Welcome to Security and Phishing PHP Help

And now, welcome to a big, fat, ugly problem. The way your page is set up at this juncture, anyone with a bit of programming prowess could supply his own error message to your web page, simply by adding it to any URL that points to your application: .?error_message. That’s one way to employ a technique of Internet vandalism called phising.

Phishing is a technique by which someone receives what appears to be a trusted URL that in fact sends that user to an untrusted website. Suppose you get an email with a link to a site that looks like this:

It has lots of gibberish at the end, but you recognize the important part, the host name on phphelponline.com. Throughout this book, you’ve been seeing onphphelponline.com. as a domain name. (It’s the author’s domain, so this is a perfectly fine site to visit.) So, you go ahead and click the link, and you see something like Figure 8-10.



It’s an error page, just like the one you’ve been creating. And, look, it has a link on it. ” Might as well trust the link, too. It appears on a trusted page. You click the link …and you end up on a completely different site-probably one you didn’t expect (see Figure 8-11).



Now, the AMC page for Breaking Bag is hardly anything to lose sleep over …and let’s face it, breaking Bag really is a great show. Suppose, though, that same link took you to a site that asks for your credit card or that is full of illicit material that could get you fired when you accidentally land on that site at work, or even just a simple site that asks you to “reconfirm” your user name and password: these are potential disasters.

A clever and not-so-well-meaning coder could easily use the same CSS that’s used onphphelponline.com to ensure that site looks just like the initial error page, and most users would never know the difference.

The problem is that anyone can actually type a request parameter in a URL. Look back at the URL that started all of this:

Suddenly, a link to a non-trusted site is dropped right into your trusted page. That’s a big problem, and it can create massive headaches for your users.

Unfortunately, fixing this is going to take a lot of PHP wizardry that you don’t have quite yet. Fortunately, it’s coming …in about six chapters. For now, use this method of passing an error along via request parameters, but know that it’s not quite ready for prime-time. You’ll need to use something called sessions. which is detailed in Chapter 14, to avoid ever becoming part of a phishing scam.

Posted on January 11, 2016 in When Things Go Wrong (and They Will)

Share the Story

Back to Top