In my years as a web developer, there are many security issues with which I have had to become familiar. There are a lot of people out their with malicious intent. One of them could come across your site and expose a flaw that allows them access to crucial information, or the entire site itself. Don’t let this happen! Below are the 10 most common errors programmers make that could prove fatal.

1. SQL Injection

SQL injection is the act of maliciously adding SQL code that is then processed along with SQL code. This happens when the programmer neglects to properly check user input or query string variables before using it in SQL statements.

For example:

$id = $_GET['id'];
$result = mysql_query("SELECT * FROM tblComments WHERE fldCommentID = $id");

You may be asking yourself, “What’s wrong with the above code?” Plenty… just enough for any hacker to exploit it. What would happen if the visitor entered in the URL page.php?id=0 UNION SELECT * FROM tblAdminUsers ? Because the $id variable is not properly checked for injected code, it is added to the SQL query and processed. Here is what the resulting SQL query would look like:

SELECT * FROM tblComments WHERE fldCommentID = 0 UNION SELECT * FROM tblAdminUsers

It is a common enough table naming convention to give it a try, and the results would be damaging, exposing information you never intended to become public. Knowing that $id is supposed to be an integer, one approach to preventing injection is to get the integer value of the variable.

$id = intval($_GET['id']);

The above code would then only return a number, and therefore be safe.

There are many other methods of injection, however, so keep your eyes open for any possible vulnerabilities!

2. Cross-Site Scripting

Cross-site scripting, or XSS, is the act of inputting HTML or JavaScript code such that it is called and then run. Failing to properly check for HTML tags will allow this to happen. A good example is if you echo a variable taken from the query string. If the user altered the query string such that it included JavaScript code, the possibilities would be endless for hacking and other mischief.

page.php?something=<script>alert("hello");</script>

Visiting the above URL could potentially run the script, as it could be echoed in its entirety. Once that doorway is open, anything is then possible. Suppose the visitor is posting a comment and include JavaScript in his comment. Without proper checking, it would affect anybody viewing the page on which the comment then appears.

One possible solution would be to escape all tag brackets (< and >) with their HTML entity equivalent (< and >) or, if there is no reason for anybody to be using such characters, replace them with nothing at all.

3. GET Variable Manipulation

If a site has a form on it that sends to another page via GET method (like PayPal does), it quite possible to go through all the hard work of constructing a URL and altering a variable or two in the process. Consider the following code:

<p>Checkout below!</p>
<form action="checkout.php" method="get">
<input type="hidden" name="grandtotal" value="1234.00" />
<input type="submit" value="Checkout" />
</form>

If the visitor simply clicked on the Checkout button, she would then be taken to checkout.php?grandtotal=1234.00 where, presumable, the site would then deduct $1,234.00 from a stored credit card or account balance of some sort, and so forth. One method of simple hacking would involve examining the form code, and then manually entering in a new URL: checkout.php?grandtotal=5.00 where the visitor would then only have to pay $5.00. Such oversights could prove extremely costly.

To fix such a mistake, the grand total could be stored in a database or session variable, or passed via POST instead of GET; however, a better solution would be to double-check the grand total sent to checkout.php, comparing it to what it should be. It is well worth the extra effort and work to prevent losing thousands or even millions of dollar in revenue.

4. System Calls

The exec(), passthru() and system() functions all allow you to execte system commands from within your PHP code. Failing to check the commands processed by these functions can potentially result in hackers accessing private information by altering the input. Two function exist to assist in your fight against malicious destruction: escapeshellarg() and escapeshellcmd().

The escapeshellarg() function removes potentially harmful parts of user input by adding single quotes around the string and escaping any single quotes within. It would be used like so:

$command_fixed = escapeshellarg($command);

The escapeshellcmd() function is similar to the former, except that it only escapes characters that have a special meaning to the operating system at hand.

5. File Uploads

When uploading content to a site, PHP creates a file but does not automatically check the validity of the file name, the file type, or the size. A user could create his own form specifying some other file to upload instead.

The functions move_uploaded_file() and is_uploaded_file() are useful to assist in solving this problem, but it is best to check the $_FILES global array to ensure the file size and type are allowable for your application.

6. Includes

PHP allows you to include external files as if it were within the page itself, and is useful for code that is used extensively, class definitions, and for better organization of your site. However, if the included files are dependent upon user input, this could prove to be a big mistake if not properly checked. If the user visits index.php?p=article, let’s say our index.php page runs the following:

include_once($_GET['p'].'php');

Then a page called article.php would be called up and run. If, however, the user visits index.php?p=http://mysite.com/mycode, then the code would include http://mysite.com/mycode.php, which could potentially contain malicious and destructive code. The code from that page would be run as though it were running on the site’s own server, which is never a good idea.

Even if you restricted all included files to begin with something like “include-” (so that include-articles.php would be called up instead), any hacker could go through the trouble of registering a domain name beginning with “include-” and doing the same thing as before.

The only solution is to check the query string variable for illegal characters, such as slashes, colons, and even periods.

NOTE: Make sure all included files end in the proper extension, whether it’s .php for PHP or .aspx/.asp for ASP. Otherwise, if a visitor somehow finds out what files you are including, they could view a file such as lib.inc, as opposed to lib.inc.php, which would not expose the PHP code within.

7. Unrestricted Access and Permissions

If your site has an administration section, it is best to only allow certain IP addresses (ones you know you will be on when logging in). Another good idea an Apache .htaccess file with a username and password. This is a common mistake not native to PHP; it could happen to anybody.

On a similar note, never EVER back up PHP files by changing or adding an extension. This will most likely result in the PHP code being displayed in its raw format, exposed to the entire world, rather than parsed by the server. Servers usually only recognize certain extensions for certain languages (like .php for PHP, etc.) and any other extension wil display as an ASCII text file. NOT a good idea.

8. Session IDs

It is very easy for any hacker to hijack another user’s session, if they know that user’s session ID, and potentially see information that they really shouldn’t. While not completely avoidable, there are steps you can take to increase security.

One solution is to regenerate the session ID upon login using the session_regenerate_id() function. A hacker could try to set her own session ID prior to login; regenerating the session ID would prevent this action from doing anything significant.

9. Error Reporting

Before your site goes live, you should get rid of all display_errors() functions, as well as set the display_errors variable in your php.ini file to 0. Errors that are displayed could reveal crucial information about your database structure, connection string, and other credentials.

If you still want to be able to view errors, you can set the error_log variable in php.ini to 1 and check your PHP error log frequently for caught errors. You can also create your own code to handle errors.

10. Unvalidated Access to Protected Areas

I’ve been guilty of this once before. If your site has an administration or members-only area, each and every single page that should be available to members only, should be protected properly.

At the top of every protected page, make sure that their login credentials are validated, and that the session or cookie variable you use for logging in users is still flagged and active. Otherwise, users would be able to view certain information without ever logging in. Nobody should be able to view any protected pages by bypassing the login screen.

Conclusion

There are so many ways that people can hack into your code and your site. The above covers just a handful of mistakes you could make in your code that would expose vulnerabilities and crucial information. Be safe, be informed, and be cautious!

First off, what is AJAX? AJAX stands for Asynchronous JavaScript And XML. What does that mean? Basically, it means that you can call up other scripts and retrieve dynamically generated content (or perform simple actions) without ever leaving the current page. It’s how a large number of sites let you log in nowadays, and on what Yahoo! Mail Beta is based. It became popular through Google Suggest, where AJAX is the framework behind that little list that pops up below the search bar while you type in your query.

In Google Suggest, AJAX calls up an external script while you type, looking through a list of popular search queries, and return those that start with the text you are typing, providing suggestions for your search. It is quite useful in that it allows the visitor to see a search query that might return more (or better) results than the one the visitor had in mind.

AJAX isn’t a programming language in itself; it is simply a method of combining JavaScript and the dynamic programming language of your choice (ASP, PHP, etc.) to run another page’s server-side script. There are two parts to an AJAX script: the originating page, where the user is located; and the external page, containing the script that AJAX calls.

We’re going to create our own little page with a “name” text field. When somebody types text into that field, the page will call up an external script that returns the current time. (Sure, we can use plain JS to do this, but this is just a demonstration!)

To start off, we will create the HTML page with the form.

<html>
    <head>
        <title>AJAX Test Page</title>
    </head>
    <body>
        <form name="testform">
            Name: <input type="text" name="inputname" /><br />
            Time: <input type="text" name="currtime" />
        </form>
    </body>
</html>

Pretty basic, right? So far we have the text “Name”, followed by a text field in which the user can enter text. Nothing else happens at the moment, as you can see.

We need to call up our script when the user types in text. The best handler to use for this is the onkeyup event handler. Add the event handler and have it call up a function we will then create:

<input type="text" name="inputname" onkeyup="getTime()" />

Different browsers use different methods to create the XML-HTTP Request object we will need. Internet Explorer uses an ActiveX object, while most other browsers use a built-in JavaScript object. We will use try and catch statements to generate the correct object.

Let’s define the function that will return the XMLHttpRequest object. In the <head> section, add some JavaScript:

<script language="javascript" type="text/javascript">
    function getXHObject() {
        var xmlHttp = null;
        try {
            // For Firefox, Opera 8.0+, and Safari:
            xmlHttp = new XMLHttpRequest();
        } catch (e) {
            // Internet Explorer (below 7.0, and 7.0+):
            try {
                xmlHttp = new ActiveXObject("Msxml2.XMLHTTP");
            } catch (e) {
                xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
            }
        }
        return xmlHttp;
    }
</script>

The above script will attempt to create the built-in JS object, which will work for most non-IE browsers. If that doesn’t work, then it tries to call up one of the IE-supported methods. The first one works with versions of IE from 5.5 to under 7.0. The second one works with IE 7.0+. Finally, it returns the XML-HTTP object.

What if none of them work? In that case, the user’s browser is incredibly obsolete and does not support AJAX at all. Sure, this isn’t 100% compatible with all browsers, but so few people use ancient web browsers that it doesn’t matter much anyway. It comes to the point where they really should upgrade anyway, to be totally honest.

Next, we will create the getTime() function, which will call up the external script and retrieve the needed information.

var xmlHttp;    // This var must be global
function getTime() {
    // If the input mattered, we would check for blank or invalid input here
    // Create XML-HTTP object
    xmlHttp = getXHObject();
    // Check if null - browser is obselete
    if (xmlHttp == null) {
        alert('Your browser does not support AJAX!');
        return;
    }
    // The URL we will call - if input mattered, we would add a query string of some sort.
    var url = 'gettime.php';
    // Required AJAX code
    xmlHttp.onreadystatechange = stateChanged; // Specify function that will output info.
    xmlHttp.open('GET', url, true);            // Open the URL for sending...
    xmlHttp.send(null);                        // ...and send the request.
}

If the input affected the output (such as getting information based on user input), then the above getTime() function would have included the input as a parameter, and we would have checked the input to make sure it was valid. We would also have generated a URL with the input in the query string, such as getusername.php?id=123.

Next, we will define the stateChanged() function, which is called while the XML-HTTP request is working.

function stateChanged() {
    if (xmlHttp.readyState == 4) {
        // Output was received
        document.testform.currtime.value = xmlHttp.responseText;
    } else {
        // Nothing was received yet, but the XML-HTTP request is working.
        // We may want to generate a message that asks the user to wait.
    }
}

The above function will set the currtime text field’s value to the response text — the output received from the gettime.php external script.

Finally, we will set up the gettime.php page itself. Whatever we echo out will be the response text when called via AJAX. In a new file, we will use PHP to get the current time.

<?php
    echo date('g:i:s A');
    // Return something like "1:45:23 AM"
?>

And that’s it!

Basically, here’s how it works: The user types in a value into the “Name” field. After each keystroke, the getTime() function is called and creates an XML-HTTP object. This is then used to communicate silently with gettime.php, which outputs the time. This output triggers a Ready State of 4. The stateChanged() function is then used to take the output and put it into the “Time” text field.

Now you know how to utilize AJAX, and have just increased your web development arsenal. As stated above, you can have output that changes depending on the user input. For example, you could have a text field that receives a User ID as input, and the external script will take that ID, query a database, and return that user’s full name, or some other piece of information.

Furthermore, instead of using onkeyup as the event handler, you could have a button click (onclick) or a click away from the text field (onblur) act as the trigger.

On a side note, I promise that future posts will not be as long as this one. I just wanted to get an AJAX primer out of the way, kind of as our starting big bang.

Happy coding!

Welcome to the blog of Xylot Design!

The purpose of this blog is to share code snippets, functions, programming methods, design ideas, and other innovations with the world. We’ll be posting informational and extremely useful pieces of code. Just wait until we show you what we have in store for you!