Web Programming Step by Step, 2nd Edition

Chapter 15: Web Security

Except where otherwise noted, the contents of this document are Copyright 2012 Marty Stepp, Jessica Miller, and Victoria Kirst. All rights reserved. Any redistribution, reproduction, transmission, or storage of part or all of the contents in any form is prohibited without the author's expressed written permission.

Valid XHTML 1.1 Valid CSS!

15.1: Security Principles

Our current view of security

group hug

The real world

orcs (dorks?)

Attackers' goals


Why would an attacker target my site?

Tools that attackers use


Assume that the attacker knows about web dev and has the same tools you have:

Some kinds of attacks


Information leakage

information leakage

when the attacker can look at data, files, etc. that he/she should not be allowed to see

15.2: Cross-Site Scripting (XSS)

HTML injection

a flaw where a user is able to inject arbitrary HTML content into your page


Injecting HTML content


Cross-site scripting (XSS)

a flaw where a user is able to inject and execute arbitrary JavaScript code in your page

8ball.php?question=<script type='text/javascript'>alert('pwned');</script>

Another XSS example


Securing against HTML injection / XSS

htmlspecialchars returns an HTML-escaped version of a string
$text = "<p>hi 2 u & me</p>";
$text = htmlspecialchars($text);   # "&lt;p&gt;hi 2 u &amp; me&lt;/p&gt;"

15.3: Validating Input Data

What is form validation?

A real form that uses validation


Client vs. server-side validation

Validation can be performed:

An example form to be validated

<form action="http://foo.com/foo.php" method="get">
		City:  <input name="city" /> <br />
		State: <input name="state" size="2" maxlength="2" /> <br />
		ZIP:   <input name="zip" size="5" maxlength="5" /> <br />
		<input type="submit" />

Basic server-side validation code

$city  = $_REQUEST["city"];
$state = $_REQUEST["state"];
$zip   = $_REQUEST["zip"];
if (!$city || strlen($state) != 2 || strlen($zip) != 5) {
	print "Error, invalid city/state/zip submitted.";

Regular expressions


Regular expressions in PHP (PDF)

function description
preg_match(regex, string) returns TRUE if string matches regex
preg_replace(regex, replacement, string) returns a new string with all substrings that match regex replaced by replacement
preg_split(regex, string) returns an array of strings from given string broken apart using given regex as delimiter (like explode but more powerful)

PHP form validation w/ regexes

$state = $_REQUEST["state"];
if (!preg_match("/^[A-Z]{2}$/", $state)) {
	print "Error, invalid state submitted.";

Basic regular expressions


Wildcards: .

Special characters: |, (), \

Quantifiers: *, +, ?

More quantifiers: {min,max}

Anchors: ^ and $

Character sets: []

Character ranges: [start-end]

Escape sequences

Regular expression PHP example

# replace vowels with stars
$str = "the quick    brown        fox";

$str = preg_replace("/[aeiou]/", "*", $str);
                         # "th* q**ck    br*wn        f*x"

# break apart into words
$words = preg_split("/[ ]+/", $str);
                         # ("th*", "q**ck", "br*wn", "f*x")

# capitalize words that had 2+ consecutive vowels
for ($i = 0; $i < count($words); $i++) {
	if (preg_match("/\\*{2,}/", $words[$i])) {
		$words[$i] = strtoupper($words[$i]);
}                        # ("th*", "Q**CK", "br*wn", "f*x")

Regular expressions in JavaScript

Replacing text with regular expressions

15.4: SQL Injection

SQL injection


a flaw where the user is able to inject arbitrary SQL into your query

A SQL injection attack

Too true...

bobby tables xkcd comic

Securing against SQL injection

quote returns a SQL-escaped version of a string
$username = $db->quote($_POST["username"]);
$password = $db->quote($_POST["password"]);
$query = "SELECT name, ssn, dob FROM users
WHERE username = $username AND password = $password";

15.5: Session-Based Attacks

Man-in-the-middle attack

man in the middle

when the attacker listens on your network and reads and/or modifies your data



Session hijacking


when the attacker gets a hold of your session ID and masquerades as you