
Chapter 13

Chapter 13. Security Methods Part 2. File Uploads. “one cannot be too mindful of security when it comes to handling them” “it’s easy for a malicious user to trick the browser into providing a false MIME type.”


Presentation Transcript


  1. Chapter 13 Security Methods Part 2

  2. File Uploads • “one cannot be too mindful of security when it comes to handling them” • “it’s easy for a malicious user to trick the browser into providing a false MIME type.” • “A more reliable way of confirming a file’s type is to use the Fileinfo extension.”

  3. Magic Bytes • GIF – GIF89a or GIF87a • PDF – %PDF
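Added example (not from the slides or the textbook's scripts) combining slides 2 and 3: the browser-supplied `$_FILES[...]['type']` is ignored, and a file is accepted only when the Fileinfo extension and the file's own leading bytes agree on an allowed type. The form field name `upload` and the `../uploads/` directory are assumptions.

```php
<?php
// Allowed types, keyed by MIME type, with the magic-byte signatures from the slide.
$allowed = array(
    'image/gif'       => array('GIF87a', 'GIF89a'),
    'application/pdf' => array('%PDF'),
);

/**
 * Return the detected MIME type if Fileinfo and the file's leading bytes
 * both point to an allowed type; return false otherwise.
 */
function detect_upload_type($path, array $allowed)
{
    // 1. Ask Fileinfo (libmagic) for the MIME type based on file content,
    //    not on the name or the type the browser claimed.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($path);
    if (!isset($allowed[$mime])) {
        return false; // not a type we accept at all
    }

    // 2. Independently compare the first bytes with the known signature.
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return false;
    }
    $header = fread($fh, 8);
    fclose($fh);
    foreach ($allowed[$mime] as $magic) {
        if (strncmp($header, $magic, strlen($magic)) === 0) {
            return $mime; // Fileinfo and magic bytes agree
        }
    }
    return false; // content does not match the signature for that type
}

// Usage inside an upload handler (assumed field name "upload").
if (isset($_FILES['upload']) && is_uploaded_file($_FILES['upload']['tmp_name'])) {
    $type = detect_upload_type($_FILES['upload']['tmp_name'], $allowed);
    if ($type === false) {
        echo '<p class="error">Please upload a GIF image or a PDF document.</p>';
    } else {
        // Store under a server-generated name; never reuse the client's filename.
        $ext  = ($type === 'image/gif') ? '.gif' : '.pdf';
        $dest = '../uploads/' . uniqid('file_', true) . $ext;
        move_uploaded_file($_FILES['upload']['tmp_name'], $dest);
    }
}
```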

  4. upload_rtf.php • Script 13.3 on pages 415-6 • http://cscdb.nku.edu/csc301/frank/ch13/upload_rtf.php • ch13\upload_rtf.php • ch13\Assignment22.rtf • Why PHP Version 5.3.5?

  5. xss.php • Script 13.4 on page 419 • http://cscdb.nku.edu/csc301/frank/ch13/xss.php • ch13\xss.php • Enter <script>alert("Ha!");</script>

  6. XSS Attacks • It could create a pop-up window • Steal cookies • Redirect the browser to other sites.

  7. htmlentities() • Turns problem characters into HTML entities (taken literally, no special meaning) • & -> &amp; • " -> &quot; • < -> &lt; • > -> &gt;

  8. strip_tags() • Removes all HTML and PHP tags

  9. calculator.php • Script 13.4 on pages 422-423 • http://cscdb.nku.edu/csc301/frank/ch13/calculator.php • ch13\calculator.php

  10. filter_var() • if (filter_var($var, FILTER_VALIDATE_INT)) • if (filter_var($var, FILTER_VALIDATE_INT, array('min_range' => 1, 'max_range' => 120)))

  11. Validation Filters • FILTER_VALIDATE_EMAIL • FILTER_VALIDATE_FLOAT • FILTER_VALIDATE_INT • FILTER_VALIDATE_URL
