Shulou(Shulou.com)06/03 Report--

This article introduces the knowledge of "what are the common security problems in PHP". In the operation of practical cases, many people will encounter such a dilemma, so let the editor lead you to learn how to deal with these situations. I hope you can read it carefully and be able to achieve something!

1. SQL injection

I bet a bag of spicy gluten, you'll see it here. SQL injection is one of the biggest threats to your website. If your database is attacked by someone else's SQL injection, others can transfer out of your database, perhaps with more serious consequences.

If a website wants to obtain dynamic data from a database, it must execute a SQL statement, as an example:

You searched for:

We found: Absolutely nothing because this is a demo

Because we print out the user's content directly, without any filtering, illegal users can splice URL:

Search.php?q=%3Cscript%3Ealert (1)% 3B%3C%2Fscript%3E

The content rendered by PHP is as follows. You can see that the Javascript code will be executed directly:

You searched for: alert (1)

We found: Absolutely nothing because this is a demo

Q: what's the big deal that JS code is executed?

Javascript can:

Steal Cookie from your user's browser

Get your site login account and password through the browser's password remembering function.

Steal users' confidential information

With JS permission, your user can do everything on the site, that is, user A can impersonate as any user.

Embed malicious code in your web page

...

Q: how to prevent this problem?

The good news is that more advanced browsers now have some basic XSS protection features, but don't rely on it.

The right thing to do is never trust any input from the user and filter out all the special characters in the input. This eliminates the vast majority of XSS attacks:

Because Include can load any file, not just PHP, an attacker can pass any file on the system as an include target.

Index.php?page=../../etc/passwd

This will cause the / etc/passwd file to be read and displayed on the browser.

To defend against such attacks, you must carefully consider the types that users are allowed to enter and delete potentially harmful characters, such as "." / ""\ "in the input characters.

If you really want to use a routing system like this (I don't recommend it in any way), you can automatically attach the PHP extension, delete any non-[a-zA-Z0-9] characters, and specify to load from a dedicated template folder so as not to include any non-template files.

I have seen the PHP code that caused this vulnerability many times in different development documents. Have a clear design idea from the start, allow the types of files you need to include, and delete redundant content. You can also construct an absolute path to read the file and verify that the file exists for protection instead of being read anywhere.

5. Insufficient password hash

Most Web applications need to save users' authentication information. If the password hash is good enough, it can protect the user's password from being illegally read when your website is compromised.

First of all, the last thing you should do is to store the user's password in clear text. It is an unalterable fact that most users will use the same password on multiple sites. When your site is hacked, it means that the user's accounts of other sites have also been hacked.

Second, you should not use a simple hash algorithm. In fact, all algorithms that are not optimized for password hashing should not be used. Hash algorithms such as MD5 or SHA are designed to be very fast. This is not what you need. The ultimate goal of password hashing is to make hackers spend endless time and energy unable to crack passwords.

Another important point is that you should add salt (Salt) to the password hash, which avoids the problem that two identical passwords will produce the same hash.

The following uses MD5 as an example, so please do not use MD5 to hash your password. MD5 is not secure.

If our users user1 and user315 have the same password ilovecats123, this password looks like a strong password, with letters and numbers, but in the database, the password hash data of the two users will be the same: 5e2b4d823db9d044ecd5e084b6d33ea5.

If a hacker takes down your website and gets the hash data, he will not need to violently crack the password of the user user315. We'll try to get him to make a lot of effort to crack your password, so we salt the data:

] > & passwd

Just like this, the contents of the / etc/passwd file are dumped into the XML file.

If you use libxml, you can call libxml_disable_entity_loader to protect yourself from such attacks. Please carefully check the default configuration of the XML library before using it to ensure that the configuration is successful.

9. Incorrect error reporting exposes sensitive data in a production environment

If you are not careful, sensitive information such as folder structure, database structure, connection information and user information may be leaked in the production environment due to incorrect error reporting.

You don't want users to see this, do you?

Generally, the configuration method varies depending on the framework or CMS you use. Usually the framework has settings that allow you to change the site to some kind of production environment. This redirects all user-visible error messages to the log file and displays non-descriptive 500 errors to the user, while allowing you to check against the error code.

But you should set up according to your PHP environment: error_reporting and display_errors.

10. Login restriction

Sensitive forms such as login should have a strict rate limit to prevent violent attacks. Save the number of failed login attempts for each user in the past few minutes, and if the rate exceeds the threshold you define, reject further login attempts until the end of the cooling-off period. Users can also be notified of login failures by email so that they know that their accounts are targeted.

This is the end of the content of "what are the common security issues in PHP". Thank you for reading. If you want to know more about the industry, you can follow the website, the editor will output more high-quality practical articles for you!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.