PHP programming function safety (PHP tutorial)
For those of us who want to do web security, the best way to learn is to study PHP itself, because when we get to the root of things, what we want is not the fish but the fishing. In China, version 1.0 and 2.0 PHP programs of every kind are popping up like mushrooms after rain. Yet everyone is watching the well-known CMS, forum and blog programs, and few people pay attention to the obscure ones. For the growing number of PHP programmers and webmasters, beyond relying on the server's hardening settings, you must understand the security of the PHP program itself.
Some people say PHP security is nothing more than injection and cross-site scripting. They are entirely wrong. If that were so, a magic_quotes_gpc setting or a few server security settings would finish us off completely :( What I want to talk about today is not injection or cross-site scripting, but some security details that exist inside PHP programs themselves. OK, let's get to the point.
Pay attention to the filtering of some functions
Some functions are used very frequently in programs. Functions such as include(), require(), fopen(), fwrite(), readfile(), unlink(), eval() and their variants are very practical, but practical does not mean they cost you nothing. If anything, these are the functions you have to worry about most :)
1. include(), require(), fopen(), include_once() and require_once() can all call files remotely. A quick Google search on their harm will make it clear: if the variable used in the call is not filtered, any file can be included and executed. For example, look at print.php:
…
if (empty($bn)) {                                  // check whether the variable $bn is empty
    include("$cfg_dir/site_${site}.php");          // include site_${site}.php from the $cfg_dir directory
}
…
Whether or not the $cfg_dir directory exists, the $site variable can be used freely, because it is never checked at all. You can point $site at a remote file or at a local one; write a PHP statement into the file you name, and the script will include and execute it. Just like this.
The listed file directory can even be used to include administrator files and escalate privileges, as in the earlier vulnerabilities of phpwind and bo-blog. Besides relying on allow_url_fopen being set to off in php.ini to forbid remote files, and on open_basedir to forbid files outside the directory, you must also declare in advance exactly which files may be included. I won't go into more detail here.
2. fopen(), file(), readfile(), openfile() and the like also deserve special attention. The functions themselves are harmless; their job is to open files. But if the variables they receive are not filtered thoroughly, source code will leak. Many text-file-based forums use functions like these.
…
$articlearray = openfile("$dbpath/$fid/$tid.php");  // open the file $tid.php under the path $dbpath/$fid (openfile() is the forum's own helper)
$topic_detail = explode("|", $articlearray[0]);     // split on the delimiter | to read the post's fields
…
It looks familiar. This is read.php from an earlier version of ofstar, and $fid and $tid receive no filtering at all; if $tid is supplied as the name of a file, that file's source code is leaked. Just like this.
The script itself appends .php to $tid, so you simply submit index to read index.php. This is only an example; let's move on.
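A hardened rewrite of the two patterns above (the print.php include and the read.php file open), added here as an example and not code from the article or from either forum. The variable names follow the article; the function names and the allowed site list are assumptions.

```php
<?php
// Added example (not from the original article): hardened versions of the
// print.php include pattern and the read.php file-open pattern.
// $cfg_dir, $site, $dbpath, $fid and $tid follow the article; the function
// names and the site list are assumptions.

/**
 * Allowlist check for the print.php pattern: only a fixed set of site
 * configuration names may be included, so $site can never name a remote
 * URL, another directory, or a file the author did not anticipate.
 */
function load_site_config(string $cfg_dir, string $site): void
{
    $allowed = ['main', 'mirror', 'mobile'];          // known site names (constructed)
    if (!in_array($site, $allowed, true)) {
        http_response_code(400);
        exit('unknown site');
    }
    include $cfg_dir . '/site_' . $site . '.php';     // $site is now one of three literals
}

/**
 * Path confinement for the read.php pattern: ids must be purely numeric
 * (so '/', '..', null bytes and 'index' are all rejected), and as defence
 * in depth the resolved path is checked against the data root before the
 * file is opened.
 */
function read_post(string $dbpath, string $fid, string $tid): array
{
    $root = realpath($dbpath);
    if ($root === false) {
        throw new RuntimeException('data directory missing');
    }
    if (!ctype_digit($fid) || !ctype_digit($tid)) {
        throw new InvalidArgumentException('bad id');
    }
    $path = realpath("$root/$fid/$tid.php");
    // realpath() resolves '..' and returns false for missing files, so a
    // prefix check (including the separator) is a reliable containment test.
    if ($path === false || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('post not found');
    }
    return file($path, FILE_IGNORE_NEW_LINES);
}
```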
3. Think about the holes in fwrite() and its variant functions: if the characters a user submits are not filtered, writing a PHP backdoor is not impossible.
4. The unlink() function. A while ago this function was used in phpwind to delete files arbitrarily: the variable deciding what to delete was not filtered, so it could be pointed at any file, and of course any file could then be deleted.
5. The eval() and preg_replace() (with the /e modifier) functions, whose purpose is to execute PHP code. What happens if the string is not filtered in any way? I often see them used in some CMS. Think about it: isn't the one-line PHP trojan built on the eval() principle?
6. As for system functions such as system(), you will say: disable them in php.ini. Yes, that is a good idea too, but what if a program needs them, like the beautiful PHP photo album I saw last time? Is it simply not allowed to use them? You also have to pay special attention to popen(), proc_open() and proc_close(). Although they give no direct output after running a command, do you think that makes them useless to a hacker? For this, PHP provides two functions, escapeshellarg() and escapeshellcmd(), which are used to defend against attacks on system-function calls, that is, for filtering.
As for the harm, let's take an example. Look at a forum's prod.php:
$doubleApp = isset($argv[1]);            // initialize the variable $doubleApp
…
if ($doubleApp)                          // if statement
{
    $appDir = $argv[1];                  // initialize $appDir
    system("mkdir $prodDir/$appDir");    // use the system function system() to create the directory $prodDir/$appDir
}
This was meant only to create the $prodDir/$appDir directory. But the program only checks whether $argv[1] exists and lacks the necessary filtering of $argv[1], so you can do this:
/prod.php?argv[1]=|ls%20-la or /prod.php?argv[1]=|cat%20/etc/passwd
(The | here is the UNIX pipe operator, which allows several commands to be executed.)
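The prod.php directory creation rewritten so that nothing from $argv[1] reaches a shell, added here as an example and not the forum's own code. $prodDir and $appDir follow the article; the function names are assumptions, and the second function exists only for the case the article raises where an external command genuinely cannot be avoided.

```php
<?php
// Added example (not from the original article): prod.php's directory
// creation without command injection. $prodDir and $appDir follow the
// article; the function names are assumptions.

function create_app_dir(string $prodDir, string $appDir): string
{
    // 1. Validate the name against a strict pattern. Pipes, spaces,
    //    semicolons, backticks, '..' and path separators all fail here,
    //    so "|ls -la" style input is rejected before anything runs.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $appDir)) {
        throw new InvalidArgumentException('invalid application name');
    }

    // 2. Prefer the native function: mkdir() takes a path, not a command
    //    line, so no shell is involved and no metacharacter is interpreted.
    $target = $prodDir . DIRECTORY_SEPARATOR . $appDir;
    if (!is_dir($target) && !mkdir($target, 0750, true)) {
        throw new RuntimeException("could not create $target");
    }
    return $target;
}

/**
 * Only when an external command is genuinely required (the article's point
 * about programs that cannot simply disable system()): escapeshellarg()
 * wraps the value in single quotes and escapes any embedded quotes, so the
 * shell receives it as one literal word, never as a second command.
 */
function create_app_dir_via_shell(string $prodDir, string $appDir): void
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $appDir)) {
        throw new InvalidArgumentException('invalid application name');
    }
    $cmd = 'mkdir ' . escapeshellarg($prodDir . '/' . $appDir);
    // Even without the pattern check, "|ls -la" would become the single
    // quoted argument '/prod/|ls -la' (an odd directory name), not a pipe.
    system($cmd, $status);
    if ($status !== 0) {
        throw new RuntimeException("mkdir failed with status $status");
    }
}
```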
By now you should have some idea of the common vulnerability types.
So don't just count on server-side settings; it's best to pay attention to the back-end program as well. Generally speaking, locking things down at the server level is the better option, but many operations involving the database are not so easy to control that way.