We get a lot of questions about security–cross-site scripting attacks, DDoSs, SQL injection, how to deal with those, what those are– really kind of a big question. I could probably spend an entire book on this. I will do my best to answer it in this article.
Security is a really big concept. When I was originally doing the notes for this article, I really wanted to spend some time talking about a couple of major vulnerabilities, but I was getting the sense that it wouldn't fit in very well with the level of knowledge most of my readers have.
The first is XSS, or cross-site scripting. This happens when you accept data from a user and display it in your webpage without escaping it. Escaping data is essential for avoiding XSS attacks.
Say you had taken some data from a user and then you return it to the user in a text area, so the text area contains whatever the user typed in. Perhaps you're editing a blog entry, and this is the old blog entry. Now imagine that text area contains some HTML code, particularly a script tag. How would you protect your site? It is possible to put code in that text area that fetches all of your cookies or some other important information. A hacker could intercept that information and use it to hack your site. If I were to view that page in a browser, my information could be sent to the hacker.
The hacker could then look at that request, put my cookies in his browser, and then start browsing the site as me. This is the basis for cross-site scripting. If you escape your HTML, you don't have to worry about it.
There are cases, however, where you don't want to escape the HTML; a blog is one example. If you trust your users and you want them to be able to enter HTML, for example to put in links and that sort of thing, then you've got to think carefully: do I trust the user?
On Reddit, they use a piece of technology called Markdown, a simplified markup language that is good for letting users leave comments and that sort of thing.
It's got syntax for links and images, but not for arbitrary HTML. What they did was allow links and images and escape all other HTML. You defeat XSS attacks by escaping the HTML.
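To make the escaping rule concrete, here is an added example (not code from the original post): render_untrusted() escapes everything the user typed before it goes into a text area or the page body, and render_with_links() does what the Markdown approach above describes, escaping all HTML and then re-enabling only a simple [label](url) link syntax whose URL uses http or https. The link syntax and the allowed schemes are assumptions for this illustration.

```python
import html
import re
from urllib.parse import urlparse

# Added example code for this article, not from the original post.
# Assumed mini-syntax: [label](url) becomes a link; everything else is escaped.
LINK_RE = re.compile(r"\[([^\]]+)\]\(([^)\s]+)\)")
SAFE_SCHEMES = {"http", "https"}  # assumption: only web links are allowed


def render_untrusted(text: str) -> str:
    """Escape user text so it can be placed inside a textarea or page body.

    <, >, &, " and ' become entities, so a <script> tag is shown, not run.
    """
    return html.escape(text, quote=True)


def render_with_links(text: str) -> str:
    """Escape everything, then re-enable [label](url) links only.

    The label and the URL are escaped separately, and links whose scheme is
    not http(s) (e.g. javascript: or data:) are left as escaped plain text.
    """

    def make_link(match: "re.Match[str]") -> str:
        label, url = match.group(1), match.group(2)
        scheme = urlparse(url).scheme.lower()
        if scheme not in SAFE_SCHEMES:
            return html.escape(match.group(0), quote=True)
        return '<a href="%s">%s</a>' % (
            html.escape(url, quote=True),
            html.escape(label, quote=True),
        )

    out = []
    pos = 0
    # Escape the plain text between matches; convert only the matches.
    for match in LINK_RE.finditer(text):
        out.append(html.escape(text[pos:match.start()], quote=True))
        out.append(make_link(match))
        pos = match.end()
    out.append(html.escape(text[pos:], quote=True))
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample input standing in for an old blog entry.
    print(render_untrusted('<script>alert("x")</script>'))
    print(render_with_links("see [docs](https://example.com/?a=1&b=2)"))
```

The important design choice is that escaping is the default and the allowlist is the exception: the code never tries to find and strip bad tags, it escapes everything and reconstructs the few constructs it trusts from escaped pieces.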
SQL injection is another, similar type of attack. Assume you have a piece of SQL like select * from link where id = %s, where the %s gets filled in by string substitution from a form value. This is an example of why you shouldn't use %s in SQL statements: you need to carefully consider what happens when SQL ends up inside the values submitted through your forms.
To defeat this, make sure you're always using a wrapper around your SQL. There are many libraries available to help developers with this, and I strongly recommend using one of them, as they have thought of most everything. In order to scale properly, you need control over your SQL code.
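The difference between the %s pattern and a proper wrapper is easiest to see side by side. This is an added example, not code from the original post: lookup_unsafe() builds the query with string substitution exactly as the article warns against, and lookup_safe() passes the form value as a query parameter so the database driver never treats it as SQL. The table name follows the article's query; the rows are constructed sample data and sqlite3 is used only because it ships with Python.

```python
import sqlite3

# Added example code for this article, not from the original post.


def make_db() -> sqlite3.Connection:
    """Create an in-memory table named like the article's query, with sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE link (id INTEGER PRIMARY KEY, url TEXT)")
    conn.executemany(
        "INSERT INTO link (id, url) VALUES (?, ?)",
        [
            (1, "https://example.com/a"),  # constructed sample data
            (2, "https://example.com/b"),
            (3, "https://example.com/c"),
        ],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, user_id: str) -> list:
    """The article's anti-pattern: %s pastes the form value into the SQL text."""
    query = "SELECT id, url FROM link WHERE id = %s" % user_id
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> list:
    """Parameterized query: the value travels separately and is compared as data."""
    return conn.execute(
        "SELECT id, url FROM link WHERE id = ?", (user_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A normal form value behaves the same either way.
    print(lookup_unsafe(db, "2"), lookup_safe(db, "2"))
    # A value that contains SQL changes the query in the unsafe version only.
    crafted = "0 OR 1=1"
    print(len(lookup_unsafe(db, crafted)), "rows vs", len(lookup_safe(db, crafted)))
```

With the safe version the whole string "0 OR 1=1" is compared against the id column as one value and matches nothing; with the %s version it becomes part of the WHERE clause and every row comes back. Any library that gives you placeholders like the ? above is doing the "wrapper" the article recommends.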
Be sure to pay attention to how you set up the action value on your forms. Paying attention to how you code your forms is part of the proper technique for avoiding SQL injection.
You also need to include some secret in the page that renders the form, so that when some guy at badguy.com submits a form directly to this URL, he doesn't have the secret; the secret has to come along with the rest of the form data. That is the defense against CSRF, cross-site request forgery. It's a really fun attack, and you can find it on just about every website online.
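Here is what that secret looks like in practice, as an added example rather than code from the original post: the server generates a random token per user session, embeds it as a hidden field when it renders the form, and on submit refuses the POST unless the submitted value matches the one stored in the session. The session is a plain dict standing in for real server-side session storage, and the field name csrf_token is an assumption.

```python
import hmac
import secrets

# Added example code for this article, not from the original post.
# "session" is a dict standing in for per-user server-side session storage.
FIELD = "csrf_token"  # assumed name of the hidden form field


def issue_csrf_token(session: dict) -> str:
    """Create a fresh unguessable secret for this session and remember it."""
    token = secrets.token_urlsafe(32)
    session[FIELD] = token
    return token


def render_form(session: dict, action: str) -> str:
    """Render the edit form with the session's secret as a hidden field.

    A page at badguy.com can build a form that posts to the same action,
    but it cannot read this user's session, so it cannot know the token.
    """
    token = issue_csrf_token(session)
    return (
        '<form method="post" action="%s">'
        '<input type="hidden" name="%s" value="%s">'
        '<input type="text" name="title">'
        '<input type="submit">'
        "</form>"
    ) % (action, FIELD, token)


def verify_csrf(session: dict, form_data: dict) -> bool:
    """Accept the POST only if the submitted secret matches the session's secret."""
    expected = session.get(FIELD)
    submitted = form_data.get(FIELD, "")
    if not expected or not submitted:
        return False
    # Constant-time comparison so the check does not leak how many characters match.
    return hmac.compare_digest(expected, submitted)


if __name__ == "__main__":
    sess = {}
    print(render_form(sess, "/edit"))
    # A genuine submission carries the token back; a cross-site one does not.
    print(verify_csrf(sess, {FIELD: sess[FIELD], "title": "hello"}))
    print(verify_csrf(sess, {"title": "hello"}))
```

Because the token lives in the server-side session and is only ever written into pages this server renders for this user, a request that arrives without it (or with a guessed one) is rejected regardless of which site the form was submitted from.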
By taking the time to examine your code and being mindful of both XSS and SQL injection attacks, you can set up processes to avoid problems in the future. There is no excuse for being hacked by one of these two attacks other than laziness. When writing code, be diligent and avoid these types of attacks.