What are the common security problems in PHP development

2025-01-17 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/03 Report

This article covers the common security issues in PHP development. The methods introduced are simple, fast and practical, and the rest of the article walks through them one by one.

Table of contents:

1. Some security configurations of PHP

(1) Disable PHP error display

(2) Turn off some "bad" features

(3) Configure file permissions strictly

2. Validate data strictly: not all your users are "good" people

2.1 What data validation should include to keep the program secure and robust

2.2 Points programmers tend to miss or should pay attention to

3. Preventing injection

3.1 A simple test for an injection vulnerability, and how it works

3.2 Common MySQL injection statements

(1) Logging in without a user name or password

(2) Logging in as a known user without the password

(3) Guessing a user's password

(4) Raising privileges when inserting data

(5) Update statements work the same way as insert statements

(6) Malicious updates and deletions

(7) union, join, etc.

(8) The wildcards % and _

(9) Guessing table information with injected SQL

3.3 Some methods of preventing injection

3.3.1 PHP functions usable against injection, and their caveats

3.3.2 Priority of anti-injection characters

3.3.3 Anti-injection code

(1) If the parameter is a number, use intval() directly

(2) Filtering for non-text parameters

(3) Anti-injection code for text data

(4) Other code combining addslashes() and mysql_escape_string()

4. Preventing XSS attacks

4.1 The XSS attack process

4.2 Common places for XSS attacks

4.3 Anti-XSS methods

5. CSRF

5.1 The principle of CSRF, briefly

5.2 Prevention methods

6. Hotlink protection

7. Resisting CC attacks

1. Some security configurations of PHP

(1) Disable PHP error display

In php.ini set display_errors to:

The copy code is as follows:

display_errors = Off

Or, at the top of the PHP file, call:

The copy code is as follows:

error_reporting(0);

1) An example where error_reporting(0); fails:

A file code:

Error:

The copy code is as follows:

Parse error: parse error, expecting `','' or `';'' in E:\webphp\2.php on line 4

2) An example where error_reporting(0); succeeds:

A file code:

B file code:

Many phpers say that error_reporting(0) "doesn't work". In the first example A.php contains a parse error, so the file never executes at all; since it never runs, the error_reporting(0) call inside it is never reached, and the error is reported anyway.

In the second example a.php executes successfully, so the error_reporting(0) call takes effect and errors in the b.php it includes are suppressed.

Ps: error_reporting(0) does not hide MySQL error messages that the code prints itself, e.g. with echo mysql_error(); those are ordinary output, not PHP errors.

(2) Turn off some "bad" features

1) Disable magic quotes

In php.ini set magic_quotes_gpc = Off

This avoids double escaping when the code also calls addslashes() and the like.

2) Turn off register_globals

In php.ini set register_globals = Off

With register_globals = On, requesting

Address bar: https://www.jb51.net?bloger=benwin

creates the variable $bloger with the value 'benwin' inside the script without any assignment in the code. Any variable the script forgot to initialise can therefore be set by whoever controls the request, which can be fatal. So set register_globals = Off.

(Both directives were deprecated in PHP 5.3 and removed in PHP 5.4; on those and later versions they are effectively always Off.)

(3) Configure file permissions strictly

Give each directory only the permissions it needs. For example, the directory that holds uploaded pictures must be readable but never executable by the web server.

2. Validate data strictly: not all your users are "good" people

I remember a friend saying, while we were discussing data validation, "Don't think so badly of all your users!" But the problem the author wants to describe should never arise in our development scenario: what we must do is strictly validate and control the flow of data. Even one bad user among a hundred million can be fatal, and a good user who inadvertently types Chinese into an input box has inadvertently become "bad" too.

2.1 To keep the program secure and robust, data validation should cover:

(1) whether the key data exists, e.g. whether the data id is present;

(2) whether the data type is correct, e.g. whether the id to delete is an integer;

(3) the data length, e.g. for a char(10) field the length must be checked with strlen() (or mb_strlen() for multi-byte text, since strlen() counts bytes, not characters);

(4) whether the data contains dangerous characters.

Some advocate finishing the functionality first and writing the security validation afterwards; others write the validation as they develop. The author has tried both and prefers the latter: the validation written alongside the code turned out to be more robust, mainly because the security issues that come to mind during development are relatively complete, whereas writing it afterwards has two problems: the phper is eager to finish and rushes it, and some points simply get forgotten.

2.2 Points programmers tend to miss or should pay attention to:

(1) Data entering the database must be validated. While working on an internal system for a company in Guangzhou, I saw $_POST handed straight to a class method, classFunctionName($_POST), on the grounds that the system was internal and need not be so strict. Leaving aside the coupling between business logic and data access, operating on unchecked data is fatal. Validation is mandatory; there is no excuse to skip it.

(2) Data length. For a char(25) field most phpers check whether the value is empty and of the right type but ignore its length. (This is common among beginners; the author used to think this way too.)

(3) Assuming that because the front end has validated with JavaScript, the back end need not validate again. This is also fatal: forging a form takes a few minutes. JavaScript validation only reduces the number of user submissions, improving the user experience and reducing HTTP requests and server load; it cannot stop "villains". JavaScript validation is fine for legitimate users who stay under its control, but as phpers we cannot rely on it alone and drop the server-side validation.

(4) Not validating form fields such as select, checkbox, radio and button. The developer sets their values and ranges (a whitelist) in the page, JavaScript validation usually skips them because a legitimate user can only choose among them and not modify them, and so the phper does not validate them at the back end either. This is habitual thinking, and it is a security problem: the villain simply submits a forged form.

(5) Naming form elements after the database columns, e.g. the user table's user_name column and a form input also called user_name; this is no different from exposing the database schema.

(6) Filtering dangerous characters, e.g. against injection, is explained separately below.
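Pulling points (1) to (4) of 2.1 and (2) to (4) of 2.2 together, the following is an added example (not code from the original article) of a server-side validator for a small user form. The field names id, user_name and role, the char(25) column size and the allowed role values are assumptions made for the example:

```php
<?php
// Added example, not the article's code: server-side validation of a form as
// described in section 2. Field names, the char(25) column size and the
// allowed role values are assumptions.

const USER_NAME_MAX = 25;                    // assumed: user_name is char(25)
const ALLOWED_ROLES = ['reader', 'editor'];  // assumed: the values of a <select>

/**
 * Validate raw request data ($_POST or $_GET).
 * Returns ['ok' => bool, 'errors' => string[], 'data' => array] where
 * 'data' only contains values that passed every check.
 */
function validate_user_form(array $input): array
{
    $errors = [];
    $clean  = [];

    // 2.1 (1) key data must exist, 2.1 (2) and must be of the right type.
    // FILTER_VALIDATE_INT rejects "1 or 1=1", "1'", "01" and " 1 " alike.
    if (!isset($input['id'])) {
        $errors[] = 'id missing';
    } elseif (filter_var($input['id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]) === false) {
        $errors[] = 'id must be a positive integer';
    } else {
        $clean['id'] = (int) $input['id'];
    }

    // 2.1 (3) length, counted in characters: strlen() counts bytes, and a
    // name of 10 Chinese characters is 30 bytes in UTF-8. 2.1 (4) dangerous
    // characters: whitelist letters (any script), digits and underscore.
    $name = isset($input['user_name']) ? trim((string) $input['user_name']) : '';
    if ($name === '') {
        $errors[] = 'user_name missing';
    } elseif (mb_strlen($name, 'UTF-8') > USER_NAME_MAX) {
        $errors[] = 'user_name longer than ' . USER_NAME_MAX . ' characters';
    } elseif (!preg_match('/^[\p{L}\p{N}_]+$/u', $name)) {
        $errors[] = 'user_name contains disallowed characters';
    } else {
        $clean['user_name'] = $name;
    }

    // 2.2 (4): a <select>/<radio> value is re-checked against the whitelist;
    // a forged form can send anything, not only the options shown in the page.
    $role = isset($input['role']) ? (string) $input['role'] : '';
    if (!in_array($role, ALLOWED_ROLES, true)) {
        $errors[] = 'role not in allowed set';
    } else {
        $clean['role'] = $role;
    }

    return ['ok' => $errors === [], 'errors' => $errors, 'data' => $clean];
}

// Constructed inputs: one legitimate submission and one forged one that
// uses the payloads discussed in section 3 of the article.
$good = ['id' => '42', 'user_name' => 'benwin', 'role' => 'reader'];
$bad  = ['id' => '1 or 1=1', 'user_name' => "benwin' or ''='", 'role' => 'admin'];

var_dump(validate_user_form($good)['ok']);
print_r(validate_user_form($bad)['errors']);
```

The legitimate form passes and the forged one collects one error per field. The whitelist on role is the part most often forgotten: the browser never lets a normal user send anything else, so nobody thinks to check it, but the request is built by the client and can carry any value.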

3. Preventing injection

3.1 A simple test for an injection vulnerability, and how it works

URL: https://www.jb51.net/benwin.php?id=1 runs normally; the SQL statement is something like: select * from phpben where id = 1

(1) URL: https://www.jb51.net/benwin.php?id=1' gives an SQL statement like: select * from phpben where id = 1' and the page now errors. This shows that benwin.php neither filters "'" from the value of id nor casts it with intval(). Other characters such as "%" and "/*" can be tried exhaustively in the same way (this is what many testing tools do).

(2) URL: https://www.jb51.net/benwin.php?id=1 and 1=1 gives a statement like: select * from phpben where id = 1 and 1=1. It runs normally and returns the same result as id=1, which suggests that benwin.php does not filter spaces or "and" either (only suggests, so see the next point).

(3) URL: https://www.jb51.net/benwin.php?id=1 and 1=2 gives a statement like: select * from phpben where id = 1 and 1=2. If the result now differs (no row, or an error), the injected "and 1=2" took effect inside the SQL statement. When all three checks behave like this, it is certain that benwin.php has an injection vulnerability.

Ps: the GET method is used here; POST works the same way, as long as the same inputs are submitted one by one.

3.2 Common MySQL injection statements

(1) Logging in without a user name or password

The copy code is as follows:

// normal statement
$sql = "select * from phpben where user_name='admin' and pwd = '123'";

// enter ' or ''=' in both the user name and password boxes, or ' or 1=1# in the user name box, and $sql becomes
$sql = "select * from phpben where user_name='' or ''='' and pwd='' or ''=''";
$sql = "select * from phpben where user_name='' or 1=1#' and pwd=''";

Either way the where condition is always true, so no real user name or password is needed. The author admits to an urge to try this whenever he sees a login box.

(2) Logging in as a known user without the password

The copy code is as follows:

// normal statement
$sql = "select * from phpben where user_name='$username' and pwd ='$pwd'";

// if the user name is benwin, entering benwin'# in the user name box turns $sql into
$sql = "select * from phpben where user_name='benwin'#' and pwd ='$pwd'";

This works because "#" starts a comment in MySQL: everything after it in the statement above is commented out, so the password can be left empty or typed at random. Some people online say to comment with "/*". The author's point is that MySQL only errors when such a comment is opened and never closed with "*/"; it does not mean "/* ... */" cannot be used for this, only that it is hard to get the closing "*/" into the statement here. "--" also starts a MySQL comment, but note that it must be followed by at least one space, i.e. "-- ". Anti-injection code must account for all three comment styles, and a lot of it does not take "--" into account.

(3) Guessing a user's password

The copy code is as follows:

// normal statement
$sql = "select * from phpben.com where user_name='$username' and pwd ='$pwd'";

// enter benwin' and left(pwd,1)='p'# in the user name box, and $sql becomes
$sql = "select * from phpben.com where user_name='benwin' and left(pwd,1)='p'#' and pwd ='$pwd'";

If the login succeeds, the first character of the password is p; the remaining characters are guessed the same way, one position at a time.

(4) Raising privileges when inserting data

The copy code is as follows:

// normal statement, level 1
$sql = "insert into phpben.com (`user_name`, `pwd`, `level`) values ('benwin','iampwd',1)";

// entering iampwd',5)# (or iampwd',5)-- ) in the password box turns it into
$sql = "insert into phpben.com (`user_name`, `pwd`, `level`) values ('benwin','iampwd',5)#', 1)";
$sql = "insert into phpben.com (`user_name`, `pwd`, `level`) values ('benwin','iampwd',5)-- ', 1)";

Either statement registers the user at level 5 instead of the intended level 1.

(5) Update statements work the same way as insert statements

The copy code is as follows:

// normal statement
$sql = "update phpben set `user_name` = 'benwin', level=1";

// the final $sql obtained by entering benwin',level=5# (or benwin',level=5-- ) as the user name
$sql = "update phpben set `user_name` = 'benwin',level=5#', level=1";
$sql = "update phpben set `user_name` = 'benwin',level=5-- ', level=1";

(6) Malicious updates and deletions

The copy code is as follows:

// normal statement
$sql = "update phpben set `user_name` = 'benwin' where id = 1";

// after injection, the value of id is "1 or id > 0"
$sql = "update phpben set `user_name` = 'benwin' where id = 1 or id > 0";

// normal statement
$sql = "update phpben set `user_name` = 'benwin' where id=1";

// after injecting benwin' where id > 0# (or benwin' where id > 0-- ) as the user name
$sql = "update phpben set `user_name` = 'benwin' where id > 0#' where id=1";
$sql = "update phpben set `user_name` = 'benwin' where id > 0-- ' where id=1";

In every case the update hits every row of the table instead of one; the same trick turns a delete of one row into a delete of all rows.

(7) union, join, etc.

The copy code is as follows:

// normal statement
$sql = "select * from phpben1 where `user_name` = 'benwin'";

// after injection
$sql = "select * from phpben1 where `user_name` = 'benwin' union select * from phpben2#'";
$sql = "select * from phpben1 where `user_name` = 'benwin' left join ... #'";

The union form only works when the second select returns the same number of columns as the first, which is why attackers first probe for the column count.

(8) The wildcards % and _

The copy code is as follows:

// normal statement
$sql = "select * from phpben where `user_name` = 'benwin'";

// with injected wildcards: % matches any number of characters, one _ matches exactly one character, so __ matches two
$sql = "select * from phpben where `user_name` like '%b'";
$sql = "select * from phpben where `user_name` like '_b_'";

The first matches any user whose name ends in b ('b%' would match names starting with b); '_b_' matches any three-character name whose middle character is b. This is why, when addslashes() is introduced below, it is pointed out that it does not escape % and _. In fact many phpers do not know why % and _ should be filtered at all and just follow code found online blindly.

(9) Guessing table information with injected SQL

The copy code is as follows:

// normal statement
$sql = "select * from phpben1 where `user_name` = 'benwin'";

// guess a table name: if the query still runs normally, a table phpben2 exists
$sql = "select * from phpben1 where `user_name` = 'benwin' and (select count(*) from phpben2) > 0#'";

// guess a column: if the query runs normally, phpben2 has a column colum1
$sql = "select * from phpben1 where `user_name` = 'benwin' and (select count(colum1) from phpben2) > 0#'";

// guess a column value
$sql = "select * from phpben1 where `user_name` = 'benwin' and left(pwd,1) = 'p'#'";

Of course there are many more; the author has not studied this to a professional level, but these are the common ones every phper should know and understand, rather than blindly copying and pasting anti-injection code from the Internet without understanding what it does.

With these in mind, the anti-injection methods below may be easier to understand.

3.3 Some methods of preventing injection

3.3.1 PHP functions usable against injection, and their caveats

(1) addslashes() and stripslashes()

addslashes() puts a backslash before the single quote ('), double quote ("), backslash (\) and NUL byte; stripslashes() reverses it. Note whether php.ini has magic_quotes_gpc = On: if it does, the input is already escaped and addslashes() would escape it a second time, so check get_magic_quotes_gpc() first.

The general code is similar to:

The copy code is as follows:

if (!get_magic_quotes_gpc())
{
    $abc = addslashes($abc);
}

Anyone who has studied PHP a little knows this, but the author wants to introduce the topic systematically (this is not an expert article), so it is written down here anyway.

(2) mysql_escape_string() and mysql_real_escape_string()

mysql_real_escape_string() should be used wherever it is available (PHP >= 4.3.0, PHP 5); only otherwise fall back to mysql_escape_string().

The copy code is as follows:

if (version_compare(PHP_VERSION, '4.3.0', '>='))
{
    $string = mysql_real_escape_string($string);
} else
{
    $string = mysql_escape_string($string);
}

The difference between mysql_escape_string() and mysql_real_escape_string() is that the latter takes the character set of the current database connection into account. Consequently it needs an open connection, and without one it produces an error like this:

The copy code is as follows:

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'ODBC'@'localhost' (using password: NO) in E:\webphp\test.php on line 11

(The whole mysql_* extension was deprecated in PHP 5.5 and removed in PHP 7.0; the equivalents are mysqli_real_escape_string($link, $string) and PDO::quote(), and prepared statements avoid the escaping problem altogether.)

(3) Character replacement and matching functions

str_replace(), preg_replace() and similar functions are mentioned here as well because they can be used to filter or replace sensitive and dangerous characters.

3.3.2 Priority of anti-injection characters

To prevent injection you must first know which characters and keywords are used in injections. Common MySQL injection characters are: string delimiters such as "'" and '"'; logical keywords such as "and" and "or"; the MySQL comment markers "#", "-- " and "/* */"; the MySQL wildcards "%" and "_"; and MySQL keywords such as select | insert | update | delete | * | union | join | into | load_file | outfile.

(1) For parameters with a fixed format, the top anti-injection priority is the space " ".

Bank card numbers, ID card numbers, e-mail addresses, phone numbers, birthdays, postal codes and so on have their own format and can never legitimately contain a space, so the first thing to filter from them is the space (including its "variants"), because the string delimiters, logical keywords and comment markers below generally need a space to be combined into working SQL. Next in importance are "'" and '"'.

Ps: the variants of the space character are "%20", "\n", "\r", "\r\n", "\n\r" and chr(32). This is why mysql_escape_string() and mysql_real_escape_string() escape "\n" and "\r": many phpers know to escape \n and \r without knowing why. When MySQL parses a statement, \n and \r are treated as whitespace just like a space. This has been tested and verified; the code is not posted here.

(2) "and", "or", "\", "#", "--"

Logical keywords can be combined into a great deal of injection code; MySQL comments cut off the rest of the application's own SQL so that the injected statement runs normally; "\" can also be combined with many injection characters such as \x00 and \x1a.

Ps: "#" and "--" are not considered by most MySQL anti-injection code and are overlooked by many phpers. Because some phpers separate values inside a parameter with "-", the author suggests not writing parameters like that; alternatively filter "-- " (note the space: without it MySQL does not parse "--" as a comment) as a whole rather than filtering "-", so as not to over-filter legitimate parameters.

(3) "null", "%", "_"

These cannot act independently, only in specific contexts; the wildcards "%" and "_" only matter inside a MySQL like clause. So "%" and "_" are generally filtered only for search parameters and cannot be put in the general filtering queue, because some values, e-mail addresses for instance, legitimately contain "_".

(4) The keywords select | insert | update | delete | * | union | join | into | load_file | outfile

You may ask why such important keywords have such low priority. The author's answer is that these keywords can do no harm without "'", "and", "or" and the like: they are not "independent" but "dependent". Low priority does not mean they should not be filtered.

3.3.3 Anti-injection code

(1) If the parameter is a number, use intval() directly.

Note: much of the popular anti-injection code on the Internet filters only with addslashes(), mysql_escape_string(), mysql_real_escape_string() or some combination of the three, and the phper believes the input is filtered, but a hole remains when the parameter is a number:

The copy code is as follows:

$id = addslashes($_POST['id']); // correct is $id = intval($_POST['id']);
$sql = "select * from phpben.com where id = $id";
// with the value "1 or 1" posted, addslashes() changes nothing and the statement becomes
$sql = "select * from phpben.com where id = 1 or 1";

Because the number is not quoted in the SQL, there is no quote for addslashes() to escape: most injections in POST data are stopped by it, but $id without intval() still leads to a vulnerability. It is a small detail, and carelessness here creates holes.

(2) Filtering for non-text parameters

Text parameters such as a title, message or article body may legitimately contain "'", '"' and similar characters, and it is not possible to strip or replace all of them when filtering.

Non-text data, however, can be filtered aggressively:

The copy code is as follows:

function _str_replace($str)
{
    $str = str_replace(" ", "", $str);
    $str = str_replace("\n", "", $str);
    $str = str_replace("\r", "", $str);
    $str = str_replace("'", "", $str);
    $str = str_replace('"', '', $str);
    $str = str_replace("or", "", $str);
    $str = str_replace("and", "", $str);
    $str = str_replace("#", "", $str);
    $str = str_replace("\\", "", $str);
    $str = str_replace("-", "", $str);
    $str = str_replace("null", "", $str);
    $str = str_replace("%", "", $str);
    // $str = str_replace("_", "", $str);
    $str = str_replace(">", "", $str);
    // the article's listing is cut off at this point
    return $str;
}

Note that str_replace() is case-sensitive, so "OR" and "AND" pass through unless str_ireplace() is used, and that removing substrings also mutilates legitimate values that happen to contain them (an "Oregon" becomes "egon"). That is why this approach is only acceptable for non-text parameters whose legitimate values can never contain these sequences.
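To tie 3.3.3 (1) and (2) together with the mysql_* caveat above, the following is an added example (not the article's code) showing three ways of building the page's queries safely: intval() for numeric parameters, escaping against a live connection for strings (including the LIKE wildcards from 3.2 (8)), and prepared statements, which fix the statement text before any user data is bound. Table and column names are the article's own; the in-memory SQLite database standing in for MySQL, and the connection handling, are assumptions made so the script runs offline:

```php
<?php
// Added example, not code from the original article. Table/column names
// (phpben, id, user_name, pwd, level) follow the article; the SQLite
// in-memory database used as a stand-in for MySQL is an assumption.

// 1. Numeric parameter: cast, never escape. intval("1 or 1=1") === 1, so the
//    "where id = 1 or 1" statement from 3.3.3 (1) can no longer be formed.
function build_id_query(string $rawId): string
{
    $id = intval($rawId);
    return "select * from phpben where id = $id";
}

// 2. String parameter, legacy string-building style: escape with the
//    connection's character set (mysqli_real_escape_string needs a live
//    connection, exactly as mysql_real_escape_string did) and always put
//    quotes around the value in the SQL.
function build_name_query(mysqli $db, string $rawName): string
{
    $name = mysqli_real_escape_string($db, $rawName);
    return "select * from phpben where user_name = '$name'";
}

//    Escaping does not touch % and _, so for a LIKE pattern the wildcards are
//    escaped first (\% and \_ are literal in LIKE), then the whole string.
//    The SQL escaping doubles the backslashes inside the literal, which the
//    MySQL string parser turns back into single backslashes for LIKE to see.
function build_like_query(mysqli $db, string $rawPrefix): string
{
    $prefix = addcslashes($rawPrefix, '%_');
    $prefix = mysqli_real_escape_string($db, $prefix);
    return "select * from phpben where user_name like '$prefix%'";
}

// 3. Preferred: a prepared statement. The statement text is fixed before the
//    user's data is bound, so none of the article's payloads (' or ''=',
//    benwin'#, ' union select ...) can change its structure; they are
//    compared as ordinary string values.
function find_user(PDO $pdo, string $rawName, string $rawPwd): ?array
{
    // The article compares plaintext passwords; real code should store a
    // password_hash() and check it with password_verify().
    $stmt = $pdo->prepare('select * from phpben where user_name = ? and pwd = ?');
    $stmt->execute([$rawName, $rawPwd]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed data and inputs taken from the article's payloads.
$pdo = new PDO('sqlite::memory:');  // assumption: pdo_sqlite is available
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('create table phpben (id integer primary key, user_name text, pwd text, level integer)');
$pdo->exec("insert into phpben values (1, 'admin', 'secret', 5), (2, 'benwin', 'iampwd', 1)");

echo build_id_query('1 or 1=1'), "\n";                    // only the leading 1 survives the cast
var_dump(find_user($pdo, "' or ''='", "' or ''='"));      // no login bypass
var_dump(find_user($pdo, "benwin'#", 'anything'));        // the comment trick is just a string now
var_dump(find_user($pdo, 'benwin', 'iampwd') !== null);   // real credentials still work
```

The mysqli_ functions are declared but not called, because they need a real MySQL connection; the PDO part runs against SQLite, whose prepared-statement semantics are the same for this purpose. The order in build_like_query matters: escaping the wildcards after the SQL escaping would leave a backslash in front of each one that the string parser removes, re-enabling the % and _ matching from 3.2 (8).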
