Shulou(Shulou.com)06/02 Report--

This article mainly explains the "PHP operation user submission need to pay attention to which dangerous functions", the article explains the content is simple and clear, easy to learn and understand, the following please follow the editor's ideas slowly in depth, together to study and learn "PHP operation user submission need to pay attention to which dangerous functions" bar!

PHP operates dangerous functions that users should pay attention to when submitting content

For our program development, the user's input is the first entrance to solve the security problem. Why would you say that? Whether it is SQL injection, XSS, or file upload vulnerabilities, they are all related to input parameters submitted by the user. Today we will not talk about these problems, we will focus on the following input to the user, there are some dangerous functions that cannot be used directly without verification, such as:

Include ($g)

Assuming that this $g is submitted by the user, we directly use this parameter to include the file without verification, and the parameter we pass is? g=/etc/passwd, then all the user account information on the server is likely to be leaked directly.

In addition, some functions that execute shell commands are extremely dangerous.

Echo system ($g)

When the parameter we pass is? g=ls-la /, the same server directory is also shown, which only shows the directory structure, and the consequences would be unimaginable if you use other more terrifying commands.

Similarly, we often manipulate files according to some id or specified file names, especially when deleting files, if not judged, then it is possible to delete some very important files directly.

Unlink. /'. $g)

We continue to structure $g as? g=../xxxx, and we can delete various system files if permissions permit.

In fact, some good suggestions have been given in PHP's official manual. We might as well take a look at what the PHP manual says.

The major weakness of many PHP programs is not the problem of the PHP language itself, but the lack of security awareness of the programmer. Therefore, you must always pay attention to the problems that may exist in each piece of code to discover the possible impact of incorrect data submission.

You must always pay attention to your code to make sure that every variable submitted from the client is properly checked, and then ask yourself the following questions:

Does this script only affect the expected files? Can abnormal data make a difference when it is submitted? Can this script be used for unplanned purposes? Can this script be combined with other scripts to do bad things? Are all transactions fully recorded?

You can also consider turning off register_globals,magic_quotes or other settings that make programming easier but confuse the legitimacy, source, and value of a variable. During development, you can use the error_reporting (E_ALL) mode to help check whether variables are checked or initialized before use, so as to prevent some abnormal data from being cluttered.

In fact, as long as these recommendations can be followed, most of the security problems can be solved. Again, you can't trust any of the user's output. Please do all kinds of verification during the test, including but not limited to boundary values, special symbols, special commands, out-of-bounds values, directory permissions, etc. Do not use user input as a direct parameter to include files, perform scripts, and file operations without necessity, and do various forms of filtering validation if you must.

Thank you for reading, the above is the content of "PHP operation users need to pay attention to what dangerous functions when submitting content". After the study of this article, I believe you have a deeper understanding of the problem of which dangerous functions need to be paid attention to when PHP operation users submit content, and the specific use needs to be verified in practice. Here is, the editor will push for you more related knowledge points of the article, welcome to follow!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.