2025-04-14 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
This article shares how to handle security issues in PHP development and which security configuration options are recommended. The editor thinks it is quite practical, so it is shared here for everyone to learn from; I hope you get something out of it. Without further ado, follow along.
When developing an Internet service, security must always be kept in mind and reflected in the code being written. PHP as a scripting language does not take care of security for you, and most inexperienced developers overlook it. Whenever money is involved, for example when building a forum or a shopping cart, security deserves special attention. The following explains how to handle security issues in PHP development and which security configuration options are recommended.
How to handle security issues in PHP development
General principles of security protection
Do not trust forms
Client-side JavaScript validation cannot be relied on, because the user's behaviour is unknown: the user can simply disable the browser's JavaScript engine and send malicious data to the server via POST. Server-side validation is therefore required for the data passed to every PHP script, to prevent XSS attacks and SQL injection.
Do not trust users
Assume that every piece of data your website receives is malicious code or a hidden threat, and sanitize every piece of data.
Turn off global variables
Configure the following in the php.ini file:
register_globals=Off
If this option is turned on, there is a big security risk. For example, suppose a script file process.php inserts the received data into the database. The form that receives the user's input may look as follows:
Then, when data is submitted to process.php, PHP registers a $username variable holding the submitted value, and does the same for every POST or GET request parameter. If a variable is not explicitly initialized, the following problem occurs:
<?php
// Define $authorized = true only if the user is authenticated
if (authenticated_user()) {
    $authorized = true;
}
?>
Here the authenticated_user function is assumed to be the only thing that sets the $authorized variable. If register_globals is turned on, any user can send a request that sets $authorized to an arbitrary value and bypasses this check.
All submitted data should instead be obtained through PHP's predefined superglobal arrays, including $_POST, $_GET, $_FILES, $_SERVER, $_REQUEST, etc. $_REQUEST is a union of $_GET/$_POST/$_COOKIE, and the default order is $_COOKIE, $_POST and $_GET.
What are the recommended security configuration options for PHP development?
error_reporting is set to Off: do not expose error messages to users. It can be set to On during development.
safe_mode is set to Off
register_globals is set to Off
Disable the following functions: system, exec, passthru, shell_exec, proc_open, popen
open_basedir is set to /tmp, which allows session information to be stored, and a separate website root directory is configured.
expose_php is set to Off
allow_url_fopen is set to Off
allow_url_include is set to Off
SQL injection attacks
SQL statements that operate on the database need special attention, because a user may enter specially crafted input that changes what the original SQL statement does. Consider the following example:
$sql = "select * from pinfo where product = '$product'";
If the user supplies the $product parameter as:
39'; DROP pinfo; SELECT 'FOO
the final SQL statement becomes:
select * from pinfo where product = '39'; DROP pinfo; SELECT 'FOO'
This yields three SQL statements, one of which drops the pinfo table, with serious consequences.
The problem can be solved easily using PHP's built-in escaping function:
$sql = "select * from pinfo where product = '" . mysql_real_escape_string($product) . "'";
Preventing SQL injection attacks requires two things:
Always validate the type of input parameters
Always escape special characters such as single quotes, double quotes and backticks using the mysql_real_escape_string function
However, based on development experience, do not turn on PHP's magic quotes; this feature was abolished in PHP 6. Always escape explicitly where it is needed.
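As an added example (not code from the article), the two requirements above applied to the article's pinfo query: a type check on the product id, and a mysqli prepared statement in place of string concatenation. Prepared statements are a substitute for the article's mysql_real_escape_string, since the mysql_* extension was removed in PHP 7; the database credentials are placeholders.

```php
<?php
// Added example: type validation plus a mysqli prepared statement.
// Table and column names (pinfo, product) are the article's; the
// connection details below are placeholders, not real credentials.
declare(strict_types=1);

// The article's vulnerable form: the value is interpolated into the SQL.
function vulnerable_query(string $product): string
{
    return "select * from pinfo where product = '$product'";
}

// Step 1: type validation. The product id is numeric, so reject anything
// that is not a plain unsigned integer before the database is involved.
function validate_product_id(string $raw): int
{
    if (!ctype_digit($raw) || strlen($raw) > 10) {
        throw new InvalidArgumentException('product must be a positive integer');
    }
    return (int) $raw;
}

// Step 2: a prepared statement. The parameter travels separately from the
// SQL text, so the server never parses user input as part of the query.
function find_product(mysqli $db, int $productId): array
{
    $stmt = $db->prepare('SELECT * FROM pinfo WHERE product = ?');
    $stmt->bind_param('i', $productId);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Walk-through with the article's own injection string.
$raw = "39'; DROP pinfo; SELECT 'FOO";
echo vulnerable_query($raw), PHP_EOL;      // three statements: injection succeeds
try {
    validate_product_id($raw);             // throws: not a digit string
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
// $db = new mysqli('db-host', 'dbuser', 'dbpass', 'shop'); // placeholders
// $rows = find_product($db, validate_product_id('39'));
```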
Prevent basic XSS attacks
Unlike the other attacks, XSS attacks take place on the client side. The most basic XSS attack uses a JavaScript script to steal the data and cookies that a user submits through a form page.
XSS is harder to defend against than SQL injection, and all major company websites have suffered XSS attacks. Although this attack has nothing to do with the PHP language itself, PHP can be used to filter user data in order to protect it. The main approach is to filter user data, generally by stripping HTML tags, especially a tags. Here is a common filtering method:
function transform_HTML($string, $length = null) {
    // Helps prevent XSS attacks
    // Remove dead space.
    $string = trim($string);
    // Prevent potential Unicode codec problems.
    $string = utf8_decode($string);
    // HTMLize HTML-specific characters.
    $string = htmlentities($string, ENT_NOQUOTES);
    // Replace # and % with their numeric entities so encoded payloads cannot be reassembled.
    $string = str_replace("#", "&#35;", $string);
    $string = str_replace("%", "&#37;", $string);
    // Optionally truncate to the maximum allowed length.
    $length = intval($length);
    if ($length > 0) {
        $string = substr($string, 0, $length);
    }
    return $string;
}
This function converts HTML special characters into HTML entities, which the browser renders as plain text rather than as markup. For example, bold text such as BoldText wrapped in a bold tag has the tag's angle brackets converted to &lt; and &gt;, so the browser displays the tag literally instead of rendering the text in bold.
The heart of the function is the htmlentities function, which converts HTML special characters into HTML entities and thereby filters most XSS attacks.
But experienced XSS attackers have more subtle methods: they use hexadecimal or UTF-8 encoding instead of plain ASCII text for their malicious code, such as the following:
The browser actually renders this as:
which achieves the attacker's goal. To prevent this, the transform_HTML function additionally converts # and % to their corresponding entity symbols, and takes the $length parameter to limit the maximum length of the submitted data.
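As an added example (my own code, not the article's), a stricter version of the transform_HTML idea built on htmlspecialchars with an explicit UTF-8 charset and ENT_QUOTES; the function name and the sample inputs are constructed for the demonstration.

```php
<?php
// Added example: hardened output encoding in the spirit of transform_HTML.
declare(strict_types=1);

function escape_for_html(string $input, int $maxLength = 0): string
{
    // Reject invalid UTF-8 up front rather than silently mangling it.
    if (!mb_check_encoding($input, 'UTF-8')) {
        throw new InvalidArgumentException('input is not valid UTF-8');
    }
    $input = trim($input);
    // Truncate on characters, not bytes, so a multibyte char is never split.
    if ($maxLength > 0) {
        $input = mb_substr($input, 0, $maxLength, 'UTF-8');
    }
    // ENT_QUOTES also encodes ' and ", which matters when the value ends up
    // inside an HTML attribute; the article's ENT_NOQUOTES leaves them alone.
    $out = htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    // As in the article: neutralise # and % so numeric-entity or
    // percent-encoded forms cannot be reassembled into a tag downstream.
    return strtr($out, ['#' => '&#35;', '%' => '&#37;']);
}

// Constructed inputs covering the cases discussed above.
$tests = [
    '<b>Bold Text</b>',        // tag is shown literally, not rendered bold
    '" onmouseover="x"',       // quotes must be encoded in attribute context
    '&#60;script&#62;',        // pre-encoded tag: & and # both neutralised
    "caf\xC3\xA9 %3Cb%3E",     // UTF-8 text plus percent-encoding
];
foreach ($tests as $t) {
    echo escape_for_html($t, 40), PHP_EOL;
}
```

Because & is encoded too, already-encoded input such as &#60; comes out as &amp;&#35;60; and stays inert; decode once before calling this if the data was stored encoded.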
SafeHTML prevents XSS attacks
The protection above is very simple, but it does not cover every tag a user might send, and there are hundreds of ways to bypass such a filter and submit JavaScript code; no filter of this kind can stop every case.
Currently no single script is guaranteed to be impenetrable, but some defences are clearly better than others. There are two approaches: whitelisting and blacklisting. Whitelisting is simpler and more effective.
One whitelisting solution is SafeHTML, which is smart enough to recognize valid HTML and then remove any dangerous tags. It relies on the HTMLSax package for parsing.
How to install SafeHTML:
1. Go to http://pixel-apes.com/safehtml/page=safehtml to download the latest SafeHTML
2. Put the files into the server's classes directory, which then contains all of the SafeHTML and HTMLSax libraries
3. Include the SafeHTML class file in your own script
4. Create a SafeHTML object
5. Filter using the parse method
<?php
/* If you're storing the HTMLSax3.php in the /classes directory, along
   with the safehtml.php script, define XML_HTMLSAX3 as a null string. */
define('XML_HTMLSAX3', '');
// Include the class file.
require_once('classes/safehtml.php');
// Define some sample bad code.
$data = "This data would raise an alert";
// Create a safehtml object.
$safehtml = new safehtml();
// Parse and sanitize the data.
$safe_data = $safehtml->parse($data);
// Display result.
echo 'The sanitized data is ' . $safe_data;
?>
SafeHTML does not completely protect against XSS attacks either; it is just a relatively sophisticated script-based validation method.
Use one-way hashing to protect data
One-way hashing ensures that each user's password is unique and cannot be recovered: only the end user knows the password, and the system never stores the original. One advantage is that an attacker cannot learn the original passwords even after the system has been compromised.
Encryption and hashing are two different processes. Unlike encryption, a hash cannot be decrypted and is one-way; two different strings may produce the same hash value, so there is no guarantee that a hash value is unique.
A hash produced by the MD5 function basically cannot be cracked, though it is always possible, and there are also MD5 hash dictionaries on the Internet.
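As an added example (not from the article), storing and checking passwords with PHP's password_hash/password_verify, a salted slow hash that replaces the plain MD5 the article mentions; the sample passwords are constructed.

```php
<?php
// Added example: salted, slow password hashing instead of plain MD5.
declare(strict_types=1);

// Hash for storage. Each call embeds a fresh random salt, so two users
// with the same password get different hashes and a precomputed MD5
// dictionary of the kind the article mentions is useless.
function hash_password(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Check a login attempt. Also reports whether the stored hash should be
// recomputed, e.g. after the default algorithm or cost has been raised.
function check_password(string $password, string $storedHash): array
{
    $ok = password_verify($password, $storedHash);
    return [
        'ok'     => $ok,
        'rehash' => $ok && password_needs_rehash($storedHash, PASSWORD_DEFAULT),
    ];
}

// Legacy MD5 hashes (what the article describes) should at least be
// compared in constant time; they remain unsalted and fast to brute-force.
function check_legacy_md5(string $password, string $storedMd5): bool
{
    return hash_equals($storedMd5, md5($password));
}

$stored = hash_password('correct horse battery staple');             // constructed
var_dump(check_password('correct horse battery staple', $stored)['ok']);  // true
var_dump(check_password('Correct horse battery staple', $stored)['ok']);  // false
var_dump($stored === hash_password('correct horse battery staple'));      // false: new salt
var_dump(check_legacy_md5('hunter2', md5('hunter2')));                    // true
```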
Encrypt data using mcrypt
An MD5 hash cannot be turned back into readable data, but stored user credit card information must be encrypted so that it can be decrypted later.
The best way to do this is the mcrypt module, which contains more than 30 encryption methods and ensures that only the holder of the key can decrypt the data.
<?php
$data = "Stuff you want encrypted";
$key = "Secret passphrase used to encrypt your data";
$cipher = MCRYPT_SERPENT_256;   // mcrypt constants, not quoted strings
$mode = MCRYPT_MODE_CBC;

function encrypt($data, $key, $cipher, $mode) {
    // Encrypt data; key and IV are both derived from md5($key), truncated to the sizes mcrypt expects
    return (string) base64_encode(
        mcrypt_encrypt(
            $cipher,
            substr(md5($key), 0, mcrypt_get_key_size($cipher, $mode)),
            $data,
            $mode,
            substr(md5($key), 0, mcrypt_get_block_size($cipher, $mode))
        )
    );
}

function decrypt($data, $key, $cipher, $mode) {
    // Decrypt data: undo the base64 wrapping, then decrypt with the same derived key and IV
    return (string) mcrypt_decrypt(
        $cipher,
        substr(md5($key), 0, mcrypt_get_key_size($cipher, $mode)),
        base64_decode($data),
        $mode,
        substr(md5($key), 0, mcrypt_get_block_size($cipher, $mode))
    );
}
?>
The mcrypt functions require the following information:
1. The data to be encrypted
2. The key used to encrypt and decrypt the data
3. The specific algorithm chosen for encrypting the data (cipher: for example MCRYPT_TWOFISH192, MCRYPT_SERPENT_256, MCRYPT_RC2, MCRYPT_DES and MCRYPT_LOKI97)
4. The mode used for encryption
5. The encryption seed, the data used to start the encryption process: additional binary data used to initialize the encryption algorithm
6. The required lengths of the key and of the seed, which can be obtained with the mcrypt_get_key_size and mcrypt_get_block_size functions
If both the data and the key are stolen, an attacker can try each cipher in turn to find the one that works, so the key is passed through MD5 once for extra safety. Also, since the encrypted data returned by the mcrypt function is binary, saving it directly into a database field can cause errors, so base64_encode is used to convert it into hexadecimal digits for convenient storage.
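As an added example (not the article's code), the same encrypt/decrypt shape rebuilt on ext/sodium's authenticated secretbox, a substitute for mcrypt, which was removed from PHP core in 7.2; the key is generated in the demo rather than derived from a passphrase, and the sample plaintext is the article's.

```php
<?php
// Added example: authenticated encryption with a per-message random nonce.
// In practice the key is loaded from configuration or a secrets store,
// never derived from md5($passphrase) as in the mcrypt snippet above.
declare(strict_types=1);

function encrypt(string $plaintext, string $key): string
{
    // Fresh random nonce per message; it is not secret, so it is stored in
    // front of the ciphertext (this replaces the article's fixed IV).
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = sodium_crypto_secretbox($plaintext, $nonce, $key);
    // base64 so the binary result can live in a text column, as the
    // article does with mcrypt's output.
    return base64_encode($nonce . $box);
}

function decrypt(string $encoded, string $key): ?string
{
    $raw = base64_decode($encoded, true);
    if ($raw === false || strlen($raw) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        return null; // malformed stored value
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    // false when the ciphertext was altered or the key is wrong, because the
    // Poly1305 tag does not verify; mcrypt CBC had no such integrity check.
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    return $plain === false ? null : $plain;
}

$key = sodium_crypto_secretbox_keygen();          // 32 random bytes (demo only)
$token = encrypt('Stuff you want encrypted', $key);
var_dump(decrypt($token, $key));                  // string "Stuff you want encrypted"

// Flip one bit of the stored value: authentication fails, nothing is returned.
$raw = base64_decode($token);
$raw[10] = $raw[10] ^ "\x01";
var_dump(decrypt(base64_encode($raw), $key));     // NULL
```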
The above covers how to handle security issues in PHP development and which security configuration options are recommended. The editor believes some of these points will come up in our daily work. I hope you have learned something from this article; for more details, please follow the industry information channel.