search
HomeBackend DevelopmentPHP TutorialSummary of some methods to prevent SQL injection attacks (1/2)_PHP tutorial

Here the editor will share with you some examples and experiences of preventing SQL injection attacks summarized by webmasters. I hope this tutorial can provide some help to all students.

1. Configuration on the server side

Security, PHP code writing is one aspect, and PHP configuration is very critical.

We installed PHP manually. The default configuration file of PHP is in /usr/local/apache2/conf/php.ini. Our most important thing is to configure the content in php.ini so that we can execute PHP more safely. The security settings in the entire PHP are mainly to prevent attacks from phpshell and SQL Injection. Let’s discuss it slowly. We first use any editing tool to open /etc/local/apache2/conf/php.ini. If you install it in other ways, the configuration file may not be in this directory.

(1) Turn on the safe mode of php

php’s safe mode is a very important built-in security mechanism that can control some functions in php, such as system(),

At the same time, the permissions of many file operation functions are controlled, and certain key files, such as /etc/passwd, are not allowed.

But the default php.ini does not open safe mode, let’s open it:

safe_mode = on

(2) User group security

When safe_mode is turned on, safe_mode_gid is turned off, then the php script can access the file, and it is the same

Users in the

group can also access the file.

Recommended settings are:

safe_mode_gid = off

If we don’t set it up, we may not be able to operate the files in our server website directory. For example, we need to

When operating on files.

(3) The main directory of the execution program in safe mode

If safe mode is turned on but you want to execute certain programs, you can specify the home directory of the program to be executed:

safe_mode_exec_dir = D:/usr/bin

Generally, there is no need to execute any program, so it is recommended not to execute the system program directory. You can point to a directory,

Then copy the program that needs to be executed, such as:

safe_mode_exec_dir = D:/tmp/cmd

However, I recommend not to execute any program, then you can point to our web directory:

safe_mode_exec_dir = D:/usr/www

(4) Include files in safe mode

If you want to include certain public files in safe mode, then change the options:

safe_mode_include_dir = D:/usr/www/include/

In fact, generally the files included in php scripts have been written in the program itself. This can be set according to specific needs.

(5) Control the directories that php scripts can access

Use the open_basedir option to control the PHP script to only access the specified directory, which can prevent the PHP script from accessing

Files that should not be accessed limit the harm of phpshell to a certain extent. We can generally set it to only access the website directory:

open_basedir = D:/usr/www

(6) Turn off dangerous functions

If safe mode is turned on, function prohibition is not necessary, but we still consider it for safety. For example,

We don’t think we want to execute php functions including system() that can execute commands, or that can view php information

phpinfo() and other functions, then we can ban them:

disable_functions = system,passthru,exec,shell_exec,popen,phpinfo

If you want to prohibit any file and directory operations, you can close many file operations

disable_functions = chdir,chroot,dir,getcwd,opendir,readdir,scandir,fopen,unlink,delete,copy,mkdir, rmdir,rename,file,file_get_contents,fputs,fwrite,chgrp,chmod,chown

The above only lists some of the commonly used file processing functions. You can also combine the above execution command function with this function,

It can resist most phpshells.

(7) Close the leakage of PHP version information in the http header

In order to prevent hackers from obtaining the PHP version information in the server, we can turn off the information in the http header:

expose_php = Off

For example, when a hacker telnet www.12345.com 80, he will not be able to see PHP information.

(8) Close registration of global variables

Variables submitted in PHP, including those submitted using POST or GET, will be automatically registered as global variables and can be accessed directly,

This is very unsafe for the server, so we can’t let it be registered as a global variable, so we turn off the register global variable option:

register_globals = Off

Of course, if this is set, then reasonable methods must be used to obtain the corresponding variables, such as obtaining the variable var submitted by GET,

Then you need to use $_GET['var'] to get it. PHP programmers should pay attention to this.

(9) Turn on magic_quotes_gpc to prevent SQL injection

SQL injection is a very dangerous problem. In the smallest case, the website backend may be invaded, or in the worst case, the entire server may collapse.

So be careful. There is a setting in php.ini:

magic_quotes_gpc = Off

This is turned off by default. If it is turned on, it will automatically convert the SQL query submitted by the user,

For example, convert ' to ', etc., which plays a significant role in preventing sql injection. So we recommend setting it to:

magic_quotes_gpc = On

(10) Error message control

Generally, PHP will prompt an error when it is not connected to the database or under other circumstances. Generally, the error message will contain a PHP script when

The path information before

or the query SQL statement and other information are unsafe if provided to hackers, so it is generally recommended that servers disable error prompts:

display_errors = Off

If you want to display an error message, be sure to set the level of display error, for example, only display information above warning:

error_reporting = E_WARNING & E_ERROR

Of course, I still recommend turning off error prompts.

(11) Error log

It is recommended to record the error information after turning off display_errors, so as to find the reason why the server is running:

log_errors = On

At the same time, you must also set the directory where the error log is stored. It is recommended that the root apache log be stored together:

error_log = D:/usr/local/apache2/logs/php_error.log

Note: The file must be given to allow the apache user and group to have write permissions.

1 2

www.bkjia.comtruehttp: //www.bkjia.com/PHPjc/632834.htmlTechArticleHere the editor will share with you some examples and experiences of preventing SQL injection attacks summarized by webmasters. I hope this tutorial I can provide some help to my classmates. 1. Configure on the server side...
Statement
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
SQL Server使用CROSS APPLY与OUTER APPLY实现连接查询SQL Server使用CROSS APPLY与OUTER APPLY实现连接查询Aug 26, 2022 pm 02:07 PM

本篇文章给大家带来了关于SQL的相关知识,其中主要介绍了SQL Server使用CROSS APPLY与OUTER APPLY实现连接查询的方法,文中通过示例代码介绍的非常详细,下面一起来看一下,希望对大家有帮助。

SQL Server解析/操作Json格式字段数据的方法实例SQL Server解析/操作Json格式字段数据的方法实例Aug 29, 2022 pm 12:00 PM

本篇文章给大家带来了关于SQL server的相关知识,其中主要介绍了SQL SERVER没有自带的解析json函数,需要自建一个函数(表值函数),下面介绍关于SQL Server解析/操作Json格式字段数据的相关资料,希望对大家有帮助。

聊聊优化sql中order By语句的方法聊聊优化sql中order By语句的方法Sep 27, 2022 pm 01:45 PM

如何优化sql中的orderBy语句?下面本篇文章给大家介绍一下优化sql中orderBy语句的方法,具有很好的参考价值,希望对大家有所帮助。

Monaco Editor如何实现SQL和Java代码提示?Monaco Editor如何实现SQL和Java代码提示?May 07, 2023 pm 10:13 PM

monacoeditor创建//创建和设置值if(!this.monacoEditor){this.monacoEditor=monaco.editor.create(this._node,{value:value||code,language:language,...options});this.monacoEditor.onDidChangeModelContent(e=>{constvalue=this.monacoEditor.getValue();//使value和其值保持一致i

一文搞懂SQL中的开窗函数一文搞懂SQL中的开窗函数Sep 02, 2022 pm 04:55 PM

本篇文章给大家带来了关于SQL server的相关知识,开窗函数也叫分析函数有两类,一类是聚合开窗函数,一类是排序开窗函数,下面这篇文章主要给大家介绍了关于SQL中开窗函数的相关资料,文中通过实例代码介绍的非常详细,需要的朋友可以参考下。

如何在Python中根据运行时修改业务SQL代码?如何在Python中根据运行时修改业务SQL代码?May 08, 2023 pm 02:22 PM

1.缘起最近项目在准备搞SASS化,SASS化有一个特点就是多租户,且每个租户之间的数据都要隔离,对于数据库的隔离方案常见的有数据库隔离,表隔离,字段隔离,目前我只用到表隔离和字段隔离(数据库隔离的原理也是差不多)。对于字段隔离比较简单,就是查询条件不同而已,比如像下面的SQL查询:SELECT*FROMt_demoWHEREtenant_id='xxx'ANDis_del=0但是为了严谨,需求上需要在执行SQL之前检查对应的表是否带上tenant_id的查询字段

怎么利用Spring Boot监控SQL运行情况怎么利用Spring Boot监控SQL运行情况May 11, 2023 pm 05:13 PM

1.准备工作首先我们来创建一个SpringBoot工程,引入MyBatis等,如下:选一下MyBatis和MySQL驱动,做一个简单的测试案例。先来连接一下数据库:spring.datasource.username=rootspring.datasource.password=123spring.datasource.url=jdbc:mysql:///test05?serverTimezone=Asia/Shanghai创建一个User实体类,做一个简单的查询案例,如下:publicclas

SqlServer创建自动收缩事务日志任务的图文详解SqlServer创建自动收缩事务日志任务的图文详解Sep 09, 2022 pm 01:41 PM

本篇文章给大家带来了关于SQL server的相关知识,SQL Server数据库存在一个问题,如果你限制了它的日志文件的大小,那么当数据库日志达到这个大小的时候,数据库就会停止写入日志,下面这介绍了关于SqlServer创建自动收缩事务日志任务的相关资料,希望对大家有帮助。

See all articles

Hot AI Tools

Undresser.AI Undress

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress AI Tool

Undress images for free

Clothoff.io

Clothoff.io

AI clothes remover

AI Hentai Generator

AI Hentai Generator

Generate AI Hentai for free.

Hot Article

R.E.P.O. Energy Crystals Explained and What They Do (Yellow Crystal)
2 weeks agoBy尊渡假赌尊渡假赌尊渡假赌
Repo: How To Revive Teammates
4 weeks agoBy尊渡假赌尊渡假赌尊渡假赌
Hello Kitty Island Adventure: How To Get Giant Seeds
4 weeks agoBy尊渡假赌尊渡假赌尊渡假赌

Hot Tools

SublimeText3 Mac version

SublimeText3 Mac version

God-level code editing software (SublimeText3)

Dreamweaver CS6

Dreamweaver CS6

Visual web development tools

ZendStudio 13.5.1 Mac

ZendStudio 13.5.1 Mac

Powerful PHP integrated development environment

Safe Exam Browser

Safe Exam Browser

Safe Exam Browser is a secure browser environment for taking online exams securely. This software turns any computer into a secure workstation. It controls access to any utility and prevents students from using unauthorized resources.

PhpStorm Mac version

PhpStorm Mac version

The latest (2018.2.1) professional PHP integrated development tool