Lesson 17

Writing Secure Code

One of the most important things you can learn about PHP and MySQL is how to prevent your code from being an easy target to those who are malicious. There is no way to make your code completely hack-proof, but you can go a long way to securing it by following certain practices. This is not an exhaustive lesson in all the ways that a hacker can get into your site, but it is the equivalent of keeping your car safe by removing your keys and locking your doors.

You might think that the chance of your site being hacked is slight, but remember that hackers can find your site and its vulnerabilities the same way that Google scans your site for search indexes.

In the first section of this lesson you learn what is meant by three common threats: cross-site scripting, cross-site request forgery, and SQL injection. You learn proper coding habits in the second part, which mitigate those and other threats.

Understanding Common Threats

Cross-site scripting (XSS), a type of code injection, embeds malicious code inside innocent code that is later output; for instance, when a user enters a search term it is usually displayed on the screen with the results. If, instead of an innocent word, the data entered were JavaScript, that code would be run when the search term was output to the screen. Hackers can install programs that track your keystrokes and track where you go.

Cross-site request forgeries (CSRF, XSRF) work by allowing an attacker to hijack a user's session ...

Get PHP and MySQL® 24-Hour Trainer now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.