Each website that the user inputs is a potential target for the attacker.
You think your app is too small or too new that is not reported, but the attackers use tools to scan the web for normal security errors.
If your site is online and has a login form, search box, or database, it is already being tested.
But here’s the good news: You do not need to be a cybercular expert to protect your app. You just need to understand how these attacks work and write a safe code.
Let’s go through the ten most common ways to break the hackers in web apps – and with clear examples, how to fix everyone.
Here’s what we will cover is:
SQL injection
Hackers exploit this when your app sends them directly sending the raw SQL command to your database. Here is an unprecedented example in PHP:
$sql = "SELECT * FROM users WHERE username="$username" AND password = '$password'";
If a user enters it as a username:
' OR 1=1 --
Question becomes:
SELECT * FROM users WHERE username = '' OR 1=1
It loots all users – because 1=1 Always true. This means that anyone can log in without knowing about the password.
This is called String buildingWhere the user’s input is inserted directly into the SQL command. It treats the input as a part of the code, not just data.
Correct: Use ready statements
Separate the code from the code made from the code. The SQL command is explained once, and user values ​​are approved separately – so they cannot break the logic.
The same queries using PDO with PDO is:
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = ? AND password = ?");
$stmt->execute(($username, $password));
This makes your code safe from SQL injection – even if the user tries to injure malicious input.
Cross Site Scripping (XSS)
We say your site shows comments. If someone posts it:
<script>alert('Gotcha!');script>
And your site shows it, as every visitor sees a popup. This is a basic XSS attack. A real attacker can do much worse than that – such as stealing sessions cookies or redirecting users to fake login pages.
Correct: Save what you show
Escape means to change the special characters < And > In harmless text.
In pHP:
echo htmlspecialchars($userInput, ENT_QUOTES, 'UTF-8');
In JavaScript, you can use libraries like Dum Pori:
const safeHTML = DOMPurify.sanitize(userInput);
Never trust the user’s input – especially when put it in your HTML.
Cross -site application forged (CSRF)
The CSRF has planned to make an unwanted application from the login user’s browser-without their knowledge.
How it works here: A user logs into your app and then visits a malicious site. This site contains the code:
<img src=" />
Since the user is already logged in, so his browser sends the request – with cookies and all. If your app does not test the CSRF, it assumes that the user wants to delete his account.
Correct: Use CSRF tokens
These are unique, secret values ​​that include forms:
<input type="hidden" name="csrf_token" value="abc123">
Your server has to check this token at each request. If it is missing or false, reject the request. Most framework (such as Lariuel or Jiango) automatically do this.
Broken or weak verification
If your login system is very easy, this is an easy target.
Normal error: Passwords store in simple text:
file_put_contents('users.txt', "$username:$password\n");
If this file is leaked, all user accounts are exposed.
Fix: Hash Passwords
$hash = password_hash($password, PASSWORD_DEFAULT);
And to check them later:
if (password_verify($password, $storedHash)) {
}
Other critical reforms:
Rate range login attempts: 5 Block or delay after failed attempts.
Add multi -factor verification (MFA): Send a time code via email or app.
Use strong password policies: Long passwords are required with a mixture of characters.
Each step brings force attacks tightening and protects consumer accounts.
Unsafe direct objection references (Idor)
Suppose your site has this URL:
/invoice?id=123
A hacker tries:
/invoice?id=124
Suddenly, they can see someone else’s invoice.
Correct: Confirm property
$stmt = $pdo->prepare("SELECT * FROM invoices WHERE id = ? AND user_id = ?");
$stmt->execute(($invoiceId, $loggedInUserId));
Login Always confirm the user that they own the data they are trying to access.
Security Invalid Configure
This refers to using unsafe default settings or forgetting to disable things that should not be common.
Examples include:
Leaving error messages in production (
display_errors = 1JesExposing Admin panels or debugs tools
Use of default passwords or outdated software
These are not bugs in your code – but they are equally dangerous.
Fix: Disable detailed error reports in production:
ini_set('display_errors', 0);
And save Admin Tolls with passwords, IP permits, or move them behind the VPN or private path.
Exposure to sensitive data
If you send user data to HTTP instead of HTTPS, anyone on the network can read it – such as passwords or credit card numbers.
Example of non -secure code:
file_put_contents('logs.txt', "User: $username, Password: $password");
If this log file has been exposed, all passwords are leaked.
Fixes:
Use HTTPS everywhere. Likes tools Let’s encrych Make it free and easy.
Never store the password in logs.
Encrypt sensitive data, especially if it is personally identified information (PII) or financial data.
Using old libraries
Most apps use external libraries. If anyone has a known danger, the attackers can exploit it – even if your code is perfect.
To save yourself:
- Regularly update dependence. in node.js:
npm audit fix
composer update
- Replace restless libraries with safe alternatives.
Broken access control
Some apps just try to control access by hiding the button on the UI.
Example: No user has been shown the “Delete Post” button – but they manually send a request like:
POST /delete-post?id=5
If the backbone does not examine the permission, the application is.
Fix: Implement Access Control at Basad
if ($user->role !== 'admin') {
http_response_code(403);
exit;
}
Do not rely on the front end to prevent operations. The server has to check every request and it has been confirmed that the user is allowed to take action.
No logging or supervision
If something is suspicious and you do not have the log, you will never know.
For example log in (in Lariol):
Log::info('User login', ('user_id' => $user->id));
Set alert for suspicious behavior – such as 100 failed login in 10 minutes. Use monitoring tools such as Monitor, Datodog, or Elk Stack to see your app in real time.
If you don’t track what is happening, you can’t stop it when matters go wrong.
Conclusion
Hackers do not need modern tools. Most just find for easy wins – uncontrollable form, simple text passwords, old libraries, or exposed admin areas.
If you follow the basics in this guide, you will stop 90 % of these attacks.
Today you don’t need to fix everything. Start with an item. User escape from input. Use https. Add CSRF protection. Each fix makes your app a little safer.
Want to get more information? Get strong basics in aggressive security Security Starter Chorus.