping.

There is also injecting HTML and JavaScript into the database; when a page with that data gets recalled, the HTML/JavaScript gets put onto that page.

Parameterized queries and SQL input escaping will not catch this; as far as they're concerned, it's legit data. The best way to handle this is HTML output escaping, rather than what uninformed people call "input escaping". Let the data get inserted into the database; when you recall the data, escape the HTML characters, don't get rid of them. This allows you to post HTML as text rather than as part of the page if you ever need to post an HTML tutorial/howto; even if you don't, it's still good practice.

Say </body> will get converted to the escaped &lt;/body&gt; version. That will display "</body>" without being included as part of the HTML source. This will happen on recall of the data from the database.

If you ever want to display the HTML data somewhere other than a website, it won't look messed up as it would with HTML input escaping.

Non-PHP languages have been doing this mostly automatically for years. Still, a lot of PHP people don't get it right.

There's also cross-site scripting, when you include a link to another site holding a JavaScript script, usually inserted as an injection. HTML output escaping gets rid of the method to include a JavaScript link on the page.
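
The two layers described in the post above, as an added example that is not part of the original thread: a parameterized insert stores the text unchanged, and HTML escaping is applied only when the value is written into a page. The table name, the `h()` helper, the sample comment and the `redirect.example` URL are constructed for illustration, and the code assumes the `pdo_sqlite` extension is available.

```php
<?php
declare(strict_types=1);

// Constructed sample input: one comment carrying SQL metacharacters
// and an injected redirect script.
$comment = "Nice post'); DROP TABLE comments; -- "
         . "</body><script>location='https://redirect.example/'</script>";

// In-memory SQLite keeps the example self-contained (assumes pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Input side: parameterized query. The value is bound as data and is
// never spliced into the SQL text, so the quote and DROP TABLE are inert.
$insert = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
$insert->execute([':body' => $comment]);

// The database holds the text exactly as submitted, markup included.
$stored = (string) $db->query('SELECT body FROM comments WHERE id = 1')->fetchColumn();
if ($stored !== $comment) {
    throw new RuntimeException('stored value was altered on the way in');
}

// Output side: escape at the moment the value is placed into HTML.
// ENT_QUOTES also covers single quotes, so the helper is safe inside
// quoted attribute values as well as element content.
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// In the page, the markup is shown as text and is not parsed as tags.
echo '<p class="comment">' . h($stored) . "</p>\n";

// A non-HTML consumer (plain-text e-mail, CSV export) reads the same
// stored value and sees it unmangled, because nothing was escaped on input.
echo 'Plain text: ' . $stored . "\n";
```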
 