ASPit - Totally ASP JSit - Totally JavaScript
Search PHPit

Use this textbox to search for articles on PHPit. Seperate keywords with a space.


PHP & Security: 3 Example Exploits

(Page 3 out of 3)

A CSRF (Cross-Site Request Forgery) attack is really unique and interesting attack, but very uncommon, probably because it's so hard to pull off as a hacker. A malicious website, run by the hacker, causes the user ("you") to load a URL (of a different website) in the background, which causes a change on the server. Because the URL is loaded in your browser, it has all the credentials you have. So if you were logged into the admin control panel of that website, and the URL pointed to a deleteall.php file, everything could be deleted.

Pretty much anything is possible using CSRF, and attackers could make your browser do anything using clever JavaScript. But it's extremely hard to get all the circumstances right, and it hardly ever happens. However, to see it in action, check demo 3. For this to work, you must use Google Search History and be logged into your account (see - even now it's already hard to pull off).

How do you protect against this exploit?
Protecting your scripts against CSRF attacks is extremely hard to do, and a really dedicated attacker will likely succeed anyway. But there are still steps you can take to make it harder.

First of all, make sure that any forms that change data (add/edit/delete) are POST only. GET requests should not be able to change anything.

Secondly, include a secret token with your forms, which also expire after a certain period of time. This will prevent almost any kind of CSRF attack, and is extremely different to counter.

Finally, don't worry too much about CSRF attacks. Although they are out there, it's likely you won't ever have to deal with it, and even so, it's an easy fix. If you're interested have a look on for more information about CSRF attacks.


In this article I've given you three examples of exploits that can be used to abuse your PHP scripts. These are a lot more exploits, and I'm willing to bet there are more than 100 ways to attack a PHP script. Security isn't easy, but it is a necessity. That's why it should be your top priority.

I hope I've shown you something new about security in PHP, and that your contact forms and view source scripts are now secure!

« Previous: Security Case #2 - View Source Scripts

One Response to “PHP & Security: 3 Example Exploits”

  1. timvw Says:

    I think you’re better off with to find out if the base path is really what you want it to be..

    Anyway, a lot of articles on php and security can be found at :)

Leave a Reply

About the author
Dennis Pallett is the main contributor to PHPit. He owns several websites, including ASPit and Chill2Music. He is currently still studying.
Article Index
  1. Introduction
  2. Security Case #2 - View Source Scripts
  3. Security Case #3 - CSRF Attacks
Bookmark Article
Download Article
Download this article as a PDF file