Knowledgebase
How can I secure my webscripts?
Posted by Sean Syed on 20 February 2013 06:29 PM

Scripts in languages such as PHP, Perl, Python, ASP and ASP.NET can present security problems. However, you can take a number of relatively simple steps to improve the security of the scripts you run.

The examples below are geared towards PHP. However, the principles apply to all web scripting.

 

You are responsible for what happens using your web space. We may suspend your account if an insecure script allows third-parties to misuse our servers.

 

Form to mail scripts

Form to mail scripts allow people to fill out a contact, or similar, form on your website. Whatever they enter is then emailed to you.

They are regularly used by spammers, who hijack your script to send unsolicited email. Through a few simple checks, you can ensure that your form to mail script is only used by your website and sends to the email address you choose.

Suggestion: You can prevent most illegitimate use of your form to mail scripts by checking the referrer string of the page calling your script, before processing it.

 
SQL injections

For example:

If you dynamically create SQL statements, using parameters passed from a web form or parameters in a URL, you might use something similar to the following pseudo-code:

SQL = "SELECT * FROM users WHERE name = '" + userName + "';"

 

You might expect the userName variable to be just that, a username.However, if the username comes from a script input, such as a form field, a malicious user could type the following:

a'; DROP TABLE users;

When the script is executed, the SQL statement would become:

SELECT * FROM users WHERE name = 'a'; DROP TABLE users;

 

When the SQL statement is run, it would drop the user table from the database. A mailicious user could do almost anything that your database user's permissions allow.

You should:

  • use your scripting language's escaping functionality

  • use SQL variables, rather than concatenating scripting variables to create the SQL statement

  • limit the database user's permissions to those needed by your application. 

(0 vote(s))
Helpful
Not helpful

Comments (0)
Post a new comment
 
 
Full Name:
Email:
Comments:
CAPTCHA Verification 
 
Please enter the text you see in the image into the textbox below (we use this to prevent automated submissions).