![Close [x]](http://dw1.s81c.com/i/c.gif){kind=small}
Before you start
This tutorial is for jQuery Mobile developers interested in securing their applications. It assumes that the reader has basic knowledge related to web application development using PHP, MySQL, JavaScript, XHTML, and CSS. Also, this tutorial is in no way comprehensive; it is intended as an introduction to web application security. For further reading on the issues covered here, plus other relevant topics, check Resources.
With the rise of smart phones and similar devices, web application security has been broadened to include mobile applications. Because of the constraints imposed by the interfaces of many such devices, developers sometimes work with the flawed assumption that client-side input validation is sufficient for protection against attacks. However, requests sent by mobile applications can be manipulated in the same way as traditional web applications. Because of this vulnerability, the client cannot be trusted. With sensitive data sometimes stored on devices and the servers that they use, the protection of users from black-hat hackers is critical. This tutorial shows how several types of vulnerabilities occur and some of the countermeasures that can be put in place to mitigate attackers trying to exploit them. The following types of vulnerabilities are covered:
- Cross-site scripting
- Cross-site request forgery
- Broken access control
- SQL injection
- File inclusion
- OS command injection
- Scripting language injection
- Arbitrary file creation
All vulnerabilities and countermeasures are demonstrated using a sample application built with jQuery Mobile, PHP, and MySQL. (See Download for a .zip file with the sample code.)
You will need the following tools to complete this tutorial:
- Web server — You can use any web server with PHP support. Many of the exploits throughout this tutorial are Windows specific, but they can be adapted for other operating systems. Suggested web servers are Apache or the IBM HTTPServer.
- PHP — Because some attacks described do not work against the latest version, PHP 5.3.1 was used. Such incompatibilities are noted throughout the tutorial.
- MySQL — This tutorial uses MySQL, an open source database. Version 5.1.41 was used for this tutorial, but other versions should work fine.
- Web debugging proxy — Because a way of manipulating HTTP requests is necessary, a web debugging proxy is very helpful. Throughout this tutorial, Fiddler v2.3.2.4 is used, but any other web debugger proxy that allows for modification of requests works.
- jQuery Mobile — The front end of the sample application built in this tutorial uses jQuery Mobile 1.0 Alpha 3.
See Resources for helpful links.
Table of contents
Next steps from IBM
With the no-charge DB2 Express-C, Zend Core PHP, and Java you can develop advanced Web 2.0 applications quickly that matter.
- Try: Download a free trial version of DB2 Express-C, which includes Zend Core PHP and pureXML technology that is ideally suited for managing both XML and relational data and powering a new breed of SOA and Web 2.0 solutions.
- Article: This IBM Redbook shows how to port PHP apps from MySQL to DB2, and includes code samples for creating Zend Core PHP applications.
- Tutorial: In this Mastering Facebook app development tutorial series, you will use Java and PHP in parallel to build a Facebook interface for an online stock trading J2EE application using the Spring framework.
- Buy: DB2 9 for Linux, UNIX and Windows
