Potential security threats

There are basically two groups of people that can attack your system:
- Hackers – with the intent to gain access to unauthorized data or disrupt the application
- Users – they may innocently enter wrong parameters in forms, which can have negative effects on a website or web application.
The following are the kinds of attacks that we need to look out for.
SQL Injection – This type of attack appends harmful code to SQL statements.
This is done using either user input forms or URLs that use variables. The injected code can:
- insert a condition that will always be true
- delete data from a table
- update data in a table
This type of attack is usually used to gain unauthorized access to an application.
Retrieve sensitive information such as cookie data
Redirect the user to a different URL.
Other threats include PHP code injection, shell injection, email injection, script source code disclosure, etc.

PHP Application Security Best Practices

Let's now look at some of the PHP security best practices that we must consider when developing our applications.
PHP strip_tags
The strip_tags function removes HTML, JavaScript or PHP tags from a string.
This function is useful when we have to protect our application against attacks such as cross-site scripting (XSS).

<?php
// The input contains a script tag; echoing it unchanged lets the browser execute it.
$user_input = "Your site rocks <script>alert('Your site sucks!');</script>";
echo $user_input;
Let’s now secure our application from such attacks using strip_tags function.
<?php
// strip_tags removes the <script> element, so only the text between the tags remains.
echo strip_tags($user_input);

PHP filter_var function
The filter_var function is used to validate and sanitize data.
Validation checks if the data is of the right type. A numeric validation check on a string returns a false result.
Sanitization is removing illegal characters from a string.
See the PHP manual entry for filter_var for the complete reference.
The example below uses the filter_var function with the FILTER_SANITIZE_STRIPPED constant to strip tags. Note that FILTER_SANITIZE_STRIPPED is an alias of FILTER_SANITIZE_STRING, and both are deprecated as of PHP 8.1; on current PHP versions, escape output with htmlspecialchars() instead.

<?php
echo filter_var($user_input, FILTER_SANITIZE_STRIPPED);

Output:

alert('Your site sucks!');

mysqli_real_escape_string function

This function is used to protect an application against SQL injection.
Let’s suppose that we have the following SQL statement for validating the user id and password.
SELECT uid,pwd,role FROM users WHERE uid = 'admin' AND password = 'pass';

A malicious user can enter the following code in the user id text box:

' OR 1 = 1 --

and 1234 in the password text box. Let's code the authentication module:

<?php
$uid = "' OR 1 = 1 -- ";
$pwd = "1234";
$sql = "SELECT uid,pwd,role FROM users WHERE uid = '$uid' AND password = '$pwd';";
echo $sql;

The end result will be:

SELECT uid,pwd,role FROM users WHERE uid = '' OR 1 = 1 -- ' AND password = '1234';

HERE,
"SELECT * FROM users WHERE user_id = ''" tests for an empty user id
"' OR 1 = 1" is a condition that will always be true
Everything after -- is treated as an SQL comment, so the password check is discarded entirely.
The above query will return all the users.

Let's now use the mysqli_real_escape_string function to secure our login module.
<?php
// mysqli_real_escape_string needs an open connection as its first argument
// (the connection details below are placeholders).
$db = mysqli_connect("localhost", "db_user", "db_password", "db_name");
$uid = mysqli_real_escape_string($db, "' OR 1 = 1 -- ");
$pwd = mysqli_real_escape_string($db, "1234");
$sql = "SELECT uid,pwd,role FROM users WHERE uid = '$uid' AND password = '$pwd';";
echo $sql;

The above code will output:

SELECT uid,pwd,role FROM users WHERE uid = '\' OR 1 = 1 -- ' AND password = '1234';

The single quote in the input is now escaped, so the database treats the whole input as a literal user id rather than as part of the SQL syntax.

PHP md5 and PHP sha1

Md5 is the acronym for Message Digest 5 and sha1 is the acronym for Secure Hash Algorithm 1.
They are both hash functions: each turns a string into a fixed-length digest.
Once a string has been hashed, recovering it from the digest is impractical.
Md5 and sha1 are very useful when storing passwords in the database. Note, though, that both are fast, unsalted hashes; for new code, PHP's password_hash() is the recommended way to store passwords.
The code below shows the implementation of md5 and sha1:

<?php
echo "MD5 Hash: " . md5("password") . "\n";
echo "SHA1 Hash: " . sha1("password") . "\n";

Assuming you have saved the file in the phptuts folder, browse to its URL.
As you can see from the above hashes, if an attacker gained access to your database, they still would not see the passwords needed to log in.
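As an added example that is not part of the original tutorial, here is the login module from the mysqli_real_escape_string section rebuilt with the two techniques a practitioner would reach for today: a parameterised query instead of string escaping, and a password_hash() digest instead of an md5/sha1 hash for the stored credential (the md5/sha1 section above). It assumes PHP with the pdo_sqlite extension so it runs offline against an in-memory database (the tutorial itself uses mysqli), and the account and credentials in it are constructed.

```php
<?php
// Added example, not code from the original tutorial. The login module is rebuilt
// with PDO on an in-memory SQLite database so it runs offline (the tutorial uses
// mysqli). Two deliberate changes: the query is parameterised with prepare()/execute()
// instead of escaping, and the stored credential is a password_hash() digest, which
// PHP recommends over md5()/sha1() for passwords. Account details are constructed.

function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE users (uid TEXT PRIMARY KEY, pwd_hash TEXT, role TEXT)");
    // Only the hash of the password is stored, never the password itself.
    $ins = $db->prepare("INSERT INTO users (uid, pwd_hash, role) VALUES (?, ?, ?)");
    $ins->execute(['admin', password_hash('pass', PASSWORD_DEFAULT), 'admin']);
    return $db;
}

// Vulnerable form: the user id is concatenated into the SQL text, as in the
// tutorial's first version. It returns the matched rows so the effect is visible.
function lookup_concat(PDO $db, string $uid): array {
    $sql = "SELECT uid, role FROM users WHERE uid = '$uid'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: a placeholder keeps the input out of the SQL text, and the
// password is checked against the stored hash in PHP, not inside the query.
function login(PDO $db, string $uid, string $pwd): ?string {
    $stmt = $db->prepare("SELECT pwd_hash, role FROM users WHERE uid = ?");
    $stmt->execute([$uid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pwd, $row['pwd_hash'])) {
        return null;            // unknown user or wrong password
    }
    return $row['role'];        // authenticated: return the account's role
}

$db = make_db();
$injected = "' OR 1 = 1 -- ";   // the tutorial's malicious user id

// Concatenated: the -- comment swallows the rest of the WHERE clause, so every row matches.
echo "rows matched by concatenated query: " . count(lookup_concat($db, $injected)) . "\n";
// Parameterised: the same string is just an unknown user id, so login fails (null).
var_dump(login($db, $injected, '1234'));
// Legitimate credentials still authenticate and yield the role.
var_dump(login($db, 'admin', 'pass'));
```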
Summary
Security refers to measures put in place to protect an application from accidental and malicious attacks.
The filter_var function validates and sanitizes input data.
mysqli_real_escape_string is used to sanitize values placed in SQL statements. It escapes the characters that would otherwise alter the statement's structure.
Both MD5 and SHA1 are used to hash passwords.