Home > Article > Backend Development > Learn the essence of PHP and write efficient PHP code safely_PHP Tutorial
1. Filter input and avoid output
Sometimes we abbreviate the phrase "filter input, avoid output" to FIEO, which has become a security mantra for PHP applications.
1. Use ctype for verification
ctype: http://php.net/ctype
2. Use PCRE (Perl compatible regular expression) for verification
PCRE: http://php.net/pcre
2. Cross-site scripting
Cross-site scripting, often referred to as XSS, attack vectors target the location of a user-supplied variable in the application output, but the variable is not properly escaped. This allows an attacker to inject a client-side script of their choice as part of the value of this variable. Here is an example of code that is vulnerable to this type of attack:
<span><</span><span>form </span><span>action</span><span>="<?php echo $_SERVER['PHP_SELF'];?>"</span><span>></span> <span><</span><span>input </span><span>type</span><span>="submit"</span><span> value</span><span>="submit"</span> <span>/></span> <span></</span><span>form</span><span>></span>
Online resources:
1. http://ha.ckers.org/xss.html
2. http://shiflett.org/articles/cross-site-scripting
3. http://seancoates.com/blogs/xss-woes
3. Fake cross-site scripting
Let’s say an attacker wants to get an expensive item from a popular online store without paying for it. Instead, they want an unsuspecting victim to pay the amount. Their weapon of choice: a fake cross-site request. The goal of this type of attack is to have the victim send a request to a specific website, thereby using the identity information that the victim has registered with that website.
Online Resources:
1. http://shiflett.org/articles/cross-site-request-forgeries
2. http://shiflett.org/articles/foiling-cross-site-attacks
4. Session fixation
As shown previously, user sessions are a frequent target, and this ability to identify potential victims and target websites allows some attacks to take advantage of them. Here are 3 ways an attacker can obtain a valid session identifier. Arranged in order of difficulty, they are:
1. Fixed
2. Capture
3. Prediction
Online resources:
1. http://shiflett.org/articles/session-fixation
2. http://phpsec.org/projects/guide/4.html#4.1
3. http://www.owasp.org/index.php/Session_fixation
5. Session Hijacking
The term session hijacking is a bit confusing because we use it to describe two things:
1. Any type of attack that results in an attacker gaining access to a session on a website associated with the victim's account, regardless of how he gained access.
2. A specific type of attack that requires capturing an established session identifier rather than obtaining the session identifier through fixed techniques or prediction.
Online resources:
1. http://shiflett.org/articles/session-hijacking
2. http://shiflett.org/articles/the-truth-about-sessions
3. http://phpsec.org/projects/guide/4.html#4.2
6. SQL injection
The nature of this type of attack is related to the "filtering input and avoiding output" mentioned earlier. Basically, SQL injection is very similar to XSS, where the attack object causes the application to think that the user input means more than the data it represents. The purpose of XSS is to have those inputs executed as client-side code; while the purpose of SQL injection is to have those inputs be considered a SQL query, or part of a query.
Online Resources:
1. http://shiflett.org/articles/sql-injection
2. http://phpsec.org/projects/guide/3.html#3.2
7. Save password
In situations where web applications can effectively handle user input in database queries, attackers need to use a wider range of means to access user accounts. Typically, this also includes obtaining the victim's access credentials to access their data.
One way to achieve this is to force entry into the database server used by the web application. Depending on what database you use, how the database is configured, and other related information, attackers have many ways to break in.
Online Resources:
1. http://php.net/mcrypt
2. http://www.openwall.com/phpass/
3. http://codahale.com/how-to-safely-store-a-password/
8. Brute force attack
The technical threshold for hacking into a database or decrypting an encrypted password is too high for an attacker. In this case, the attacker might try to use a script that simulates the HTTP request of a normal user using a browser to log in to the web application. They try to log in with a given username and a random password until they find the correct password. This method is called a "brute force attack."
Online resources:
1. https://www.owasp.org/index.php/Brute_force_attack
2. http://en.wikipedia.org/wiki/Brute-force_attack
9. SSL
Online resources:
1. http://arst.ch/bgm
2. http://www.owasp.org/index.php/SSL_Best_Practices
PHP security related resources:
1. http://www.php.net/manual/en/security.php The PHP manual has chapters on various security issues
2. http://phpsecurity.org/ This is the website related to the book "Essential PHP Security"
3. http://phpsec.org/projects/guide/ One of the projects of the PHP Security Association is "PHP Security Guide"
4. http://www.enigmagroup.org/ This website provides information and practical exercises on many potential attack vectors for web applications and forums.