Top 4 PHP Mistakes
In the process of developing sukip, we have made a lot of mistakes and learned from them. Here is a list of some of the most common mistakes PHP developers make:
1. Not Escaping Entities
ALL untrusted input (especially user input from forms) must be sanitized before it is displayed.
echo $_GET['username'];
Can for instance output:
<script>/* cookie-snooping or admin-password-changing script */</script>
It is an obvious security risk not to sanitize untrusted data before output. Besides, you might end up with pages looking very messy if you do not treat user input the right way.
How to fix it:
Basically you need to convert <, >, ' and " to their proper entities (&lt;, &gt;, &#039; and &quot;); htmlspecialchars() also converts & to &amp; so that entities supplied by the user are not interpreted. The functions htmlspecialchars() and htmlentities() do the work.
So here is the right way:
echo htmlspecialchars($_GET['username'], ENT_QUOTES);
Countless scripts on the internet carry this problem.
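As an added example (not code from the original post), here is a small escaping helper and a demonstration of what it does to hostile-looking input, including the form-attribute case, which is where ENT_QUOTES matters. The helper name e() and the sample username are assumptions made for this illustration.

```php
<?php
// Added example (not from the original post): an output-escaping helper and a
// demonstration of its effect on constructed, hostile-looking input.

/**
 * Escape a string for insertion into HTML text or into a quoted attribute.
 * ENT_QUOTES converts both ' and " so the result is safe inside single- or
 * double-quoted attributes; 'UTF-8' keeps multibyte text intact.
 */
function e($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input, standing in for $_GET['username'].
$username = '<script>/* hostile */</script> "O\'Brien" & Co';

// Unsafe: raw output (this is the mistake described in the post).
// echo $username;

// Safe in element content:
echo '<p>Hello, ' . e($username) . "</p>\n";
// Output: <p>Hello, &lt;script&gt;/* hostile */&lt;/script&gt; &quot;O&#039;Brien&quot; &amp; Co</p>

// Safe when re-populating a form field. Without ENT_QUOTES a " in the value
// would close the attribute early; with it the browser shows the text verbatim.
echo '<input type="text" name="username" value="' . e($username) . "\">\n";

// & is converted too: otherwise a user-supplied "&lt;" would be rendered as "<",
// which is why the helper is applied exactly once, at output, on raw data.
```

Use the helper at every point where untrusted data reaches HTML, and nowhere earlier: escaping at storage time is what leads to the double-escaping problem described further down.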
2. Not Escaping SQL input
When querying your database, always make sure untrusted data gets escaped, else your application will be vulnerable to SQL injection and unreliable. Some coders think they have covered this problem by having magic_quotes on in their php.ini. The problem is that untrusted input can come from other sources than $_GET, $_POST and $_COOKIE (crawling other websites, or using input from the database). And what happens if magic_quotes is suddenly set to OFF?
How to fix it:
I recommend setting magic_quotes to off in php.ini or via .htaccess, and then using mysql_real_escape_string() on all variables used in SQL expressions.
<?php
$sql = "UPDATE users SET
    name='" . mysql_real_escape_string($name) . "'
    WHERE id='" . mysql_real_escape_string($id) . "'";
mysql_query($sql);
?>
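The mysql_* functions used above were removed in PHP 7. As an added example (not code from the original post), the same UPDATE is shown here with PDO prepared statements, a swapped-in technique in which the driver keeps data separate from SQL, so neither manual escaping nor magic_quotes is involved. The DSN, credentials, table layout and the renameUser() function are assumptions for this illustration.

```php
<?php
// Added example (not from the original post): the post's UPDATE rewritten with
// PDO prepared statements. DSN and credentials are placeholders.

$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',
    'app_user',
    'PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly, not silently
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
    ]
);

/**
 * Rename a user. $name is untrusted text; $id is untrusted and must be an integer.
 * Returns the number of rows changed.
 */
function renameUser(PDO $pdo, $id, $name)
{
    // Check the type before anything reaches the query: a non-numeric id is
    // rejected outright instead of being coerced or quoted as a string.
    if (!ctype_digit((string) $id)) {
        throw new InvalidArgumentException('id must be a positive integer');
    }

    $stmt = $pdo->prepare('UPDATE users SET name = :name WHERE id = :id');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();

    return $stmt->rowCount();
}

// Constructed input: the apostrophe and the comment marker are stored as data,
// because the statement text was fixed before the values were supplied.
$changed = renameUser($pdo, '42', "O'Brien' -- ");
echo $changed . " row(s) updated\n";
```

The input arrives raw and stays raw all the way to the bound parameter; the only transformation is the integer check on the id. That is the property the post is asking for in both section 2 and section 4: escape (or, here, bind) once, at the sink.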
3. No or little use of Object Orientation
Too many systems I have seen and worked with have this problem: they simply do not have any object orientation. Yes, objects and classes are abstract to a beginner, but if for instance you build a shop system without being object oriented, the source code will become unmaintainable as it grows in age and size. PHP has supported basic object orientation since PHP4, and since PHP5 a lot more and a lot better, so we should be using it.
4. Double escaping quotes
Have you ever seen a web page display text with \' or \" in it? It usually happens when a script is written for magic_quotes off (php.ini) and is deployed on a site with magic_quotes on. First PHP runs addslashes() on all GET, POST and COOKIE data, then the script does it one more time when the data is being stored.
Original text:
It's a string
After magic quotes on script start:
It\'s a string
After the second addslashes() when storing:
It\\'s a string
HTML output:
It\'s a string
Another scenario that makes this occur is when a user tries to sign up and inputs invalid data: the user is then presented with the same form again, this time with the input escaped, and when the user posts the form a second time with valid data, the input is escaped once more.
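As an added example (not code from the original post), the following normalises magic_quotes_gpc away once at request start, so the rest of the script always sees raw input and escapes exactly once at each sink; it then traces the "It's a string" value from the post through the form re-display and the store. The function names stripslashesDeep() and storeTitle(), the posts table and the DSN are assumptions for this illustration.

```php
<?php
// Added example (not from the original post): undo magic_quotes_gpc once, at
// request start, then escape only at the sinks. get_magic_quotes_gpc() exists
// only up to PHP 7.4 (and returns false from 5.4 on), hence the guard.

function stripslashesDeep($value)
{
    return is_array($value) ? array_map('stripslashesDeep', $value) : stripslashes($value);
}

if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = stripslashesDeep($_GET);
    $_POST   = stripslashesDeep($_POST);
    $_COOKIE = stripslashesDeep($_COOKIE);
}

// Reproduce the post's trace with constructed input: what the browser sent,
// what $_POST holds with magic_quotes on, and what the script works with.
$sent  = "It's a string";
$magic = addslashes($sent);         // It\'s a string
$raw   = stripslashesDeep($magic);  // It's a string

// Sink 1: re-displaying the sign-up form after a validation failure. Escape for
// HTML only, from the RAW value, never from an addslashes()'d copy; posting this
// form back yields "It's a string" again instead of "It\'s a string".
echo '<input type="text" name="title" value="'
    . htmlspecialchars($raw, ENT_QUOTES, 'UTF-8') . "\">\n";
// Output: <input type="text" name="title" value="It&#039;s a string">

// Sink 2: storing it. A prepared statement adds nothing to the text, so the
// database holds exactly "It's a string" (placeholder DSN and credentials).
function storeTitle(PDO $pdo, $raw)
{
    $stmt = $pdo->prepare('INSERT INTO posts (title) VALUES (:title)');
    $stmt->bindValue(':title', $raw, PDO::PARAM_STR);
    return $stmt->execute();
}

$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'PASSWORD_PLACEHOLDER');
storeTitle($pdo, $raw);

// If the old mysql_real_escape_string() must be used instead, call it on $raw,
// once, immediately before building the query string, and nowhere else.
```

The rule the trace illustrates: a value is escaped for a specific destination (HTML or SQL) at the moment it goes there, and the raw copy is the one that travels through the application.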