Today most business is conducted through the web, and most attacks are also carried out against web applications.
Application attacks vary and evolve rapidly to exploit newly created or newly identified vulnerabilities, as do the reasons for and consequences of attacks.
Other attacks:
– Cookie attacks
– Database interaction
– Hidden fields
The attack works by including a link or script in a page that accesses a site to which the user is known (or is assumed) to have been authenticated.
Joomla! attempts to protect against CSRF by inserting a random string called a token into each POST form and each GET query string that is able to modify something in the Joomla! system.
For integers:
    $int = JRequest::getInt( $name, $default );
For floats (decimals):
    $float = JRequest::getFloat( $name, $default );
For boolean values (true/false):
    $bool = JRequest::getBool( $name, $default );
For "words" (only allows alpha characters and the _ character):
    $word = JRequest::getWord( $name, $default );
For "commands" (allows alpha characters, numeric characters, . - and _):
    $cmd = JRequest::getCMD( $name, $default );
For NON-HTML text (all HTML will be stripped):
    $string = JRequest::getString( $name, $default );
Conclusion: Validate all user input before you use it in a SQL query. Apply
    $string = $db->getEscaped( $string );
to all strings that will be used in SQL queries, and apply
    $value = intval( $value );
to all integer numbers you use in SQL queries. Again, for more information on SQL injections, please take a look at the listed resources, especially .
The files of your component will usually be called by Joomla!. Joomla! is a wrapper around your software; it provides many useful features such as user authentication. Since developers usually test their components only through Joomla!, they tend to forget that the files can also be requested directly, bypassing that wrapper.
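The following is an added example, not code from the page or from the Joomla! project, showing how the four protections discussed above (the direct-access guard, typed request input, the CSRF token check, and escaping before SQL) fit together in one Joomla! 1.5 component entry point. The component name com_example, the table #__example_items and the field names are assumed.

```php
<?php
// Added example (hypothetical component, not Joomla!'s own code).
// Joomla! defines _JEXEC before it includes a component, so a request that
// hits this file directly (e.g. /components/com_example/example.php) stops here.
defined('_JEXEC') or die('Restricted access');

// Typed input: values arrive already filtered by type. A non-numeric 'id'
// becomes 0, 'task' can only contain [A-Za-z0-9._-], and HTML is stripped
// from 'search', so none of them can carry tags or quote characters unchecked.
$task   = JRequest::getCmd('task', 'display');
$id     = JRequest::getInt('id', 0);
$search = JRequest::getString('search', '');

$db = JFactory::getDBO();

switch ($task) {
    case 'save':
        // CSRF: a state-changing POST must carry the per-session token that
        // the form emitted with <?php echo JHTML::_('form.token'); ?>.
        // checkToken() looks the token up in the POST data and compares it
        // to the one stored in the session.
        JRequest::checkToken() or jexit('Invalid Token');

        $title = JRequest::getString('title', '');
        // Escape every string before interpolating it; Quote() escapes and
        // wraps the value in quotes, and the integer goes through intval().
        $query = 'UPDATE #__example_items'
               . ' SET title = ' . $db->Quote($title)
               . ' WHERE id = ' . intval($id);
        $db->setQuery($query);
        $db->query();
        break;

    default:
        // Read-only listing. The second argument to getEscaped() also escapes
        // the LIKE wildcards % and _, so a search term cannot widen the match;
        // Quote(..., false) wraps the already-escaped value without re-escaping.
        $query = 'SELECT id, title FROM #__example_items'
               . ' WHERE title LIKE '
               . $db->Quote('%' . $db->getEscaped($search, true) . '%', false)
               . ' ORDER BY id';
        $db->setQuery($query);
        $rows = $db->loadObjectList();   // hand $rows to the view layer
        break;
}
```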