Learn about secure file upload methods, the importance of MIME types, using Fileinfo extension for file confirmation, preventing XSS attacks, and validation filters in PHP. Find out how to enhance security when handling file uploads.
Chapter 13 Security Methods Part 2
File Uploads • “one cannot be too mindful of security when it comes to handling them” • “it’s easy for a malicious user to trick the browser into providing a false MIME type.” • “A more reliable way of confirming a file’s type is to use the Fileinfo extension.”
Magic Bytes • GIF – GIF89a or GIF87a • PDF - %PDF
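The two slides above together describe the check a safe upload handler performs: ignore the MIME type the browser claims, ask the Fileinfo extension what the bytes actually are, and confirm the leading magic bytes. The following is an added example written for these notes; it is not Script 13.3 from the book or any file under ch13\. It assumes PHP 7.1 or later, an upload form field named "upload", and a storage directory outside the web root (both names are assumptions).

```php
<?php
// Added example (not the book's upload_rtf.php): confirm an upload's real type with the
// Fileinfo extension and the magic bytes from the slide, never with $_FILES[...]['type'].

// Allowed types: MIME type as reported by Fileinfo => acceptable leading bytes.
$allowed = [
    'image/gif'       => ['GIF87a', 'GIF89a'],
    'application/pdf' => ['%PDF'],
];

// Returns the confirmed MIME type, or null when the file is not an allowed type.
function confirm_upload_type(string $path, array $allowed): ?string
{
    // 1. Let Fileinfo classify the file by its content, not by the client's claim.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($path);
    if ($mime === false || !isset($allowed[$mime])) {
        return null;
    }

    // 2. Independently compare the first bytes with the expected signature.
    $head = file_get_contents($path, false, null, 0, 8);
    if ($head === false) {
        return null;
    }
    foreach ($allowed[$mime] as $magic) {
        if (strncmp($head, $magic, strlen($magic)) === 0) {
            return $mime;
        }
    }
    return null;
}

// Usage with a submitted form (field name "upload" is an assumption).
if (isset($_FILES['upload']) && $_FILES['upload']['error'] === UPLOAD_ERR_OK) {
    $tmp  = $_FILES['upload']['tmp_name'];
    // is_uploaded_file() guards against a path that did not come from this request.
    $type = is_uploaded_file($tmp) ? confirm_upload_type($tmp, $allowed) : null;

    if ($type === null) {
        echo 'The file is not an allowed type.';
    } else {
        // Store under a server-chosen random name, so the client's file name and
        // extension are never used on disk (directory is an assumption).
        $dest = '/var/uploads/' . bin2hex(random_bytes(16));
        if (move_uploaded_file($tmp, $dest)) {
            echo 'Stored a ' . htmlentities($type, ENT_QUOTES, 'UTF-8') . ' file.';
        }
    }
}
```

The Fileinfo result is the authoritative check; the magic-byte comparison is a second, cheaper test that also documents in the code which signatures the application expects. Discarding the original file name and extension removes the other common way an upload is later served or executed as something it should not be.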
upload_rtf.php • Script 13.3 on pages 415-6 • http://cscdb.nku.edu/csc301/frank/ch13/upload_rtf.php • ch13\upload_rtf.php • ch13\Assignment22.rtf • Why PHP Version 5.3.5?
xss.php • Script 13.4 on page 419 • http://cscdb.nku.edu/csc301/frank/ch13/xss.php • ch13\xss.php • Enter <script>alert("Ha!");</script>
XSS Attacks • It could create a pop-up window • Steal cookies • Redirect the browser to other sites.
htmlentities() • Turn problem characters into HTML entities (taken literally, with no special meaning) • & -> &amp; • " -> &quot; • < -> &lt; • > -> &gt;
strip_tags() • Removes all HTML and PHP tags
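To see the two functions side by side on the exact string the xss.php slide suggests typing, here is an added example for these notes (it is not the book's xss.php). The sample input is constructed; the rendering functions are hypothetical helpers, not part of any chapter script.

```php
<?php
// Added example, not the book's xss.php: echoing visitor-supplied text so that the
// <script> test from the slide is displayed by the browser instead of executed.

// Constructed sample input, identical to the string the slide suggests entering.
$comment = '<script>alert("Ha!");</script>';

// Vulnerable: the raw string becomes part of the page and the browser runs it.
function render_unsafe(string $text): string
{
    return "<p>$text</p>";
}

// Hardened: htmlentities() converts &, ", ', < and > to entities, which the browser
// shows literally. ENT_QUOTES also encodes single quotes, which matters inside attributes.
function render_safe(string $text): string
{
    return '<p>' . htmlentities($text, ENT_QUOTES, 'UTF-8') . '</p>';
}

// When no markup at all is wanted: strip_tags() removes the tags, but it leaves quotes
// and ampersands alone, so the remaining text is still encoded before output.
function render_text_only(string $text): string
{
    return '<p>' . htmlentities(strip_tags($text), ENT_QUOTES, 'UTF-8') . '</p>';
}

// Hardened form for an attribute value, where ENT_QUOTES is what stops a quote from
// closing the attribute early.
function render_as_value(string $text): string
{
    return '<input type="text" name="comment" value="'
        . htmlentities($text, ENT_QUOTES, 'UTF-8') . '">';
}

echo render_unsafe($comment), "\n";     // do not do this
echo render_safe($comment), "\n";
echo render_text_only($comment), "\n";
echo render_as_value($comment), "\n";
```

The usual rule is to encode at the point of output, with the function that matches where the text lands (element body or attribute), and to treat strip_tags() as a content-cleaning step rather than as the XSS defence by itself.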
calculator.php • Script 13.4 on pages 422-423 • http://cscdb.nku.edu/csc301/frank/ch13/calculator.php • ch13\calculator.php
filter_var() • if (filter_var($var, FILTER_VALIDATE_INT)) • if (filter_var($var, FILTER_VALIDATE_INT, array('options' => array('min_range' => 1, 'max_range' => 120)))) • The range keys must be nested under an 'options' key; passed as the top-level array they are ignored and any integer passes.
Validation Filters • FILTER_VALIDATE_EMAIL • FILTER_VALIDATE_FLOAT • FILTER_VALIDATE_INT • FILTER_VALIDATE_URL
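The filter_var() slide and the list of validation filters above describe one validation routine; the following added example (not the book's calculator.php) applies all four filters to a submitted form. The $_POST field names and the 1..120 age range are assumptions; it assumes PHP 7 or later for the ?? operator.

```php
<?php
// Added example, not the book's calculator.php: validating form fields with filter_var()
// and the four filters listed on the slide. Field names are assumptions.

// Returns the integer, or false when the value is not a whole number in 1..120.
// Note the 'options' wrapper: without it the range would silently be ignored.
function validate_age($value)
{
    return filter_var($value, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 120],
    ]);
}

// Validates a whole form and returns the cleaned values plus any error messages.
function validate_form(array $post): array
{
    $clean  = [];
    $errors = [];

    // Compare with === false: a valid "0" would be falsy, so a plain if() would reject it.
    $age = validate_age($post['age'] ?? '');
    if ($age === false) {
        $errors[] = 'Age must be a whole number from 1 to 120.';
    } else {
        $clean['age'] = $age;
    }

    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'Enter a valid e-mail address.';
    } else {
        $clean['email'] = $email;
    }

    // FILTER_VALIDATE_FLOAT accepts "3.5" and "1e3"; it rejects "3,5" and "abc".
    $amount = filter_var($post['amount'] ?? '', FILTER_VALIDATE_FLOAT);
    if ($amount === false) {
        $errors[] = 'Amount must be a number.';
    } else {
        $clean['amount'] = $amount;
    }

    // FILTER_VALIDATE_URL only checks the syntax; restrict the scheme separately if
    // the application will follow the link.
    $site = filter_var($post['site'] ?? '', FILTER_VALIDATE_URL);
    if ($site === false || !in_array(parse_url($site, PHP_URL_SCHEME), ['http', 'https'], true)) {
        $errors[] = 'Enter a valid http or https URL.';
    } else {
        $clean['site'] = $site;
    }

    return ['clean' => $clean, 'errors' => $errors];
}

// Constructed sample submission standing in for $_POST.
$sample = ['age' => '42', 'email' => 'user@example.com', 'amount' => '19.99', 'site' => 'https://example.com/'];
$result = validate_form($sample);
foreach ($result['errors'] as $msg) {
    echo htmlentities($msg, ENT_QUOTES, 'UTF-8'), "\n";
}
```

Validation with these filters confirms that a value has the shape the calculation expects; the values still need htmlentities() when they are echoed back, since a syntactically valid e-mail address or URL can contain characters that matter in HTML.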