Your site is vulnerable to this kind of attacks if you are accepting data from the user. Hackers can send malicious data to get into your web application and access its database.
Here are some tips to make it harder for hackers to penetrate your web applications.
1. Always filter, escape, format, sanitize, or validate any User Input
Only accept any user input if it matches the expected format. Always check if the submitted data contains unwanted characters (‘<>?/!@#$%^&*()_+=-;) based on your set of rules. If you are expecting a text (user name), then you should verify that the submitted data only contains valid characters (Aa-Zz).
You might want to explore how to use “regex” to filter user input. This is very useful if you want to protect your application against SQL injection and cross site scripting. Check this post about bypassing XSS filters.
2. Learn how to Use Token to Authenticate Your Web Forms
The purpose of using token is to prevent hackers from cloning your web forms and use it to do malicious activities. With tokens, you can always validate if the web form was originally generated from your server. This will help to protect your web app against cross site forgery (csrf).
Google these terms: Token Synchronizer, anti CSRF
3. Set the Names of Input Fields Dynamically
You will make it more difficult for the hacker if you are going to set the names of your form fields dynamically on every request.
Instead of naming your form fields like this name=”email”, change it to something else like this name=”klmadqw” that is always randomly generated.
Check the sample picture above. Everything has a dynamic part.
*The action URL has a dynamic part. The hackers will have to figure out first where to send the request.
*It has a dynamic hidden field with an encrypted value. This will increase the authenticity of the form.
*The field name for email and password were both dynamically generated. Again, it will be harder for hackers to create fake request if they don’t know what to send.
With this kind of web forms where everything changes per request, it will be more difficult to perform some automated attacks to penetrate your system.
4. Always Encrypt Sensitive User Information
Find a way to encrypt sensitive user information specially the login information. Don’t show login credentials. Use different techniques to save and retrieve user information from the database. Google these terms: Encryption tools, Best hashing method, Password hashing with salt
5. Learn How to Use prepared statements in your SQL/MySQL Code
This is the best way to handle your database. The purpose of using prepared statements is to avoid executing SQL scripts if you forgot to sanitize or escape user input. Any inserted scripts along with the user data will not be recognized.
6. Always escape any Data Before you print/echo/output it to the User’s Browser.
If you want to avoid cross site scripting, make sure that you scape properly any data from the database before you sent it to the user’s browser. The purpose of escaping is to avoid running unwanted java scripts code that is embedded along with the data.
7. Use https instead of http
With SSL connection, all the data/information being received/transmit from the user is encrypted. This is very important if you are getting credit card information or other sensitive data from the user.
Short Tips :
Never trust the user. Always check and validate user input. Don’t rely on client side validation. Always do your final validation on the sever side. Don’t expose database variables. Encrypt sensitive information in your database. Read more how to prevent SQL injection, Cross Site Forgery, and Cross Site Scripting.
Always be updated. Check this site (https://www.owasp.org/) to learn more about web application security.