The document provides tips for good web programming habits related to password storage, input data validation, SQL injection prevention, cross-site scripting prevention, and preventing remote form posting. It recommends hashing passwords on the client side before sending to the server, purging and validating all input data with regular expressions, using PHP's mysqli_real_escape_string() to prevent SQL injection, stripping HTML tags from user input to prevent XSS attacks, and using tokens to validate form submissions and prevent remote form posting.

Good Web Programming Habits

Storing Passwords
Never store a password as clear text or in any form that can be decrypted. On the
client side, use a hash function in JavaScript to hash the password before it is
sent to the server. Think of the hash function as one-way encryption. You can get
JavaScript MD5 hash functions at this site. On the server side, use the crypt()
function to generate the one-way hash.

// crypt() needs an explicit salt; the "$6$" prefix selects SHA-512 crypt and
// random_bytes() supplies a fresh random salt for each password
$salt = '$6$' . bin2hex(random_bytes(8)) . '$';
$password = crypt('mypassword', $salt);
// store the hashed password in a file and compare the hashed version of the
// user input with this password; the stored hash carries its own salt, so
// passing it as the salt argument reproduces the same hash for the same input
$user_input = $_POST['password'] ?? '';
// hash_equals() compares in constant time and avoids PHP's loose == comparison
if (hash_equals($password, crypt($user_input, $password)))
{
echo "Password verified";
}
Do Not Trust Input Data
Input data will be coming in through forms. You will be doing two checks on the
input data - at the client side using JavaScript and on the server side using PHP.
Always have an upper limit on the amount of data that you are willing to accept.
This can be checked on the client side as well as on the server side. Impose which
characters are acceptable to you - such as alphanumeric - and check using regular
expressions.

$username = purge ($_POST['username']);

// remove every character that is not a letter, digit or underscore
function purge ($str)
{
$purged_str = preg_replace("/\W/", "", $str);
return $purged_str;
}
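The purge() function above silently drops unwanted characters. The following added example (not code from the original text) shows the other half of the advice, a length limit and an allowlist check that rejects bad input outright; the names validate_username and MAX_USERNAME_LEN and the sample inputs are assumptions made for the example.

```php
<?php
// Added example: length limit plus alphanumeric allowlist, rejecting instead of
// stripping. validate_username and MAX_USERNAME_LEN are names chosen here.
const MAX_USERNAME_LEN = 32;

function validate_username(string $str): ?string
{
    // Reject oversized input before running any regular expression on it.
    if (strlen($str) > MAX_USERNAME_LEN) {
        return null;
    }
    // Allowlist: letters, digits and underscore only, 3 to 32 characters.
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $str)) {
        return null;
    }
    return $str;
}

// Constructed sample inputs standing in for $_POST['username'].
$samples = ['alice_01', 'al', 'bob<script>', str_repeat('a', 40)];
foreach ($samples as $s) {
    $verdict = validate_username($s) === null ? 'rejected' : 'accepted';
    echo str_pad(substr($s, 0, 20), 22), $verdict, "\n";
}
```

Rejecting rather than purging means a user who typed a stray character sees an error instead of logging in under a name they did not choose; the same regular expression can be reused in the client-side JavaScript check the text mentions.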
Prevent SQL Injection
In a SQL Injection attack, a user sends data through a form that ends up running as
part of a SQL query on the database. Use PHP's built-in
mysqli_real_escape_string() function as a wrapper around any user input. This
function escapes characters in the string, so that special characters like single
and double quotes are passed in as data rather than interpreted by MySQL. This
should take care of SQL Injections if used judiciously.

// mysqli_connect() takes host, username, password, database name, then port
$link = mysqli_connect ($host, $user, $password, $database, $port);

// escape the form values using the open connection's character set;
// a different variable name keeps the form user from overwriting $user above
$form_user = mysqli_real_escape_string ($link, $_POST['user']);
$form_pwd = mysqli_real_escape_string ($link, $_POST['pwd']);
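The escaped value only protects you when it is placed inside quotes in the SQL text. The following added example (not from the original text) shows that usage, and then the same lookup as a prepared statement, which goes beyond what the text describes; the connection details, table and column names are placeholders.

```php
<?php
// Added example: escaping is only effective inside a quoted literal. The
// connection values, the users table and its columns are placeholders.
$link = mysqli_connect('localhost', 'dbuser', 'dbpass', 'appdb');
if ($link === false) {
    die('Connect error: ' . mysqli_connect_error());
}

$raw_user  = $_POST['user'] ?? '';
$form_user = mysqli_real_escape_string($link, $raw_user);

// Correct: the escaped value sits inside single quotes, so MySQL reads it as
// one string literal no matter which characters the user typed.
$sql    = "SELECT id FROM users WHERE username = '$form_user'";
$result = mysqli_query($link, $sql);

// Not protected: a bare value (no quotes) is parsed as SQL, and escaping does
// nothing for it. Validate numbers with (int) or a regex instead.
// $sql = "SELECT id FROM users WHERE id = " . mysqli_real_escape_string($link, $raw_id);

// Prepared statement: the value travels separately from the query text, so
// there is no escaping step to forget.
$stmt = mysqli_prepare($link, 'SELECT id FROM users WHERE username = ?');
mysqli_stmt_bind_param($stmt, 's', $raw_user);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $id);
while (mysqli_stmt_fetch($stmt)) {
    echo "matched user id $id\n";
}
mysqli_stmt_close($stmt);
```

The escaped value must also not be used to build identifiers (table or column names) or LIMIT clauses; restrict those to a fixed list of allowed values in PHP before they reach the query.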
Cross-site Scripting (XSS)
A cross-site scripting attack allows a malicious user to enter information in a
form that is then delivered as client-side script to other users' browsers. Alice
has joined an online dating service. In the section "Describe Your Ideal Date" she
posts her answer and a short script that is enclosed within the script tags. When
Bob visits her profile, the script does not show up in his browser, but it runs on
Bob's machine. This script then sends an e-mail to Alice with Bob's real name and
e-mail address, and his session cookie.

If you are accepting user input, such as comments to a guestbook, that other users
will then view, be sure to strip anything wrapped in HTML tags. There are several
PHP functions that help here - strip_tags() removes the tags and htmlentities()
encodes them so the browser displays them as text.

$comment = strip_tags ($_POST['comments']);

// now store in file or database

// when displaying that comment on someone else's browser, encode it so the
// browser shows it as text rather than interpreting it as HTML
echo (htmlentities($comment));
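Where the comment ends up in the page matters: inside an attribute, a quote character is enough to break out even after strip_tags() has removed every tag. The following added example (not from the original text) encodes both a text node and an attribute with ENT_QUOTES; render_comment and the sample strings are constructed for the example.

```php
<?php
// Added example: encode on output for the context the value lands in.
// render_comment and the sample inputs are constructed for this illustration.
function render_comment(string $comment, string $author): string
{
    // ENT_QUOTES encodes both ' and ", which matters inside attributes.
    $safe_text   = htmlentities($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $safe_author = htmlentities($author, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<div class=\"comment\" data-author=\"$safe_author\">$safe_text</div>";
}

// Constructed input as it might arrive in $_POST.
$raw_comment = 'Great site <script>alert(1)</script>';
$raw_author  = 'o\'brien" onmouseover="x';

// strip_tags() on input removes the <script> tags but keeps the text between them.
$comment = strip_tags($raw_comment);          // "Great site alert(1)"

// Without ENT_QUOTES the author string would close the data-author attribute
// and the rest would be parsed as a new attribute; with it, the quotes become
// &quot; and &#039; and stay inside the attribute value.
echo render_comment($comment, $raw_author), "\n";
// <div class="comment" data-author="o&#039;brien&quot; onmouseover=&quot;x">Great site alert(1)</div>
```

Store the comment as the user typed it (after strip_tags() if you want tags gone) and encode every time you print it; encoding at display time is what stops the browser from running whatever slipped through the input filter.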
Remote Form Posting
Anyone can visit a Web site, use File->Save As in his browser and make a local copy
of the form. He can then change the action parameter to point to the fully
qualified URL, make any changes to the form he likes and click the Submit button.
The server will accept this form data as legitimate.

To handle remote form posting, generate a token based on a random string and a
timestamp, and place that token both in a Session variable and in the form as a
hidden field. Once the form is submitted, check that the two tokens match. The
token changes each time the form is created, so a would-be attacker cannot make a
permanent copy of the Web form to post unwanted requests to your application.
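The token scheme described above, as an added example that is not part of the original text: the token is drawn from random_bytes(), the timestamp is kept alongside it so stale tokens expire, and hash_equals() does the comparison. The function names, the 15-minute lifetime and the form fields are assumptions made for the example.

```php
<?php
// Added example: per-form token stored in the session and checked on submit.
// issue_form_token, check_form_token and the 900-second lifetime are chosen here.
session_start();

function issue_form_token(): string
{
    // random_bytes() gives an unpredictable token; the timestamp lets it expire.
    $token = bin2hex(random_bytes(16));
    $_SESSION['form_token']      = $token;
    $_SESSION['form_token_time'] = time();
    return $token;
}

function check_form_token(?string $submitted, int $max_age = 900): bool
{
    if ($submitted === null || empty($_SESSION['form_token'])) {
        return false;
    }
    $fresh = (time() - ($_SESSION['form_token_time'] ?? 0)) <= $max_age;
    // hash_equals() compares in constant time; argument order is (known, user).
    $match = hash_equals($_SESSION['form_token'], $submitted);
    // One-time use: drop the token whether or not the check passed.
    unset($_SESSION['form_token'], $_SESSION['form_token_time']);
    return $fresh && $match;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!check_form_token($_POST['token'] ?? null)) {
        http_response_code(403);
        exit('Form token missing, expired or invalid');
    }
    echo 'Form accepted';
} else {
    // Embed the token in the form; a saved copy of this page carries a token
    // that no longer matches the session once the form has been used or expired.
    $token = htmlspecialchars(issue_form_token(), ENT_QUOTES, 'UTF-8');
    echo '<form method="post" action="">'
       . '<input type="hidden" name="token" value="' . $token . '">'
       . '<input type="text" name="comments">'
       . '<button type="submit">Submit</button>'
       . '</form>';
}
```

Because the token lives in the server-side session, a copy of the form saved to disk only works for the session that issued it, and only until that token is consumed or expires; the check runs before any of the other input is looked at.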
