Home  >  Article  >  php教程  >  php xfocus anti-injection information

php xfocus anti-injection information

黄舟
黄舟Original
2016-12-14 11:49:501092browse

There is no deep technical content here, I just talked about it briefly. (If there are no specific instructions, the following operations are all based on PHP+MySQL+Apache) When various hackers are rampant now, how to realize the security of your own PHP code and ensure the security of the program and server is a very important issue. I will After looking at the information about PHP security, there is not a lot, at least much less than ASP, haha, so I wanted to write something to prevent these possible situations. There is no deep technical content here, I just talked about it briefly. (If there is no specific explanation, the following operations are all based on the situation of PHP+MySQL+Apache)
Let’s talk about security issues first. The above article is an article about PHP security in the security focus. It basically introduces some aspects about PHP in a comprehensive way. Security Question.

When coding in PHP, if you consider some basic security issues, first of all:
1. Initialize your variables

Why do you say this? Let's look at the following code:
if ($admin)
{
echo 'Login successful! ';
include('admin.php');
}
else
{
echo 'You are not an administrator and cannot manage! ';
}

Okay, we see that the above code seems to be running normally and there is no problem. Then let me submit an illegal parameter to it. What will be the effect? Think about it, are we directly the administrators and manage them directly?
Of course, maybe we won’t make such a simple mistake, and some very secret errors may also cause this problem. For example, there is a vulnerability in the phpwind 1.3.6 forum that was recently exposed, which allows the administrator to directly obtain administrator rights. Because there is a $skin variable that is not initialized, it leads to a series of problems later.

So how do we avoid the above problems? First, start with php.ini and set register_global = off in php.ini. This means that not all registered variables are global, so this can be avoided. However, we are not server administrators and can only improve the code. So how do we improve the above code? We rewrite it as follows:
$admin = 0; // Initialize variables
if ($_POST['admin_user'] && $_POST['admin_pass'])
{
// Determine whether the submitted administrator username and password are correct Corresponding processing code
// ...
$admin = 1;
}
else
{
$admin = 0;
}

if ($admin)
{
echo 'Login successful! ';
include('admin.php');
}
else
{
echo 'You are not an administrator and cannot manage! ';
}

Because we initialized the variable to $admin = 0 at the beginning, then you cannot obtain administrator privileges through this vulnerability.


2. Prevent SQL Injection (sql injection)

SQL injection should be the most harmful program at present, including the earliest from asp to php, which are basically popular technologies in China in the past two years. The basic principle is to submit The unfiltered variables form an injection point and then allow malicious users to submit some SQL query statements, resulting in important data being stolen, data lost or damaged, or being invaded into the backend management.
So now that we understand the basic methods of injection invasion, how can we prevent it? We should start with the code.

We know that there are two ways to submit data on the Web, one is get and the other is post, so many common sql injections start from the get method, and the injection statements must contain some sql statements, because If there is no sql statement, how to proceed? There are four major sql statements:
select, update, delete, and insert. So if we filter the data we submit, can we avoid these problems?
So we use regular expressions to construct the following function:

/*
Function name: inject_check()
Function function: Detect whether the submitted value contains SQL injection characters, prevent injection, and protect server security
Parameters: $sql_str: Submit Variable
Return value: Return the detection result, true or false
Function author: heiyeluren
*/
function inject_check($sql_str)
{
return eregi('select|insert|update|delete|'|/*|*| ../|./|union|into|load_file|outfile', $sql_str); // Filter
}

In our function, select, insert, update, delete, union, into, load_file, outfile /*, ./, ../, ' and other dangerous parameter strings are all filtered out, then you can control the submitted parameters. The program can be constructed like this:

if (inject_check($_GET['id']))
{
exit('The data you submitted is illegal, please check and resubmit!');
}
else
{
$id = $_GET['id '];
echo 'The submitted data is legal, please continue! ';
}
?>
Ours is in compliance with the above rules, but it does not meet the requirements, so for possible other situations, we build a function to check:

/*
Function name: verify_id()
Function function: Verify whether the submitted ID class value is legal
Parameters: $id: Submitted ID value
Return value: Return the processed ID
Function author: heiyeluren
*/
function verify_id( $id=null)
{
if (!$id) { exit('No parameters submitted!'); } // Determine whether it is empty
elseif (inject_check($id)) { exit('The parameters submitted are illegal! '); } // Injection judgment
elseif (!is_numeric($id)) { exit('The submitted parameter is illegal!'); } // Numeric judgment
$id = intval($id); // Integerization

return $id;
}

Haha, then we can perform verification, so our program code above becomes the following:

if (inject_check($_GET['id']))
{
exit('The data you submitted is illegal, please check and resubmit!');
}
else
{
$id = verify_id($_GET['id']); // Our filter function is quoted here , filter $id
echo 'The submitted data is legal, please continue! ';
}
?>

Okay, the problem seems to be solved here, but have we considered the data submitted by post and the large batch of data?
For example, some characters may cause harm to the database, such as '_', '%'. These characters have special meanings, so what if we control them? Another point is that when magic_quotes_gpc = off in our php.ini, the submitted data that does not comply with the database rules will not automatically be preceded by ' '. Then we need to control these problems, so we build it as follows Function:

/*
Function name: str_check()
Function function: filter the submitted string
Parameters: $var: the string to be processed
Return value: return the filtered string
Function author: heiyeluren
*/
function str_check( $str )
{
if (!get_magic_quotes_gpc()) // Determine whether magic_quotes_gpc is turned on
{
$str = addslashes($str); // Filter
}
$str = str_replace( "_", "_", $str); // Filter out '_'
$str = str_replace("%", "%", $str); // Filter out ' % '

return $ str;
}

OK, we once again avoided the danger of the server being compromised.

Finally, consider submitting some large batches of data, such as posting, or writing articles or news. We need some functions to help us filter and convert. Based on the above functions, we build the following functions:

/*
Function name: post_check()
Function function: Process the submitted editing content
Parameters: $post: The content to be submitted
Return value: $post: Return the filtered content
Function author: heiyeluren
*/
function post_check($post)
{
if (!get_magic_quotes_gpc()) // Determine whether magic_quotes_gpc is open
{
$post = addslashes($post); // Filter the submitted data if magic_quotes_gpc is not open
}
$post = str_replace("_", "_", $post); // Filter out '_'
$post = str_replace("%", "%", $post); // Filter out ' % 'Filter out
$post = nl2br($post); // Enter conversion
$post= htmlspecialchars($post); // HTML tag conversion

return $post;
}

Haha, basically here, we I have talked about some situations. In fact, I feel that I have said very little. At least I have only talked about two aspects, and there is very little content in the whole security. I will consider talking about more next time, including PHP security configuration. , apache security, etc., let our security be as a whole and be the safest.

Finally, let me tell you what is expressed above: 1. Initialize your variables 2. Be sure to remember to filter your variables

Thank you for reading. If you want to get more related content, please pay attention to the PHP Chinese website (www.php. cn)!

Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn