
Example Analysis of Security Problems in PHP Development

2025-01-16 Update From: SLTechnology News&Howtos


This article works through examples of common security problems in PHP development, with the corresponding analysis and solutions in detail, in the hope of helping readers who face these problems find a simpler and more workable approach.

When developing Internet applications, developers must always keep security in mind and reflect it in the code they write. The PHP scripting language itself does little to enforce security, which matters most for inexperienced developers. Whenever you do anything that involves financial matters, you should pay special attention to security considerations.

General points of security protection

1. Do not trust the form

JavaScript validation in the front end cannot be relied on, because the user's behavior is not known: for example, the browser's JavaScript engine may be turned off, and malicious data can still be sent to the server through POST. Validation needs to be done on the server side, on the data passed to each PHP script, to prevent XSS attacks and SQL injection.

2. Do not trust users

Assume that every piece of data received by your website has malicious code and hidden threats, and every piece of data should be cleaned up.

3. Turn off global variables

Configure the following in the php.ini file: register_globals = Off

If this configuration option is turned on, there will be great security risks. For example, there is a process.php script file that inserts the received data into the database, and the form that receives the user input data might be as follows:

In this way, when the data is submitted to process.php, PHP registers a $username variable holding the submitted data, and it sets such a variable for any POST or GET request parameter. If variables are not explicitly initialized, the following problems occur:

Here, assume that the authenticated_user function determines the value of the $authorized variable. If the register_globals configuration is turned on, any user can send a request that sets the $authorized variable to any value, so that the validation can be bypassed.

All submitted data should be obtained through PHP's predefined built-in global arrays, including $_POST, $_GET, $_FILES, $_SERVER, $_REQUEST, etc., where $_REQUEST is a combination of the $_GET/$_POST/$_COOKIE arrays, and the default order is $_COOKIE, $_POST, and $_GET.
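The bypass described above and its correction, as an added example that is not code from the original article. register_globals was removed in PHP 5.4, so its effect is emulated here with extract(); authenticated_user() is a stand-in that always fails, and the request array is constructed.

```php
<?php
// Added example. extract() emulates what register_globals = On did:
// every request parameter becomes a variable in the current scope.

function authenticated_user(): bool
{
    return false; // hypothetical check: nobody is logged in
}

// Vulnerable pattern: $authorized is never initialized, so a request
// parameter with the same name supplies its value.
function is_authorized_vulnerable(array $request): bool
{
    extract($request);               // emulates register_globals = On
    if (authenticated_user()) {
        $authorized = true;
    }
    return !empty($authorized);      // may be attacker-controlled
}

// Corrected pattern: the variable is initialized explicitly, and request
// data is only ever read by name from the array it arrived in.
function is_authorized_fixed(array $request): bool
{
    $authorized = false;             // explicit initialization
    $username = isset($request['username']) ? (string) $request['username'] : '';
    if ($username !== '' && authenticated_user()) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed request, equivalent to process.php?authorized=1
$request = ['authorized' => '1'];

var_dump(is_authorized_vulnerable($request));
var_dump(is_authorized_fixed($request));
```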

Recommended security configuration options

error_reporting is set to Off: do not expose error messages to users. You can set it to On when developing.

safe_mode is set to Off

register_globals is set to Off

Disable the following functions: system, exec, passthru, shell_exec, proc_open, popen

open_basedir is set to /tmp, which allows session information to be stored while setting up a separate site root directory

expose_php is set to Off

allow_url_fopen is set to Off

allow_url_include is set to Off

SQL injection attack

For SQL statements that operate on the database, you need to pay special attention to security, because the user may enter a specific statement to change the functionality of the original SQL statement. An example similar to the following:

$sql = "select * from pinfo where product = '$product'";

At this point, if the $product parameter entered by the user is:

39'; DROP pinfo; SELECT 'FOO

Then the final SQL statement looks like this:

select * from pinfo where product = '39'; DROP pinfo; SELECT 'FOO'

This will become three SQL statements, which will cause the pinfo table to be deleted, which will have serious consequences.

This problem can be solved simply by using PHP's built-in functions:

$sql = "select * from pinfo where product = '" . mysql_real_escape_string($product) . "'";

There are two things you need to do to prevent SQL injection attacks:

Always perform type verification on the input parameters

Always use the mysql_real_escape_string function to escape special characters such as single quotation marks, double quotation marks, back quotation marks, etc.

However, based on development experience, do not turn on PHP's Magic Quotes, which has been abolished in PHP 6; instead, escape explicitly yourself when needed.
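Both rules above, with parameter binding swapped in for string escaping, as an added example that is not code from the original article. mysql_real_escape_string was removed together with the mysql extension in PHP 7.0, so PDO is used instead; the in-memory SQLite database, the columns of pinfo and its rows are constructed, and the function names are hypothetical.

```php
<?php
// Added example: type verification plus a prepared statement.
// SQLite in memory stands in for the page's MySQL database.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE pinfo (product TEXT, name TEXT)');   // constructed schema
$pdo->exec("INSERT INTO pinfo VALUES ('39', 'widget')");
$pdo->exec("INSERT INTO pinfo VALUES ('40', 'gadget')");

// Rule 1: type verification. Assumption: product ids are 1 to 9 digits.
function is_valid_product(string $input): bool
{
    return preg_match('/^[0-9]{1,9}$/', $input) === 1;
}

// Rule 2, with binding instead of escaping: the value travels separately
// from the SQL text, so quotes and semicolons in it stay plain data.
function find_product(PDO $pdo, string $product): array
{
    $stmt = $pdo->prepare('SELECT product, name FROM pinfo WHERE product = :product');
    $stmt->bindValue(':product', $product, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The second input is the value quoted on the page.
$inputs = ['39', "39'; DROP pinfo; SELECT 'FOO"];

foreach ($inputs as $input) {
    // Binding is exercised even for rejected input to show each layer on its own.
    printf(
        "%-32s valid=%s rows=%d\n",
        $input,
        is_valid_product($input) ? 'yes' : 'no',
        count(find_product($pdo, $input))
    );
}

// The table still holds both rows after the loop.
echo 'rows in pinfo: ', $pdo->query('SELECT COUNT(*) FROM pinfo')->fetchColumn(), PHP_EOL;
```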

Prevent basic XSS attacks

Unlike other attacks, XSS attacks are carried out on the client side. The most basic XSS attack is a JavaScript script placed on a form page the user is about to submit, which steals the data submitted by the user and the cookie.

XSS attacks are more difficult to defend against than SQL injection. Websites of major companies have been attacked by XSS. Although this attack has nothing to do with the PHP language, you can use PHP to filter user data and so protect it. The main technique here is filtering user data, generally filtering out HTML tags, especially the a tag. Here is a common filtering method:

function transform_HTML($string, $length = null) {
    // Helps prevent XSS attacks
    // Remove dead space.
    $string = trim($string);
    // Prevent potential Unicode codec problems.
    $string = utf8_decode($string);
    // HTMLize HTML-specific characters.
    $string = htmlentities($string, ENT_NOQUOTES);
    // Convert # and % to their entities so encoded payloads are not interpreted.
    $string = str_replace("#", "&#35;", $string);
    $string = str_replace("%", "&#37;", $string);
    // Limit the maximum length of the submitted data.
    $length = intval($length);
    if ($length > 0) {
        $string = substr($string, 0, $length);
    }
    return $string;
}

This function converts the special characters of HTML into HTML entities, which the browser displays as plain text when rendering the text. For example, bold will be displayed as:

BoldText

At the core of the above function is the htmlentities function, which converts html special tags into html entity characters, which filters most XSS attacks.

But experienced XSS attackers have more ingenious ways to attack: they encode their malicious code in hexadecimal or UTF-8 instead of plain ASCII text, for example:

The result rendered by the browser is actually:

Dosomethingmalicious

In this way, the purpose of the attack is achieved. To prevent this, the transform_HTML function also converts # and % to their corresponding entity symbols, and adds the $length parameter to limit the maximum length of the submitted data.

Using SafeHTML to prevent XSS attacks

The above defense against XSS attacks is simple, but it does not cover all the tags a user may submit, and there are hundreds of ways to bypass filter functions to submit JavaScript code, so there is no way to completely prevent this situation.

At present, there is no single script that can guarantee that it will not be breached, but some are relatively better protected than others. There are two approaches to security filtering: whitelist and blacklist. The whitelist is simpler and more effective.
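The whitelist approach applied to one narrow case, the a tag singled out earlier, as an added example that is not code from the original article or from SafeHTML. The function names, the allowed scheme list and the sample inputs are assumptions; unlike transform_HTML it escapes quotes (ENT_QUOTES), because the value lands inside an attribute.

```php
<?php
// Added example: render a user-supplied link only when its scheme is on an allowlist.

const ALLOWED_SCHEMES = ['http', 'https'];   // assumption: only web links are wanted

function safe_href(string $url): ?string
{
    // Refuse whitespace and control characters, which browsers may strip
    // while parsing a URL and which can hide the real scheme.
    if ($url === '' || preg_match('/[\x00-\x20\x7f]/', $url)) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;                         // absolute URLs with a host only
    }
    if (!in_array(strtolower($parts['scheme']), ALLOWED_SCHEMES, true)) {
        return null;                         // anything not listed is refused
    }
    return $url;
}

function render_link(string $url, string $text): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    $label = htmlspecialchars($text, $flags, 'UTF-8');
    $href = safe_href($url);
    if ($href === null) {
        return $label;                       // drop the link, keep the escaped text
    }
    return '<a href="' . htmlspecialchars($href, $flags, 'UTF-8')
        . '" rel="nofollow noopener">' . $label . '</a>';
}

// Constructed sample inputs
$samples = [
    ['https://example.com/?a=1&b=2', 'Docs'],
    ['javascript:alert(1)', 'Click'],
    ['JaVaScRiPt:alert(1)', '<b>Click</b>'],
    ['https://example.com/"onmouseover="x', 'Quote'],
];

foreach ($samples as [$url, $text]) {
    echo render_link($url, $text), PHP_EOL;
}
```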

One whitelist solution is SafeHTML, which is smart enough to identify valid HTML and then remove any dangerous tags. It relies on the HTMLSax package for parsing.

How to install and use SafeHTML:

1. Go to http://pixel-apes.com/safehtml/?page=safehtml to download the latest SafeHTML

2. Put the files in the server's classes directory, which contains all the SafeHTML and HTMLSax libraries

3. Include the SafeHTML class files in your own script

4. Create a SafeHTML object

5. Filter using the parse method
