1什么是安全性
所谓安全性就是保护web应用程序与网页不会受到黑客的攻击。有些黑客纯粹是为了好玩而入侵他人的电脑,但有更多的黑客费劲心思要窃取他人电脑中的机密文件,甚至使整台电脑瘫痪来达到他的目的。现象在网上有很多可以让黑客使用的软件,这些软件多半是免费的而且简单好用,所以一般人要攻击您的电脑,并不是一件非常困难的事情。关键是您对电脑进行了什么样的保护?如果只是安装了查毒软件或者防火墙以为平安无事了,那么您对安全性的真正意义可以说是完全不了解。
2 register global
从PHP4.2.0开始,php.ini的register_global选项的默认值预设为Off。当register_globals设定为On时,您的程序将可以接收来自服务器中的各种环境变量,包括表单提交的变量,而且由于PHP不必事先初始化变量的值,从而导致很大的安全隐患.例如HTML表单的请求变量。由于PHP不需要事先初始化变量的值,这就会更容易写出不安全的代码。这是个很艰难的抉择,但PHP社区还是决定默认关闭此选项。当打开时,人们使用变量时确实不知道变量是哪里来的,只能想当然。但是register_globals的关闭改变了这种代码内部变量和客户端发送的变量混杂在一起的糟糕情况。
3 安全模式
安全模式( safe_mode)是PHP用来限制文档的存取、限制环境变量的存取,以及控制外部程序的执行。
由于网站服务器是以单一系统使用者的模式在运行,因此这个系统的使用者账号必须能够读取每个使用者的文档。这表示在网站服务器上执行的任何代码文档都能够存取每个使用者的文档。PHP的安全模式在多用户的系统上设置一些限制选项来保障程序的安全运行。安全模式只能限制PHP的文档,但是不能限制PHP执行的外部应用程序。因此将可执行的应用程序放置在一个安全的文件夹内,不要让外部用户执行。 启动PHP的安全模式,将php.ini文件的safe_mode选项(directive)设置为On:
safe_mode = On
事例1:
test.php内容如下:
<?php if($authorized){ echo "变量赋值"; }else{ echo "变量没有赋值"; }当php.ini中的register_globals=Off时
访问网址:http://localhost/test.php?authorized=1
输出结果为:
变量没有赋值。
当php.ini中的register_globals=On时
攻击:
变量未初始化,可以通过url对变量赋值
输出结果为
变量赋值
防护:
变量初始化,阻止通过url对变量赋值进行攻击。
需将代码改为:
<?php $authorized=false; if($authorized){ echo "变量赋值"; }else{ echo "变量没有赋值"; } 事例2:
例如:test.php内容如下:
<?phpif (isset($_SESSION['username'])){ echo "访问者:".$_SESSION['username'];}else{ echo "访问者尚未登陆";} 当访问http://localhost/test.php时,
输出:访问者尚未登陆
攻击:
在网址后面追加?_SESSION[username]=admin
即:http://localhost/test.php?_SESSION[username]=admin
输出:访问者:admin
防护:
session_start()开启session,获取session中的值,阻止通过url对session变量进行注入攻击。
代码改为<?phpsession_start ();if(isset($_SESSION['username'])){ echo "访问者:".$_SESSION['username'];}else{ echo "访问者尚未登陆";} 事例3:
当php.ini中的allow_url_fopen = On时
demo.php中的内容如下:
<?php @include "$path";if(!isset($path)){ echo "文件没有被调用";} test.php中的内容为:
<?phpecho "this is test.php。文件被调用。";
当访问网址:
http://localhost/demo.php时
输出:文件没有被调用。
攻击:
在链接后面拼接?path=test.php
即:访问http://localhost/demo.php?path=test.php
输出:this is test.php。文件被调用。
保护:
同上对path变量初始化。
注:
可以调用ini_get_all函数来显示 PHP的设定值。
例如:
<?php echo "<pre class="brush:php;toolbar:false">"; print_r(ini_get_all()); echo "";
运行结果部分如下:
可以通过
<?phpini_set ("allow_url_fopen",1); 在php文件中修改配置
What is the difference between unset() and session_destroy()?May 04, 2025 am 12:19 AMThedifferencebetweenunset()andsession_destroy()isthatunset()clearsspecificsessionvariableswhilekeepingthesessionactive,whereassession_destroy()terminatestheentiresession.1)Useunset()toremovespecificsessionvariableswithoutaffectingthesession'soveralls
What is sticky sessions (session affinity) in the context of load balancing?May 04, 2025 am 12:16 AMStickysessionsensureuserrequestsareroutedtothesameserverforsessiondataconsistency.1)SessionIdentificationassignsuserstoserversusingcookiesorURLmodifications.2)ConsistentRoutingdirectssubsequentrequeststothesameserver.3)LoadBalancingdistributesnewuser
What are the different session save handlers available in PHP?May 04, 2025 am 12:14 AMPHPoffersvarioussessionsavehandlers:1)Files:Default,simplebutmaybottleneckonhigh-trafficsites.2)Memcached:High-performance,idealforspeed-criticalapplications.3)Redis:SimilartoMemcached,withaddedpersistence.4)Databases:Offerscontrol,usefulforintegrati
What is a session in PHP, and why are they used?May 04, 2025 am 12:12 AMSession in PHP is a mechanism for saving user data on the server side to maintain state between multiple requests. Specifically, 1) the session is started by the session_start() function, and data is stored and read through the $_SESSION super global array; 2) the session data is stored in the server's temporary files by default, but can be optimized through database or memory storage; 3) the session can be used to realize user login status tracking and shopping cart management functions; 4) Pay attention to the secure transmission and performance optimization of the session to ensure the security and efficiency of the application.
Explain the lifecycle of a PHP session.May 04, 2025 am 12:04 AMPHPsessionsstartwithsession_start(),whichgeneratesauniqueIDandcreatesaserverfile;theypersistacrossrequestsandcanbemanuallyendedwithsession_destroy().1)Sessionsbeginwhensession_start()iscalled,creatingauniqueIDandserverfile.2)Theycontinueasdataisloade
What is the difference between absolute and idle session timeouts?May 03, 2025 am 12:21 AMAbsolute session timeout starts at the time of session creation, while an idle session timeout starts at the time of user's no operation. Absolute session timeout is suitable for scenarios where strict control of the session life cycle is required, such as financial applications; idle session timeout is suitable for applications that want users to keep their session active for a long time, such as social media.
What steps would you take if sessions aren't working on your server?May 03, 2025 am 12:19 AMThe server session failure can be solved through the following steps: 1. Check the server configuration to ensure that the session is set correctly. 2. Verify client cookies, confirm that the browser supports it and send it correctly. 3. Check session storage services, such as Redis, to ensure that they are running normally. 4. Review the application code to ensure the correct session logic. Through these steps, conversation problems can be effectively diagnosed and repaired and user experience can be improved.
What is the significance of the session_start() function?May 03, 2025 am 12:18 AMsession_start()iscrucialinPHPformanagingusersessions.1)Itinitiatesanewsessionifnoneexists,2)resumesanexistingsession,and3)setsasessioncookieforcontinuityacrossrequests,enablingapplicationslikeuserauthenticationandpersonalizedcontent.
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Zend Studio 13.0.1
Powerful PHP integrated development environment
SecLists
SecLists is the ultimate security tester's companion. It is a collection of various types of lists that are frequently used during security assessments, all in one place. SecLists helps make security testing more efficient and productive by conveniently providing all the lists a security tester might need. List types include usernames, passwords, URLs, fuzzing payloads, sensitive data patterns, web shells, and more. The tester can simply pull this repository onto a new test machine and he will have access to every type of list he needs.
Dreamweaver CS6
Visual web development tools
Atom editor mac version download
The most popular open source editor
SublimeText3 Mac version
God-level code editing software (SublimeText3)
