Updates from February, 2010

  • saif 7:39 pm on February 16, 2010
    Tags: CodeIgniter, PHP Security   

    Simple PHP Security in CodeIgniter 

    The web is now part of our daily life, and we can hardly think of our daily work without it. For both users and developers, security is a key question. In this post I would like to share some simple, common security points.

    • Cross Site Scripting (or XSS) is one of the most common application-layer web attacks. XSS commonly targets scripts embedded in a page which are executed on the client side (in the user's web browser) rather than on the server side. An XSS payload may arrive as ordinary user input. Suppose you put a <textarea> on your site to collect user input, but a malicious user submits something like this:

      <script type="text/javascript">
      window.location = 'http://example.com';
      </script>

      or it may be an unwanted JavaScript alert message, which is not expected. So you definitely want to prevent this type of attack. I'm going to show the solution here in CodeIgniter. CodeIgniter has its built-in Input class. The example is below:

      // Read the raw value submitted in the POST field 'UserInput'
      $data = $this->input->post('UserInput');
      // Run CodeIgniter's XSS filter over it; script tags and similar are replaced with [removed]
      $data_xss = $this->input->xss_clean($data);

      First you get the user input from the POST data, and then you pass that value to the function. If you print the final value, you will see that the JavaScript code has been replaced with [removed]. Now you can pass the value to a database query or do anything else with it.

    • Use htmlentities() for user input. It will convert all applicable characters to HTML entities, as below.

      $str = "A 'quote' is <b>bold</b>";
      // Outputs: A 'quote' is &lt;b&gt;bold&lt;/b&gt;
      echo htmlentities($str);
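    The two points above (filtering the script payload and entity-encoding user input) can be seen together in plain PHP, without CodeIgniter. The block below is an added example, not code from the original post or from the CodeIgniter project. The helper name `e()` and the three sample inputs are constructed for the demonstration, and it assumes PHP 5.4 or later so that `ENT_SUBSTITUTE` is available. It shows why the flags passed to the encoder matter: `ENT_COMPAT` (the default before PHP 8.1) leaves single quotes alone, which is fine in element text but lets a value break out of a single-quoted attribute, while `ENT_QUOTES` encodes both quote characters.

```php
<?php
// Added example (not from the original post): context-aware output encoding in plain PHP.
// Assumes PHP >= 5.4. All input values below are constructed for the demonstration.

/**
 * Encode a value for insertion into HTML element text or a quoted HTML attribute.
 * ENT_QUOTES encodes both ' and ", so the value cannot close a single- or
 * double-quoted attribute. ENT_SUBSTITUTE replaces invalid UTF-8 sequences with
 * U+FFFD instead of returning an empty string, which would silently drop the value.
 */
function e($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs: the payload quoted in the post, a value that tries to
// leave a single-quoted attribute, and the harmless string from the htmlentities() example.
$inputs = array(
    'script'    => '<script type="text/javascript">window.location = \'http://example.com\';</script>',
    'attribute' => "x' onmouseover='alert(1)",
    'plain'     => "A 'quote' is <b>bold</b>",
);

foreach ($inputs as $label => $raw) {
    echo "--- $label ---\n";

    // ENT_COMPAT encodes <, >, & and " but NOT the single quote, so the 'attribute'
    // sample is emitted unchanged and would terminate a single-quoted attribute.
    echo "htmlentities(ENT_COMPAT) : " . htmlentities($raw, ENT_COMPAT, 'UTF-8') . "\n";

    // e() encodes both quote characters, so the same value stays inside the attribute.
    echo "e() inside attribute     : <input value='" . e($raw) . "'>\n";

    // In element text the encoded <script> tag is displayed as literal text, never executed.
    echo "e() in element text      : <p>" . e($raw) . "</p>\n";
}
```

    Run it with `php` on the command line and compare the `attribute` lines: the `ENT_COMPAT` version still contains a bare `'`, the `e()` version contains `&#039;`. The general rule the example illustrates is to encode at output time, for the context the value lands in (text, attribute, URL, script), rather than relying only on an input filter such as `xss_clean()`; the two approaches complement each other.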

    Some useful links for best practices and security:

    Cheers, and always follow the best approach. 🙂

     
  • saif 10:52 am on February 3, 2010
    Tags: html, PHP, php in html   

    Execute PHP code within a html/htm file 

    When a web page is requested, the server checks two things: whether it is an html/htm file or a php/asp (etc.) file. The key point is the file extension, or file type. If it is a normal .html/.htm file, the server sends it directly to the browser. If it is php/asp (etc.), the server first executes the appropriate code before sending the result to the browser.

    Come to the point: now you need to add some PHP code to your existing HTML file, so what is the process?
    There are two ways that I know of and want to share with you:
    1. Rename the .html file to .php (the easiest way),
    2. Use an .htaccess file to allow PHP within the .html file.

    If you follow the first one, it's easy. But you may have incoming links or search engine rankings to preserve, or if you change the file type you may need to change a lot of code within your application. In that situation, use the second solution. 😉

    The way is:
    You need to add a command like the one below to your .htaccess file.
    For .html files:
    AddType application/x-httpd-php .html

    Or for .htm:
    AddType application/x-httpd-php .htm

    If you only plan on including PHP on one page, it is better to set it up this way:
    <Files myhome.html>
        AddType application/x-httpd-php .html
    </Files>

    Example:
    Now you can put a PHP script like the one below in your html file:

    <p id='php_cont'><?php echo "hi all"; ?></p>
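    As an added example (not from the original post), here is a complete .htaccess for the single-page case, with the directory-wide form shown commented out beside it. `myhome.html` is the file name used in the post; the directory layout and the use of mod_php are assumptions. The reason to prefer the narrow form is that a directory-wide AddType makes every .html file the server can read under that directory executable as PHP, including any .html file written there by an upload or editing feature, so PHP should be enabled only for the pages that actually need it.

```apache
# Added example: enable PHP for one page only, not for every .html file.
# Assumes mod_php is loaded and that .htaccess overrides are allowed for this directory.

# Directory-wide form from the post. Avoid it in a directory that can also hold
# .html files you did not write (for example uploaded or user-edited content),
# because each of them would then be executed as PHP when requested.
# AddType application/x-httpd-php .html

# Narrow form: only myhome.html is handed to the PHP engine; every other .html
# file in this directory is still served as static HTML.
<Files "myhome.html">
    AddType application/x-httpd-php .html
</Files>
```

    Keep any directives already present in the file; this block is appended to an existing .htaccess, not used to replace it.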

    N.B. Always be careful with your .htaccess file. If you already have one, just add the above command to the file, don't replace all of it. For beginners: the .htaccess file will be in your root folder, where your application or project lives (e.g. http://localhost/myapp).

    That's all. For complete beginners it may be helpful, and I think this is a common question for them: 'How do I use PHP in an html file?'. Cheers 😉
