Home >Backend Development >PHP Tutorial >The Essence of Script Security_PHP+MYSQL Page 1/3_PHP Tutorial
Preface to the existence of problems
If you consider code security from the code level, that is, the application level (that is, without considering the vulnerabilities of the underlying language itself), script security issues are functions and variables problem. Variables directly or indirectly receive unsafe input from users. Due to the characteristics of PHP itself, it is easier to find this kind of variable confusion in PHP (many PHP programs are used to define, initialize and receive variables, which can be used directly in the program The initialization of variables such as $id is completely completed by PHP settings. If you are not careful, it may cause confusion in the variables and lead to attacks).
After a variable receives unsafe input and is used in different places without proper filtering, it may cause different harms. If you directly enter the database and display it to the user, it will cause a cross-site scripting attack. If it is used in a sql statement, it may cause a Sql injection attack. These attacks have nothing to do with the specific scripting language. In various scripting languages All may exist. Since PHP variables are very flexible, if these harmful variables are used in some logical statements, it will cause the skipping of critical code such as authentication failure and skipping the initialization of some variables, causing confusion in the program logic and other vulnerabilities. If this variable is used in dangerous functions such as include, etc., of course there will be a file inclusion vulnerability. If it appears in the fopen function, it may cause a file writing vulnerability. If it appears in the mysql_query function, it will be a Sql injection vulnerability, eval and preg_replace. It may lead to the execution of code, appearing in the htmlspecia function may cause errors, and the environment in which the absolute path leak variable appears determines its possible harm.
After thinking about the existence of the problem, how to check this kind of vulnerability from the code level? Of course, being familiar with the PHP language is the most basic. You should also grasp functions and variables. If there are variables in dangerous functions, please determine the source of the variables, whether they are correctly initialized, and whether sensitive characters can be injected by users after initialization. Whether these sensitive characters have been completely cleared before entering the function. The difficulty in code review work may lie in determining the source of variables, which requires familiarity with PHP features and the code you are reviewing, but not all sources of variables are clearly visible, and some initialization codes may not be as clear as When you run it imaginatively, some of the things in the variables may come from places you don't want them to come from, and some variables may come from the database or system configuration files, but it is very likely that the database and configuration files have been modified before, or These variables are unsafely manipulated later and cannot be trusted. Next, we will think about the security of script code according to the ideas of variables and functions.
2 Where do variables come from?
1 Displayed input
Where does the variable come from? In fact, it means where the threat comes from. Just thinking about it from the web, what kind of website is the safest? Obviously, those websites that only provide static Html pages are the safest, because such websites do not interact with the browser in any way. It is like robbing an airtight bank. It is difficult to achieve, but for a large forum or script The program is different. When you log in, you need to pass variables such as username and password to the server. Even the IP and browser you logged in to are the objects captured by the program. The process of capturing an interaction with the server, such as posting a post, is captured by the program. Wait and you will find that the data transmission between the browser and the server may be visible to you, including the submitted form, address bar parameters, etc., but what you cannot see includes cookies, and HTTP headers are submitted data, that is, variables. place. These places are also the original entrances for the server to process data. So how does the PHP program accept variables? All submitted variables are saved in some arrays by PHP, including
$_GET
$_POST
$_COOKIE
$_FILES
$_SERVER
For initial convenience and flexibility, There is such an option in the php settings
register_globals
When this option is on, the variables that appear above will become a member of $GLOBALS and can be used directly without obtaining them in the script. , and overridden in the order of
variables_order
. Many programs consider register_globals to be off, so they use the following code when initializing the program:
@extract(daddslashes($_POST));
@extract(daddslashes($_GET));
These codes play the role of register_globals, which also releases the contents of POST and GET as global variables, but the danger may be greater, which will be mentioned later.