Common Attacks and Fixes
1. SQL Injection
What is it? Untrusted input is concatenated into the text of a SQL statement, so the attacker's input is parsed as SQL rather than treated as data.
Example Attack:
// Vulnerable PHP code: the raw POST value is interpolated into the SQL text
$query = "SELECT * FROM users WHERE username = '{$_POST['user']}'";
$result = $pdo->query($query);
Fix:
// Use prepared statements (PHP/PDO): the value is sent as a bound parameter, never parsed as SQL
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = ?");
$stmt->execute([$_POST['user']]);
$user = $stmt->fetch(PDO::FETCH_ASSOC);
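The following is an added, runnable example that is not part of the original page. It seeds an in-memory SQLite database through PDO (the table and rows are constructed for illustration) and runs the same attacker-controlled input through both the string-built query and the prepared statement, so the difference is visible in the row counts. The function names findUserVulnerable and findUserSafe are assumptions made for this example.

```php
<?php
// Added example (not from the original page): contrasts the vulnerable string
// concatenation with a prepared statement, using an in-memory SQLite database
// so it runs offline. Table and row contents are constructed for illustration.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (username, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Vulnerable: user input is interpolated into the SQL text and parsed as SQL.
function findUserVulnerable(PDO $pdo, string $user): array
{
    $query = "SELECT username, role FROM users WHERE username = '$user'";
    return $pdo->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: user input travels as a bound parameter, never as SQL text.
function findUserSafe(PDO $pdo, string $user): array
{
    $stmt = $pdo->prepare('SELECT username, role FROM users WHERE username = ?');
    $stmt->execute([$user]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Simulated attacker input (constructed): closes the quoted literal and
// appends a tautology so the WHERE clause matches every row.
$payload = "' OR '1'='1";

printf("vulnerable query: %d row(s) returned\n", count(findUserVulnerable($pdo, $payload)));
printf("prepared statement: %d row(s) returned\n", count(findUserSafe($pdo, $payload)));
```

Run it with `php example.php`: the string-built query returns every user because the injected tautology is evaluated as SQL, while the prepared statement returns nothing because the payload is compared literally against the username column. Note that bound parameters cover values only; table names, column names and ORDER BY directions cannot be parameterized and must instead be checked against a fixed allowlist before being placed in the query text.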
2. Cross-Site Scripting (XSS)
What is it? Attacker-controlled input is written into a page without output encoding, so the victim's browser executes it as script running in the site's origin.
Example Attack:
Fix:
// Escape output for HTML body and attribute context (PHP); ENT_QUOTES also encodes single quotes
echo htmlspecialchars($user_input, ENT_QUOTES, 'UTF-8');
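The following is an added, runnable example that is not part of the original page. It renders the same untrusted value three ways: unescaped, escaped for HTML body and attribute context, and emitted into an inline script via a JSON literal, because HTML escaping is the wrong tool for a JavaScript context. The payloads and the helper names (esc, greetingVulnerable, greetingSafe, avatarPartial, avatarSafe, inlineScriptSafe) are constructed for this example.

```php
<?php
// Added example (not from the original page): the same untrusted value rendered
// without escaping, escaped for HTML body/attribute context, and escaped for a
// JavaScript context. Inputs are constructed to show why each context differs.
declare(strict_types=1);

// Escape for HTML body and quoted-attribute contexts.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable: the raw value becomes markup.
function greetingVulnerable(string $name): string
{
    return "<p>Hello, $name</p>";
}

// Fixed for HTML body context.
function greetingSafe(string $name): string
{
    return '<p>Hello, ' . esc($name) . '</p>';
}

// Attribute context without ENT_QUOTES: ENT_COMPAT (the default before PHP 8.1)
// leaves single quotes alone, so a single-quoted attribute can be closed early.
function avatarPartial(string $title): string
{
    return "<img src='/avatar.png' title='" . htmlspecialchars($title, ENT_COMPAT, 'UTF-8') . "'>";
}

// Attribute context with ENT_QUOTES: both quote characters are encoded.
function avatarSafe(string $title): string
{
    return "<img src='/avatar.png' title='" . esc($title) . "'>";
}

// JavaScript context: emit a JSON literal with the HEX flags so that <, >, &, '
// and " are written as \uXXXX escapes and a closing </script> cannot appear.
function inlineScriptSafe(string $value): string
{
    $js = json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
    return "<script>var user = $js;</script>";
}

// Constructed attacker inputs.
$scriptPayload = '<script>alert(document.cookie)</script>';
$attrPayload   = "x' onerror='alert(1)";
$jsPayload     = '</script><script>alert(1)</script>';

echo greetingVulnerable($scriptPayload), "\n";
echo greetingSafe($scriptPayload), "\n";
echo avatarPartial($attrPayload), "\n";
echo avatarSafe($attrPayload), "\n";
echo inlineScriptSafe($jsPayload), "\n";
```

Run it with `php example.php` and compare the five lines: the first contains a live script tag, the second shows it as encoded text, the third shows the single quote breaking out of the title attribute to add an onerror handler, the fourth keeps the whole payload inside the attribute, and the fifth shows the closing script tag written as `\u003C/script\u003E` so the browser's HTML parser never sees it. Choose the encoder by where the value lands (HTML body, attribute, JavaScript, URL, CSS); one function does not cover every context.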
Prevention Tips
- Use ORM libraries (e.g., Sequelize, Hibernate) for database queries; they parameterize values by default, but their raw-query and string-building escape hatches reintroduce the injection risk, so treat those the same way as hand-written SQL.
- Implement Content Security Policy (CSP) headers as a second layer behind output encoding:
Content-Security-Policy: default-src 'self';
This policy blocks inline scripts and inline event handlers as well as scripts from other origins, so the application's own scripts must live in files served from the same origin; adding 'unsafe-inline' to satisfy legacy code removes most of the XSS protection.
- Regularly scan for vulnerabilities with tools like OWASP ZAP.
Note: Always validate user input on the server side and encode it for the context in which it is output. Client-side validation improves usability but is not a security control, because an attacker sends requests without the browser's checks.