COMMON WEB VULNERABILITIES KATIKA PHP – NA EXAMPLES
Web applications zinaweza kuwa vulnerable kwa attacks mbalimbali ikiwa best practices za security hazitazingatiwa.
Common vulnerabilities ni pamoja na:
SQL Injection
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
File Upload Vulnerabilities
Insecure Password Storage
Session Hijacking / Session Fixation
⚙️ 2. Example 1: SQL Injection
<?php
// Vulnerable code
$username = $_POST['username'];
$password = $_POST['password'];
$sql = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$result = $conn->query($sql);
Problem: Attacker anaweza kuingiza input kama:
' OR '1'='1
Hii inaweza kuruhusu unauthorized login.
Solution: Use Prepared Statements na parameterized queries.
🧩 3. Example 2: XSS (Cross-Site Scripting)
<?php
// Display user comment
echo "<p>" . $_POST['comment'] . "</p>";
Problem: User anaweza inject script:
<script>alert('XSS')</script>
Script it executed in browser ya other users.
Solution: Use htmlspecialchars():
echo "<p>" . htmlspecialchars($_POST['comment'], ENT_QUOTES, 'UTF-8') . "</p>";
🛡️ 4. Example 3: CSRF
<form action="delete_account.php" method="POST">
<input type="hidden" name="user_id" value="123">
<button type="submit">Delete Account</button>
</form>
Problem: Attackers wanaweza force user ku-submit request isiyotarajiwa.
Solution: Use CSRF tokens kwa forms:
<input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token']; ?>">
⚙️ 5. Example 4: Insecure Password Storage
// Vulnerable code
$password = $_POST['password'];
$sql = "INSERT INTO users (username,password) VALUES ('$username','$password')";
Problem: Passwords zinahifadhiwa plain text.
Solution: Hash passwords using password_hash():
$hashed_password = password_hash($_POST['password'], PASSWORD_DEFAULT);
🔑 6. Best Practices
Always sanitize & validate input – prevent SQLi, XSS.
Use prepared statements – secure database queries.
Escape output – htmlspecialchars() for HTML.
Protect forms with CSRF tokens.
Hash passwords – never store plain text.
Secure file uploads – validate type, size, and rename files.
Use HTTPS – protect data in transit.
✅ 7. Hitimisho
Awareness of vulnerabilities ni step ya kwanza kwenye secure PHP development.
Combine prepared statements, input sanitization, CSRF tokens, password hashing, na HTTPS kwa maximum protection.
Regularly review OWASP Top 10 vulnerabilities kwa updated practices.
🔗 Tembelea:
Kwa mafunzo zaidi ya PHP, web security, na prevention ya vulnerabilities.
🚀 Unahitaji mfumo au website ya biashara?
Chagua huduma hapa chini kisha mteja bofya moja kwa moja kwenda kwenye ukurasa wa huduma au kuwasiliana nasi kwa WhatsApp.