After logging a user into your system you should invalidate the previous session identifier so an attacker doesn't get the chance to reuse an authenticated session id. In PHP the PHPSESSID cookie is our session identifier, and it should be changed after logging in. It's as easy as calling session_regenerate_id(), which will change your PHPSESSID to a different value.
If you don't change the session identifier, an attacker may try to set the user's PHPSESSID cookie to a value they already know; once the user authenticates under that id, the attacker can perform any action your application allows for authenticated users.
With many IBM i developers new to PHP, SQL and the web environment, it's important to cover a common mistake people make: concatenating a value from $_REQUEST, $_GET or $_POST into their SQL statement string. This opens up the possibility of SQL injection, which allows someone to retrieve other data, bypass certain logic by making the statement always true, or worse (dropping a table, altering data, anything you can do in SQL). Below is how you can use a prepared SQL statement to safely execute SQL.
Below is an example of how to prevent cross-site request forgery in PHP. Basically you create a form token tied to the user's session. When the form is submitted we verify that they have a token and that it's the token we issued to the user. If it's not, we don't process the form and echo out an error message.
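The token flow described above, written out as an added example (this is not the original post's code). It assumes the form POSTs back to the same script, a hidden field named csrf_token, and a session key of the same name; both names are assumptions.

```php
<?php
// Added example, not from the original post: a CSRF token tied to the PHP session.
// Assumed names: hidden field "csrf_token" and session key "csrf_token".

// Issue one token per session and keep it server-side.
function csrf_issue_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 random bytes from the CSPRNG -> 64 hex characters.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token with the one we issued. Untyped parameter on
// purpose: a request can send csrf_token[]=x, and we want false, not a TypeError.
// hash_equals() does a constant-time comparison so the token cannot be
// recovered byte-by-byte from response timing.
function csrf_verify_token($submitted): bool
{
    if (empty($_SESSION['csrf_token']) || !is_string($submitted) || $submitted === '') {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_verify_token($_POST['csrf_token'] ?? null)) {
        // No token, or a token we did not issue: refuse to process the form.
        http_response_code(403);
        echo 'Invalid form token; the request was not processed.';
        exit;
    }
    // Token is valid: handle the submitted form fields here.
    echo 'Form accepted.';
    exit;
}

// GET: render the form with the token embedded as a hidden field.
$token = htmlspecialchars(csrf_issue_token(), ENT_QUOTES, 'UTF-8');
echo '<form method="post" action="">'
   . '<input type="hidden" name="csrf_token" value="' . $token . '">'
   . '<input type="text" name="comment">'
   . '<button type="submit">Send</button>'
   . '</form>';
```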
So I tried deleting a file on the IFS, and the only permission a user needs is *OBJEXIST. So make sure you're not granting public or QTMHHTTP *OBJEXIST permission blindly, and lock down the $filename passed to unlink() to make sure you don't have someone deleting all your files.
To guard against UI redressing, clickjacking or XSS you can use the CSP HTTP header, which is supported by newer browsers. To block iframing of your site in most browsers you can use X-Frame-Options. Below is a PHP script to whitelist the various content sources that could otherwise be used in an attack. This stops http://evilapi.example.com from being loaded.
To apply this in PHP you would just include cspheader.php at the beginning of any script. Alternatively you could modify your Apache config (httpd.conf), restart the server, and every page served would carry this header. Thirdly, you could use a .htaccess file in the root directory of your website, and every file in it and in its child directories would use it. It all depends on how much access you have to your server and site.