[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"academy-blogs-en-1-1-all-writing-secure-code-preventing-attacks-in-web-apps-all--*":3,"academy-blog-translations-o6rcvfhmp3abtue":80},{"data":4,"page":79,"perPage":79,"totalItems":79,"totalPages":79},[5],{"alt":6,"collectionId":7,"collectionName":8,"content":9,"cover_image":10,"cover_image_path":11,"created":12,"created_by":13,"expand":14,"id":74,"keywords":75,"locale":49,"published_at":76,"scheduled_at":13,"school_blog":71,"short_description":77,"status":69,"title":6,"updated":78,"updated_by":13,"slug":72,"views":73},"Writing Secure Code: Techniques to Prevent Attacks in Web Apps","sclblg987654321","school_blog_translations","\u003Cp>Developing web applications in today's era comes with various challenges. One of the most important aspects that web developers need to consider is security, as web apps are often prime targets for hacker attacks. Writing secure code is therefore essential to prevent unauthorized access to users' data or systems.\u003C\u002Fp>\u003Cp>In this article, we will discuss techniques for preventing attacks on web applications that every programmer should know, in order to enhance the security of the web app you are developing.\u003C\u002Fp>\u003Cp>&nbsp;\u003C\u002Fp>\u003Cfigure class=\"image image_resized\" style=\"width:75%;\">\u003Cimg style=\"aspect-ratio:6000\u002F6000;\" src=\"https:\u002F\u002Fimagedelivery.net\u002Fg5Z0xlCQah-oO61sLqaEUA\u002F49_2_11zon_80f5d3f942\u002Ftwsme\" alt=\"Preventing SQL Injection\" width=\"6000\" height=\"6000\">\u003C\u002Ffigure>\u003Cp>&nbsp;\u003C\u002Fp>\u003Ch2>1. Preventing SQL Injection\u003C\u002Fh2>\u003Cp>SQL Injection is a type of attack where hackers insert malicious SQL commands into the input forms of web applications, such as username and password fields. 
When hackers are able to do this, they can bypass the validation system and gain access to the database, potentially reading sensitive data such as user information or order lists, or even destroying the entire database.\u003C\u002Fp>\u003Ch3>How to Prevent SQL Injection\u003C\u002Fh3>\u003Ch4>1. Use Prepared Statements or Parameterized Queries\u003C\u002Fh4>\u003Cp>Using this method is the safest way to prevent SQL Injection because it clearly separates SQL commands from the data input by the user.\u003C\u002Fp>\u003Cp>With Prepared Statements, the data entered by the user cannot insert SQL commands. The system generates SQL commands with placeholders waiting to be filled in, preventing malicious SQL injections.\u003C\u002Fp>\u003Ch4>2. Use ORM (Object-Relational Mapping)\u003C\u002Fh4>\u003Cp>ORM tools like Django ORM or SQLAlchemy make database interactions safer by automatically generating parameterized SQL commands, which prevents SQL Injection as long as you do not pass raw, user-built SQL strings through them.\u003C\u002Fp>\u003Ch4>3. Avoid Using Unsafe SQL Commands\u003C\u002Fh4>\u003Cp>Avoid using SQL commands that concatenate user input directly, such as using \u003Cspan style=\"background-color:hsl(137,79%,57%);\">CONCAT()\u003C\u002Fspan> or \u003Cspan style=\"background-color:hsl(137,79%,57%);\">EXECUTE()\u003C\u002Fspan> with user input. This can create vulnerabilities that hackers can exploit.\u003C\u002Fp>\u003Ch3>Example of Preventing SQL Injection with Parameterized Queries (in Python)\u003C\u002Fh3>\u003Cpre>\u003Ccode class=\"language-python\"># Using a parameterized query: the driver sends the SQL text and the values\n# separately, so user input is never parsed as part of the SQL command.\n# cursor is a DB-API cursor from a driver that uses the %s paramstyle (e.g. psycopg2).\ncursor.execute(\"SELECT * FROM users WHERE username = %s AND password = %s\", (username, password))\u003C\u002Fcode>\u003C\u002Fpre>\u003Cp>In this example, %s is used as a placeholder for user input (like the username and password) and does not include user data directly in the SQL statement. 
This ensures that malicious SQL commands cannot be injected.\u003C\u002Fp>\u003Cp>&nbsp;\u003C\u002Fp>\u003Cfigure class=\"image image_resized\" style=\"width:75%;\">\u003Cimg style=\"aspect-ratio:6000\u002F6000;\" src=\"https:\u002F\u002Fimagedelivery.net\u002Fg5Z0xlCQah-oO61sLqaEUA\u002F51_4_11zon_f5e20ebdec\u002Ftwsme\" alt=\"Data Encryption\" width=\"6000\" height=\"6000\">\u003C\u002Ffigure>\u003Cp>&nbsp;\u003C\u002Fp>\u003Ch2>2. Data Encryption\u003C\u002Fh2>\u003Cp>Data encryption is crucial in securing sensitive information in web applications, especially when transmitting data like passwords, credit card details, or other personal information. Protecting this data from being intercepted or accessed by malicious parties is essential for ensuring security.\u003C\u002Fp>\u003Ch3>How to Prevent Data Interception\u003C\u002Fh3>\u003Ch4>1. Use HTTPS (SSL\u002FTLS)\u003C\u002Fh4>\u003Cp>Using the HTTPS protocol for transmitting data between the user and the server encrypts the data sent over the internet, so that attackers on the network path cannot read or tamper with it in transit. SSL\u002FTLS (Secure Sockets Layer\u002FTransport Layer Security) ensures secure, encrypted communication.\u003C\u002Fp>\u003Cp>Using HTTPS assures users that their data is being transmitted securely, reducing the risk of attacks from hackers trying to intercept sensitive information.\u003C\u002Fp>\u003Ch4>2. Encrypt Data in the Database\u003C\u002Fh4>\u003Cp>Even though data is encrypted during transmission, the data stored in the database also requires protection. Techniques like using \u003Cspan style=\"background-color:hsl(137,79%,57%);\">bcrypt\u003C\u002Fspan> or \u003Cspan style=\"background-color:hsl(137,79%,57%);\">argon2\u003C\u002Fspan> (one-way hashing, suited to passwords) or \u003Cspan style=\"background-color:hsl(137,79%,57%);\">AES (Advanced Encryption Standard)\u003C\u002Fspan> (reversible encryption, suited to data the application must read back) help secure data in the database, making it more difficult for unauthorized individuals to access it.\u003C\u002Fp>\u003Ch4>3. 
Use Hashing for Passwords\u003C\u002Fh4>\u003Cp>Passwords should never be stored in the database in a readable format. Instead, hashing is used to convert the password into an irreversible string. Additionally, using salts (adding a unique random value to each password before hashing) enhances security further.\u003C\u002Fp>\u003Ch3>Example of Hashing Passwords with bcrypt\u003C\u002Fh3>\u003Cpre>\u003Ccode class=\"language-python\">from bcrypt import hashpw, gensalt, checkpw\n\n# Hash the password; gensalt() generates a fresh random salt that bcrypt stores inside the hash\nhashed_password = hashpw(password.encode('utf-8'), gensalt())\n\n# Verify a later login attempt: checkpw re-hashes with the stored salt and compares the result\nis_valid = checkpw(password.encode('utf-8'), hashed_password)\u003C\u002Fcode>\u003C\u002Fpre>\u003Cp>In this example, we're using \u003Cspan style=\"background-color:hsl(137,79%,57%);\">bcrypt\u003C\u002Fspan> to hash the user's password by applying \u003Cspan style=\"background-color:hsl(137,79%,57%);\">gensalt()\u003C\u002Fspan> to add a salt value, making the hashed password more difficult to guess. This helps protect against rainbow table attacks, where hackers try to reverse hashed passwords using a precomputed table.\u003C\u002Fp>\u003Cp>&nbsp;\u003C\u002Fp>\u003Cfigure class=\"image image_resized\" style=\"width:75%;\">\u003Cimg style=\"aspect-ratio:6000\u002F6000;\" src=\"https:\u002F\u002Fimagedelivery.net\u002Fg5Z0xlCQah-oO61sLqaEUA\u002F53_6_11zon_e33936482b\u002Ftwsme\" alt=\"Cross-Site Scripting (XSS) Protection\" width=\"6000\" height=\"6000\">\u003C\u002Ffigure>\u003Cp>&nbsp;\u003C\u002Fp>\u003Ch2>3. Cross-Site Scripting (XSS) Protection\u003C\u002Fh2>\u003Cp>XSS attacks occur when an attacker injects malicious JavaScript code into your web application. 
This can result in the theft of sensitive information such as login credentials or personal data when users click on a link or open a page containing these harmful scripts.\u003C\u002Fp>\u003Cp>XSS vulnerabilities arise when the web application fails to properly filter or sanitize user input, allowing an attacker to inject malicious code and perform an attack.\u003C\u002Fp>\u003Ch3>Methods to Prevent XSS\u003C\u002Fh3>\u003Ch4>1. Use Content Security Policy (CSP)\u003C\u002Fh4>\u003Cp>CSP is a security feature that controls which sources of scripts a web application can load. It prevents scripts from being loaded from untrusted sources, thus reducing the chances of an attacker injecting unwanted JavaScript code.\u003C\u002Fp>\u003Ch4>2. Sanitize User Input\u003C\u002Fh4>\u003Cp>Sanitizing user input is another essential method to prevent XSS. It involves using tools or functions to remove or modify potentially harmful scripts, making them non-executable. For example, you can remove unauthorized HTML or JavaScript tags from user input before displaying it on the webpage.\u003C\u002Fp>\u003Ch4>3. Escape Displayed Data\u003C\u002Fh4>\u003Cp>When displaying user input on a webpage, you should escape the data to prevent it from being executed as a script. 
Escaping means converting special HTML characters (such as \u003Cspan style=\"background-color:hsl(137,79%,57%);\">&lt;\u003C\u002Fspan>, \u003Cspan style=\"background-color:hsl(137,79%,57%);\">&gt;\u003C\u002Fspan>, \u003Cspan style=\"background-color:hsl(137,79%,57%);\">&amp;\u003C\u002Fspan>) into their entity-encoded forms, which the browser renders as plain text instead of interpreting as markup or script.\u003C\u002Fp>\u003Ch3>Example: Sanitizing User Input\u003C\u002Fh3>\u003Cp>In the following example, we use \u003Cspan style=\"background-color:hsl(137,79%,57%);\">bleach\u003C\u002Fspan>, a Python library, to sanitize user input, particularly by removing or neutralizing harmful scripts. Note that bleach's maintainers have declared the library deprecated, so check its maintenance status before relying on it in a new project; the allow-list approach shown here applies whichever sanitizer you use.\u003C\u002Fp>\u003Cpre>\u003Ccode class=\"language-python\">import bleach\n\n# Sanitize user input: tags not on bleach's allow-list (such as script) are escaped\n# rather than rendered, and attributes not on the allow-list are dropped\nsanitized_input = bleach.clean(user_input)\u003C\u002Fcode>\u003C\u002Fpre>\u003Cp>In this example, the \u003Cspan style=\"background-color:hsl(137,79%,57%);\">bleach.clean()\u003C\u002Fspan> function cleans the user input so that disallowed tags are escaped rather than rendered, and the result can be displayed without executing any embedded script.\u003C\u002Fp>\u003Cp>&nbsp;\u003C\u002Fp>\u003Cfigure class=\"image image_resized\" style=\"width:75%;\">\u003Cimg style=\"aspect-ratio:6000\u002F6000;\" src=\"https:\u002F\u002Fimagedelivery.net\u002Fg5Z0xlCQah-oO61sLqaEUA\u002F55_8_11zon_207c0f944c\u002Ftwsme\" alt=\"Secure Session Management\" width=\"6000\" height=\"6000\">\u003C\u002Ffigure>\u003Cp>&nbsp;\u003C\u002Fp>\u003Ch2>4. Secure Session Management\u003C\u002Fh2>\u003Cp>Session management is crucial for maintaining the security of user data in web applications, especially when dealing with logins and protecting sensitive information after the user is authenticated. 
Session hijacking attacks involve stealing a user's session data during an active login, which hackers can use to access sensitive information, such as user accounts or personal data.\u003C\u002Fp>\u003Cp>Preventing such attacks is essential for developers during the web application development process.\u003C\u002Fp>\u003Ch3>Methods to Prevent Session Hijacking\u003C\u002Fh3>\u003Ch4>1. Use HttpOnly and Secure Flags for Cookies\u003C\u002Fh4>\u003Cp>The \u003Cspan style=\"background-color:hsl(137,79%,57%);\">HttpOnly\u003C\u002Fspan> flag on cookies prevents the cookie data from being accessed via JavaScript, which reduces the risk of Cross-Site Scripting (XSS) attacks that might allow hackers to steal cookie data.\u003C\u002Fp>\u003Cp>The \u003Cspan style=\"background-color:hsl(137,79%,57%);\">Secure\u003C\u002Fspan> flag ensures that the cookie is only transmitted over HTTPS, protecting it from being intercepted during transmission over insecure channels.\u003C\u002Fp>\u003Ch4>2. Session Expiration After a Timeout\u003C\u002Fh4>\u003Cp>Set a session expiration time when the user has been inactive for a certain period, such as 15 or 30 minutes. This ensures that a session will expire and become unusable if there has been no user activity within the designated time frame.\u003C\u002Fp>\u003Ch4>3. Verify IP Address and User-Agent\u003C\u002Fh4>\u003Cp>Verifying the user's IP address and User-Agent for each session helps prevent hackers from using a hijacked session from another location. 
Checking whether the IP address or the user's device changes during the session adds an extra layer of security. Keep in mind that legitimate users' IP addresses also change (for example when switching between mobile and Wi-Fi networks or when behind rotating proxies), so treat a change as a reason to re-authenticate rather than as proof of hijacking.\u003C\u002Fp>\u003Ch3>Example: Setting HttpOnly and Secure Cookies\u003C\u002Fh3>\u003Cp>Here is an example of how to set cookies with \u003Cspan style=\"background-color:hsl(137,79%,57%);\">HttpOnly\u003C\u002Fspan> and \u003Cspan style=\"background-color:hsl(137,79%,57%);\">Secure\u003C\u002Fspan> flags in Python (using Flask):\u003C\u002Fp>\u003Cpre>\u003Ccode class=\"language-python\"># response is a Flask Response object, e.g. the result of make_response()\n# HttpOnly keeps the cookie out of reach of JavaScript; Secure restricts it to HTTPS;\n# SameSite=Lax additionally stops the browser attaching it to most cross-site requests\nresponse.set_cookie('session_id', session_id, httponly=True, secure=True, samesite='Lax')\u003C\u002Fcode>\u003C\u002Fpre>\u003Cp>In this example, when the user logs in, the \u003Cspan style=\"background-color:hsl(137,79%,57%);\">session_id\u003C\u002Fspan> cookie is set with the \u003Cspan style=\"background-color:hsl(137,79%,57%);\">HttpOnly\u003C\u002Fspan> flag, which prevents JavaScript from accessing the cookie, and the \u003Cspan style=\"background-color:hsl(137,79%,57%);\">Secure\u003C\u002Fspan> flag ensures the cookie is only sent over HTTPS, enhancing security in communication between the server and the user. The SameSite attribute in the code is a further hardening step that limits when the browser sends the cookie on requests originating from other sites.\u003C\u002Fp>\u003Cp>&nbsp;\u003C\u002Fp>\u003Cfigure class=\"image image_resized\" style=\"width:75%;\">\u003Cimg style=\"aspect-ratio:6000\u002F6000;\" src=\"https:\u002F\u002Fimagedelivery.net\u002Fg5Z0xlCQah-oO61sLqaEUA\u002F57_10_11zon_2808b0533a\u002Ftwsme\" alt=\"Regular Monitoring and Updates\" width=\"6000\" height=\"6000\">\u003C\u002Ffigure>\u003Cp>&nbsp;\u003C\u002Fp>\u003Ch2>5. Regular Monitoring and Updates\u003C\u002Fh2>\u003Cp>Keeping software and development tools up to date is crucial for maintaining the security of your web app. 
Vulnerabilities in the libraries or frameworks you use might be discovered after the software or tools are released, and hackers may exploit these vulnerabilities to attack your web app.\u003C\u002Fp>\u003Cp>Regular updates prevent your system from being at risk from vulnerabilities that are exposed in older versions, which could significantly impact the security of your system and user data.\u003C\u002Fp>\u003Ch3>Protection Methods\u003C\u002Fh3>\u003Ch4>1. Update Libraries and Tools\u003C\u002Fh4>\u003Cp>Make it a priority to regularly update software to ensure you benefit from patches for security vulnerabilities and improvements in functionality, including updates to the operating systems used for development and server management.\u003C\u002Fp>\u003Ch4>2. Use Security Tools for Library Vulnerability Checks\u003C\u002Fh4>\u003Cp>Tools like OWASP Dependency-Check or other similar tools can be used to scan for potential vulnerabilities in the libraries you use to develop your web app.\u003C\u002Fp>\u003Ch4>3. Monitor Vulnerabilities Reported by Communities and Developers\u003C\u002Fh4>\u003Cp>When vulnerabilities are discovered in libraries or tools that you use, it’s important to update them immediately. 
If an immediate update is not possible, find quick ways to mitigate or close the vulnerability.\u003C\u002Fp>\u003Ch3>Example\u003C\u002Fh3>\u003Cp>If you're using Python and need to update installed packages to the latest version, you can use this command:\u003C\u002Fp>\u003Cpre>\u003Ccode class=\"language-bash\"># Upgrade a single package to its latest published release\npip install --upgrade &lt;package_name&gt;\u003C\u002Fcode>\u003C\u002Fpre>\u003Cp>Updating to the latest package versions ensures you get security patches and new features that help improve the safety of your system.\u003C\u002Fp>\u003Ch4>Checking for Vulnerabilities in Libraries\u003C\u002Fh4>\u003Cp>Using OWASP Dependency-Check to scan for vulnerabilities in libraries used in your project can help protect against attacks using known vulnerable libraries.\u003C\u002Fp>\u003Cpre>\u003Ccode class=\"language-bash\"># Scan a project directory and report dependencies with known CVEs\ndependency-check --project &lt;project_name&gt; --scan &lt;directory_to_scan&gt;\u003C\u002Fcode>\u003C\u002Fpre>\u003Cp>This tool reports which libraries in use have known vulnerabilities, with the matching CVE identifiers and severities, so you can decide whether they need to be updated or removed from the project.\u003C\u002Fp>\u003Cp>&nbsp;\u003C\u002Fp>\u003Chr>\u003Cp>&nbsp;\u003C\u002Fp>\u003Ch2>Summary\u003C\u002Fh2>\u003Cp>Developing a secure web app involves several key aspects, such as preventing SQL Injection, encrypting data, preventing XSS, securely managing sessions, and regularly updating software. Using these techniques will help protect your web app from attacks and securely store user data.\u003C\u002Fp>\u003Cp>Writing secure code is not just about using techniques; it also requires considering security at every stage of web app development, from design to implementation. 
This approach ensures that your project is reliable and protected against cyber threats that may arise.\u003C\u002Fp>\u003Cp>🔵 Facebook: \u003Ca target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\u002F\u002Fwww.facebook.com\u002Fsuperdev.school.th\">Superdev School &nbsp;(Superdev)\u003C\u002Fa>\u003C\u002Fp>\u003Cp>📸 Instagram: \u003Ca target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\u002F\u002Fwww.instagram.com\u002Fsuperdevschool\u002F\">superdevschool\u003C\u002Fa>\u003C\u002Fp>\u003Cp>🎬 TikTok: \u003Ca target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\u002F\u002Fwww.tiktok.com\u002F@superdevschool\">superdevschool\u003C\u002Fa>\u003C\u002Fp>\u003Cp class=\"\" data-start=\"5978\" data-end=\"6095\">🌐 Website: \u003Ca target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\u002F\u002Fwww.superdev.school\u002F\">www.superdev.school\u003C\u002Fa>\u003C\u002Fp>","7_2_11zon_jtubnbomp2.webp","https:\u002F\u002Ftwsme-r2.tumwebsme.com\u002Fsclblg987654321\u002Fh9vpwdr5iwahszb\u002F7_2_11zon_jtubnbomp2.webp","2026-03-04 08:47:58.706Z","",{"keywords":15,"locale":43,"school_blog":53},[16,23,28,33,38],{"collectionId":17,"collectionName":18,"created":19,"created_by":13,"id":20,"name":21,"updated":22,"updated_by":13},"sclkey987654321","school_keywords","2026-03-04 08:47:55.919Z","h8nsx5m3ntyll7x","prevent attacks in web apps","2026-04-10 16:13:37.077Z",{"collectionId":17,"collectionName":18,"created":24,"created_by":13,"id":25,"name":26,"updated":27,"updated_by":13},"2026-03-04 08:47:56.526Z","wwoqunmg6njbqr4","writing secure code","2026-04-10 16:13:37.299Z",{"collectionId":17,"collectionName":18,"created":29,"created_by":13,"id":30,"name":31,"updated":32,"updated_by":13},"2026-03-04 08:47:57.037Z","punnbfm11jr8pic","preventing SQL Injection","2026-04-10 16:13:37.530Z",{"collectionId":17,"collectionName":18,"created":34,"created_by":13,"id":35,"name":36,"updated":37,"updated_by":13},"2026-03-04 08:47:57.617Z","vn7psz75konpe7t","preventing 
XSS","2026-04-10 16:13:37.720Z",{"collectionId":17,"collectionName":18,"created":39,"created_by":13,"id":40,"name":41,"updated":42,"updated_by":13},"2026-03-04 08:47:58.229Z","e6id4fvf5sseu0b","web app security","2026-04-10 16:13:38.032Z",{"code":44,"collectionId":45,"collectionName":46,"created":47,"flag":48,"id":49,"is_default":50,"label":51,"updated":52},"en","pbc_1989393366","locales","2026-01-22 11:00:02.726Z","twemoji:flag-united-states","qv9c1llfov2d88z",false,"English","2026-04-10 15:42:46.825Z",{"category":54,"collectionId":55,"collectionName":56,"created":13,"expand":57,"id":71,"slug":72,"updated":13,"views":73},"spm4l1k5bgmhmmt","pbc_2105096300","school_blogs",{"category":58},{"blogIds":59,"collectionId":60,"collectionName":61,"created":62,"created_by":13,"id":54,"image":63,"image_alt":13,"image_path":64,"label":65,"name":66,"priority":67,"publish_at":68,"scheduled_at":13,"status":69,"updated":70,"updated_by":13},[],"sclcatblg987654321","school_category_blogs","2026-03-04 08:31:18.590Z","50hyjr6os45_ayazwr5gq7.png","https:\u002F\u002Ftwsme-r2.tumwebsme.com\u002Fsclcatblg987654321\u002Fspm4l1k5bgmhmmt\u002F50hyjr6os45_ayazwr5gq7.png",{"en":66,"th":66},"Knowledge",0,"2026-03-18 02:25:41.222Z","published","2026-04-25 02:32:14.497Z","o6rcvfhmp3abtue","writing-secure-code-preventing-attacks-in-web-apps",218,"h9vpwdr5iwahszb",[20,25,30,35,40],"2025-07-07 05:07:14.291Z","Learn how to prevent attacks in web apps such as SQL Injection, XSS, and session management to enhance the security of your web application.","2026-04-22 07:10:06.842Z",1,{"th":72,"en":72}]