Home > PHP, Research, Security > 5 practical tips to secure your web applications

5 practical tips to secure your web applications

October 25th, 2007

security.jpgKeep these practical tips in mind when developing code for your web applications. Examples shown are written in PHP and can be implemented in any language.

  1. Prevent SQL Injection attacks
  2. Provide additional security with backend validations
  3. Validate Combo Box and List Box data
  4. Convert HTML code into its entity form
  5. Capture errors and show custom error page

1. Prevent SQL Injection attacks
SQL injection is a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a Web application for execution by a backend database. Attackers take advantage of the fact that programmers often chain together SQL commands with user-provided parameters, and can therefore embed SQL commands inside these parameters. The result is that the attacker can execute arbitrary SQL queries and/or commands on the backend database server through the Web applications.

Login Example:

This example assumes that the two fields to accept username and password are ‘usr’ and ‘pwd’ respectively. You would then use these variables inside a SQL query to validate if the user exists or not. Lets look how. Following is a PHP code (this example can be converted to any web scripting language)


$usr = $_POST[‘usr’]; // getting the usr variable from $_POST array
$pwd = $_POST[‘pwd’]; // getting the pwd variable from $_POST array

$sql = “SELECT id FROM users WHERE username = ‘” . $usr . “‘ AND password = ‘” . $pwd . “‘”;

$result = mysql_query($sql);

if(mysql_num_rows($result) == 0) {
//we did not find any records, redirecting user to login page
header(“Location: login.php”);

//if we reach here, this means that all is ok

… rest of the script


The above example can be hacked if the user enters the password as nothing’ OR 1 = 1

The SQL query thus formed will be:

SELECT id FROM users WHERE usr = ‘anything’ AND password = ‘nothing’ OR 1 = 1

When this query executes, it will fetch all records from the user table.


You should escape each variable before you feed it into the SQL query using , like below:

$sql = “SELECT id FROM users WHERE username = ‘” . addslashes($usr) . “‘ AND password = ‘” . addslashes($pwd) . “‘”;

addslashes() – adds escapes special characters including a single quote and double quote. Therefore the query above after using addslashes() will look like this:

SELECT id FROM users WHERE usr = ‘anything’ AND password = ‘nothing\’ OR 1 = 1

In the above example, look at the single quote that has been escaped i.e. ‘nothing\’. This happened because the additional single quote was passed by the user as data and hence got escaped before being sent to SQL. If you observe, this causes a SQL error.

2. Provide additional security with backend validations

Using JS validation is good as it saves user time and a round trip to the server if the data that user has entered is wrong. In addition to providing the front end JS validation, you should also provide for validations at your script level. For all you know the user disabled JS on his/her page and entered bad data.

The rule is, always validate data at the backend.

3. Validate Combo Box and List Box data
Are you asking why is this needed? Sounds stupid right? Why would you want to validate data that is coming off a combo box or a list box? Reason is very simple… you could receive bad data.

Lets take an example of a form with list of countries in a drop box. I could easily crack that script by writing a program that will post data to the form posing as a browser. If I could post data programmatically, I can also pass bad data for a drop box which is not part of the initial list.

4. Convert HTML code into its entity form
You should always encode content provided by users before display. A hacker could easily provide a JavaScript as content and allow other users to display it. If you have not converted HTML code to its entity form before you display it on the browser.

PHP Code:


echo htmlentities($data); //this will convert < to < and > to $gt, etc.


5. Capture errors and show custom error page
The reason why you should do this is because of two reasons:

a. It looks professional and the user is not lost with the dirty error string on screen.

b. Users don’t get to see sensitive data that could otherwise be exposed to the users. Just imagine if your database connection fails to connect, you would probably get a message stating that could not connect to the database with username and password. This one single error could give a lot of information to an attacker.

Categories: PHP, Research, Security Tags:
  1. October 25th, 2007 at 23:58 | #1

    Great ideas. Do you have any idea about how to bridge users from one database to another? I am trying to create a sql script that will bridge the users from one database to another. Thanks

  2. admin
    October 26th, 2007 at 09:05 | #2

    Hi Choudhruy,

    Thank you for the appreciation…

    I guess you are trying to either integrate two open source systems or your system with a open source system.

    This is what I do… you will have to extend the registration script on the main system that will create the user on the other system as well. For this you will have to understand the database architecture of the other sub-system and execute the DB INSERT statement.

    Let me know if you need help with specific open source systems.


Comments are closed.