Security Basics for Web Developers

If you’re a web developer, there’s a good chance some of your code could be vulnerable. Unfortunately, if you haven’t had any security flaws, it is more than likely that you will run into some in the future. But most web developers don’t understand specific vulnerabilities in their code, generally SQL injections, as many do not know, or know very little SQL. We will be covering three different types of attacks, SQL injections, XSS (Cross-Site Scripting), and shell commands.

SQL Injections

SQL injections are one of the most common web attacks, and can range from a small inconvenience, to a massive security breach. However, all successful SQl injections should be taken seriously, as any seemingly small vulnerabilities have the possibility of becoming much more serious. The best way to stop SQL injections, is to not use SQL, but that is generally not an option. A good way to limit SQL injections for text: string mysqli::escape_string ( string $escapestr ). This escapes special characters in a string for use in an SQL statement. A way to protect integers would be intval(val_name). The intval() function is used to get the integer value of a variable.

Cross Site Scripting (XSS)

XSS is also an issue with a lot of websites. XSS attacks occur when an attacker uses a web application to send malicious code to a different end user. XSS attacks accounted for 84% of all security vulnerabilities documented by Symantec as of 2007. Ultimately, XSS is a type of injection very similar in nature to an SQL injection.

Like protecting against any code injection attack, the best defense is thorough and well-tested sanitization of any and all user input. For example: the filter_var() filters a variable with a specified filter, with  FILTER_SANITIZE_NUMBER_INT removing all characters except digits, plus and minus sign. See for more filter examples.

Protecting Shell Commands

Stopping shell commands, starting with: string escapeshellcmd ( string $command ), it escapes any characters in a string that might try to trick a shell command into executing commands. #&;`|*?~<>^()[]{}$\, \x0A and \xFF are all preceded by a backslash, while ‘ and “ are only escaped when not paired. In Windows, all and % are replaced by a space. This string should be used to escape any user input commands, before it’s handed off to exec() or system() functions, or the backtick operator. However, escapeshellcmd() does not block everything, it should be used on the whole command string, it still allows the attacker to pass arbitrary number of arguments.

To escape a single argument, you have: escapeshellarg(), which adds single quotes around a string and escapes any existing single quotes allowing you to pass a string directly to a shell function and having it be treated as a single safe argument. In Windows escapeshellarg() removes percent signs, replaces double quotes with spaces and adds double quotes around the string.

The best thing to remember, is there is no way to stop all web attacks, and there will always be new malicious attacks. The best way to prevent malicious attacks is to keep up with security news. If you feel like your network or site is vulnerable, hire a penetration tester. Feel free to do your own research, as this barely scratches the surface of defensive measures and attacks.