Web Programming Step by Step, 2nd Edition

Lecture 27: Web Security

Reading: 15.1 - 15.5

Except where otherwise noted, the contents of this document are Copyright 2012 Marty Stepp, Jessica Miller, and Victoria Kirst. All rights reserved. Any redistribution, reproduction, transmission, or storage of part or all of the contents in any form is prohibited without the author's expressed written permission.

Valid HTML5 Valid CSS

Our current view of security

group hug

The real world

orcs (dorks?)

Attackers' goals


Why would an attacker target my site?

Tools that attackers use


Assume that the attacker knows about web dev and has the same tools you have:

Some kinds of attacks


Information leakage

information leakage

when the attacker can look at data, files, etc. that he/she should not be allowed to see

Man-in-the-middle attack

man in the middle

when the attacker listens on your network and reads and/or modifies your data



Session hijacking


when the attacker gets a hold of your session ID and masquerades as you

HTML injection

a flaw where a user is able to inject arbitrary HTML content into your page


Injecting HTML content


Cross-site scripting (XSS)

a flaw where a user is able to inject and execute arbitrary JavaScript code in your page

8ball.php?question=<script type='text/javascript'>alert('pwned');</script>

Another XSS example


Securing against HTML injection / XSS

htmlspecialchars returns an HTML-escaped version of a string
$text = "<p>hi 2 u & me</p>";
$text = htmlspecialchars($text);   # "&lt;p&gt;hi 2 u &amp; me&lt;/p&gt;"

SQL injection


a flaw where the user is able to inject arbitrary SQL into your query

A SQL injection attack

Too true...

bobby tables xkcd comic

Securing against SQL injection

quote returns a SQL-escaped version of a string
$username = $db->quote($_POST["username"]);
$password = $db->quote($_POST["password"]);
$query = "SELECT name, ssn, dob FROM users
WHERE username = $username AND password = $password";

Practice problem: Hack turnin page

Breaking the turnin page