
SQL Injection and XSS

I attended a security workshop at SIUE where I learned about SQL injection (including second-order SQL injection) and cross-site scripting. I also learned about PHP query parameterization, though I don’t know much about PHP aside from that. I was able to perform SQL injection on a test lab someone set up. However, I went beyond the scope of the workshop and put JavaScript into the database, so that whenever someone viewed certain pages, they would be greeted with an alert box. I think you could classify that as unescaped input, or insecure database deserialization. Whenever that data got fetched from the database, it would run JavaScript in the visitor’s browser instead of just displaying it as text.

Whenever you build a website, and you’re doing full-stack development rather than just frontend customization on a CMS or managed hosting, you need a web application firewall, and you also need to test specifically against common attacks such as SQLi, XSS, and the other vulnerability classes documented by OWASP. It’s good to be security-conscious when you’re developing software: developers are your first line of defense.
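As an added example (not code from the workshop or this post), here is a vulnerable PHP comment handler next to a hardened one that uses PDO prepared statements for the query and `htmlspecialchars` at output time, covering both the injection and the stored-script behaviour described above; the `comments` table, the function names and the in-memory SQLite database are assumptions made for the demo.

```php
<?php
// Added example, not from the post. Assumes a PDO connection and a
// hypothetical `comments` table with a `body` column.

// --- Vulnerable form: string-built SQL and unescaped output --------------
function saveCommentVulnerable(PDO $pdo, string $body): void {
    // User input is concatenated straight into SQL: a quote in $body ends
    // the string literal and the rest is parsed as SQL.
    $pdo->exec("INSERT INTO comments (body) VALUES ('" . $body . "')");
}

function renderCommentsVulnerable(PDO $pdo): string {
    $html = '';
    foreach ($pdo->query("SELECT body FROM comments") as $row) {
        // Stored text is echoed as raw HTML, so a <script> tag stored in the
        // database runs in every visitor's browser instead of being shown.
        $html .= "<p>" . $row['body'] . "</p>\n";
    }
    return $html;
}

// --- Hardened form: parameterized query and output escaping --------------
function saveCommentSafe(PDO $pdo, string $body): void {
    // A prepared statement sends the SQL and the value separately; the
    // database never parses $body as part of the query text.
    $stmt = $pdo->prepare("INSERT INTO comments (body) VALUES (:body)");
    $stmt->execute([':body' => $body]);
}

function renderCommentsSafe(PDO $pdo): string {
    $html = '';
    foreach ($pdo->query("SELECT body FROM comments") as $row) {
        // Escaping at output time turns < > & " ' into entities, so stored
        // markup is displayed as text rather than interpreted by the browser.
        $html .= "<p>" . htmlspecialchars($row['body'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . "</p>\n";
    }
    return $html;
}

// Runnable demo against an in-memory SQLite database (constructed sample data).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)");

$payload = "<script>alert('xss')</script>"; // constructed stored-XSS sample
saveCommentSafe($pdo, $payload);          // apostrophe stored intact, not parsed as SQL
echo renderCommentsSafe($pdo);            // tag is displayed as text, not executed
```

Run it with the `pdo_sqlite` extension enabled; the printed `<p>` contains `&lt;script&gt;`, so the browser shows the tag as text.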