Possible security risk?

  • Kurthead+1
  • Graduate
  • Posts: 131

Post 3+ Months Ago

Whenever I have a form that inputs to a PHP page, I've noticed that it is possible to put code into inputs, and if the syntax is correct the PHP page will run it properly from the input. Is there any way to prevent this? Or anything I should be doing? Is it a security risk? I know that an infinite loop on my hosting site, or any other type of memory overload, causes my account to be suspended. And I know that I could at least do that from the input. What are you supposed to do about this?

  • spork
  • Brewmaster
  • Silver Member
  • Posts: 6252
  • Loc: Seattle, WA

Post 3+ Months Ago

What you're describing is a form of code injection. It's a common attack technique targeting websites that don't properly sanitize and validate input.

You absolutely should be taking this into account when developing any software, not just web sites.
  • Kurthead+1
  • Graduate
  • Posts: 131

Post 3+ Months Ago

Thanks very much. I'll research this and study how to prevent it.
  • demonmaestro
  • Gold Member
  • Posts: 679
  • Loc: Conroe, Texas

Post 3+ Months Ago

Not sure what programming language you are using, but here is some good info: http://www.w3schools.com/php/func_mysql_real_escape_string.asp The site http://www.w3schools.com is also a very good website for learning.
  • SpooF
  • ٩๏̯͡๏۶
  • Bronze Member
  • Posts: 3422
  • Loc: Richland, WA

Post 3+ Months Ago

I'd actually highly recommend not going to w3schools; there are far better resources on the net than it. w3schools is usually outdated and plainly wrong in a lot of places.

If you want to learn about a PHP function, use the documentation! That's what it's there for.

As you can see from the documentation, the mysql extension is being deprecated.
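An added example, not code from anyone in the thread, showing the approach spork (validate and sanitize input) and SpooF (drop the deprecated mysql extension in favour of the documented PDO API) point to: input is validated against an allowlist, bound as a parameter in a prepared statement instead of being concatenated into SQL, and escaped on output. The `comments` table, its columns, and the DSN/credentials are assumptions.

```php
<?php
// Added example, not code from the thread. Assumed schema: a `comments` table
// with columns (id, author, body); DSN and credentials are placeholders.
declare(strict_types=1);

function connect(): PDO {
    $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'CHANGE_ME');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Use real server-side prepared statements rather than client-side emulation.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

/** Allowlist validation: returns the cleaned fields, or null if anything is off. */
function validateComment(array $post): ?array {
    $author = trim((string) ($post['author'] ?? ''));
    $body   = trim((string) ($post['body'] ?? ''));
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $author)) {
        return null;                       // author: 1-32 word characters only
    }
    if ($body === '' || strlen($body) > 2000) {
        return null;                       // body: non-empty and bounded in size
    }
    return ['author' => $author, 'body' => $body];
}

/** Values are bound as parameters, never concatenated into the SQL string. */
function saveComment(PDO $pdo, array $comment): int {
    $stmt = $pdo->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $comment['author'], ':body' => $comment['body']]);
    return (int) $pdo->lastInsertId();
}

/** Escape on output so stored text renders as text, not as HTML or script. */
function renderComment(array $comment): string {
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p><b>' . $esc($comment['author']) . '</b>: ' . $esc($comment['body']) . '</p>';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $comment = validateComment($_POST);
    if ($comment === null) {
        http_response_code(400);
        exit('Invalid input.');
    }
    saveComment(connect(), $comment);
    echo renderComment($comment);
}
```

The same rule applies to every sink, not only SQL: user input is data to be validated and then bound or escaped for wherever it goes, never text that is handed to eval(), include(), or a shell.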
  • spork
  • Brewmaster
  • Silver Member
  • Posts: 6252
  • Loc: Seattle, WA

Post 3+ Months Ago

For that matter, I'd highly recommend not using PHP if you're serious (or want to become serious) about web development. It's not the early 2000s anymore.
  • Kurthead+1
  • Graduate
  • Posts: 131

Post 3+ Months Ago

What do you use instead of PHP or for backend?
  • spork
  • Brewmaster
  • Silver Member
  • Posts: 6252
  • Loc: Seattle, WA

Post 3+ Months Ago

As much as I don't like to admit it, JavaScript-as-a-backend is making big advances in the web app industry. This is partially due to the rising popularity of HTML5+JavaScript as a complete app solution (not just on the web; see Windows/WinPhone store apps), but also because of the wide support for the language.

For "backend" scripting, if you want to use a scripting language, I'd highly recommend Python or Ruby for early work until you find that they might not scale. Scala is another good choice if you enjoy working with the JVM.

I've expressed my gripes with PHP here in the past, so I won't reiterate them now, but basically PHP is an old, inconsistent, poorly-designed language and lacks many of the features modern languages and developers have come to take advantage of.
  • demonmaestro
  • Gold Member
  • Posts: 679
  • Loc: Conroe, Texas

Post 3+ Months Ago

So it sounds like he is saying jump on the Microsoft bandwagon with .NET (.asp)...

That's what it sounds like to me...
  • spork
  • Brewmaster
  • Silver Member
  • Posts: 6252
  • Loc: Seattle, WA

Post 3+ Months Ago

Where did I mention .NET?
  • Kurthead+1
  • Graduate
  • Posts: 131

Post 3+ Months Ago

Through all of my training, JavaScript has been my all-time favorite language. I didn't know if it could handle the back-end or not. Are there any kind of installations I would need to make it run on the back-end (The only thing I've heard of before is Node.js)? Can it take care of databases, file handling, user logging/registrations, payments for products? Or is it not quite ready to do all of that? Do you have a language you specifically suggest that can handle everything? Or do I need to use a combination of the languages you mentioned for the back-end?

I have been very annoyed with PHP at times.
  • spork
  • Brewmaster
  • Silver Member
  • Posts: 6252
  • Loc: Seattle, WA

Post 3+ Months Ago

(Off-topic: if you really like JavaScript, and you like playing around with new languages just for fun, you should check out Io. It's a prototypical language like JavaScript and you can do all sorts of cool metaprogramming in it.)

I've been out of the web development scene for a few years now, so I can't make any realistic, experience-based suggestions. Node.js is certainly one of the most popular options out there, but there are plenty of others. I'd recommend reading up on it as I don't actually know what it is/isn't capable of.

Another point: services such as Amazon AWS and Microsoft Azure are now immensely popular and are further driving the nail into the coffin for the whole PHP+MySQL solution, as they allow developers to focus on user experience rather than storage details.
  • SpooF
  • ٩๏̯͡๏۶
  • Bronze Member
  • Posts: 3422
  • Loc: Richland, WA

Post 3+ Months Ago

To add to this list of languages to play with, Go (http://golang.org) is another language that is rising in popularity right now.
  • CarneysLawyers
  • Born
  • Posts: 4

Post 3+ Months Ago

The dynamic query generation is much better today than it was just a few years ago. Code-First has come a long way, especially with the introduction of Database Migrations.

Post Information

  • Total Posts in this topic: 14 posts
© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.