PHP security-function

Function

As I write this book, http://www.php.cn/ lists a total of 3917 functions, including some syntax structures similar to functions. I am not going to distinguish them from functions here, but Treat it as a function.

Due to the large number of functions, it is impossible to explain their correct and safe usage one by one. Here I have selected the functions that I think require the most attention. The selection criteria include frequency of use, degree of danger (safety) during use and my own experience.

For each listed function, I provide recommended usage. I will keep safety as a priority when proposing these methods. Please adjust accordingly according to your needs during actual use.

When one function has the same risk as another, I will give the information referring to the other function instead of describing it again redundantly.

B.1. eval( )

The eval( ) function is used to A string is parsed and run as a PHP statement. For example:

<?php
 
  $name = &#39;Chris&#39;;
 
  $string = &#39;echo "Hello, $name";&#39;;
  eval($string);
 
  ?>

In the above example, $string will be used as PHP statement to run, so it is equivalent to:

<?php
 
  $name = &#39;Chris&#39;;
 
  echo "Hello, $name";
 
  ?>

Although eval( ) is very useful, but can be very dangerous when tainted data is used. For example, in the following example, if $name is tainted, an attacker can run arbitrary PHP code:

  <?php
 
  $name = $_GET[&#39;name&#39;];
  eval($name);
 
  ?>

I recommend you avoid using eval() when you are not sure whether the string being interpreted in PHP uses tainted data, and when possible. This function should be highlighted during security reviews and peer reviews.

B.2. exec( )

As mentioned in Chapter 6, executing shell commands is a very dangerous operation. Using contaminated data when constructing shell commands can lead to command injection vulnerabilities.

Try to avoid using shell command functions, but when you do need to use them, be sure to use only filtered and escaped data when constructing the shell command.

<?php
 
  $clean = array();
  $shell = array();
 
  /* Filter Input ($command, $argument) */
 
  $shell[&#39;command&#39;] =
escapeshellcmd($clean[&#39;command&#39;]);
  $shell[&#39;argument&#39;] =
escapeshellarg($clean[&#39;argument&#39;]);
 
  $last = exec("{$shell[&#39;command&#39;]}
{$shell[&#39;argument&#39;]}", $output, $return);
 
  ?>

##B.3. file( )

file( ) function is one of my favorite ways to read files. It reads each line of the file as an element of the returned array. What's particularly convenient is that you don't need to provide a file handle - you provide the file name and it does everything for you:

  <?php
 
  $contents = file(&#39;/tmp/file.txt&#39;);
  print_r($contents);
 
  ?>

If the above file has two lines, it will produce output similar to the following:

Array
  (
      [0] => This is line one.
      [1] => This is line two.
  )

## Use file ( ) function is not particularly dangerous, but when used with the allow_url_fopen option turned on, it can read many different types of resources such as the content of a remote website:

<?php
 
  $contents = file(&#39;http://example.org/&#39;);
  print_r($contents);
 
  ?>

The output is as follows (abridged):

 Array
  (
      [0] => <html>
      [1] => <head>
      [2] => <title>Example Web
Page</title>
      [3] => </head>
      [4] => <body>
      ...
      [11] => </body>
      [12] => </html>
  )

## If a filename called by the file() function is constructed from tainted data, its contents should also be considered tainted. This is because using tainted data to construct file names may lead you to open a remote website with malicious data. Once you save data in a variable, the danger increases dramatically:

 <?php
  $tainted = file($_POST[&#39;filename&#39;]);
  ?>

  $tainted数组中的每个元素与$_POST['filename']有相同的危险性——它是输入并必须要进行过滤。

  在这里，其行为有可能是意想不到的——$_POST['filename']的误用可以改变file()函数的行为，因此它可以指向一个远程资源而不是本地文件。

 

B.4. file_get_contents( )

  参见 "file( )."

 

B.5. fopen( )

  参见 "file( )."

 

B.6. include

  如第5章所述，include在组织化与模块化的软件设计中被普遍使用，是非常有必要的。但是，不正确的使用include会造成一个重大的代码注入安全漏洞。

  在include语句中只使用已过滤数据是非常有必要的。在安全审查和同行评审中，应重点检查该函数。

 

B.7. passthru( )

  见"exec( )."

 

B.8. phpinfo( )

  phpinfo( )会输出有关PHP信息的页面——运行的版本号，配置信息等等。由于phpinfo( )的输出提供了非常多的信息，我建议限制对任何使用该函数的资源的访问。

  如果你使用的第八章中的技巧来保护数据库验证信息，则需要确认访问者不能看到由phpinfo( )形成的输出信息，这是由于它会暴露超级全局数组$_SERVER的内容。

 

B.9. popen( )

  参见"exec( )."

 

B.10. preg_replace( )

  preg_replace( )用于对符合正则表达式的字符串进行替换。在某些情况下，使用被污染数据构造正则表达式部分会非常危险，因为它的e修饰符会导致在替换时把用于替换的参数作为PHP代码来对待。例如(本例为译者所加)：

 

<?php
$str = "abcdef";
$se = "len";
$reg = "/abc/e";
echo preg_replace($reg,"strlen(\$se)",$str);
?>

 

会输出如下字串：

3def

 

  当使用了e修饰符，不管是否有意为之，它会带来与eval()相同的风险。在安全审查和同行评审中，应重点检查该函数。

 

B.11. proc_open( )

  参见 "exec( )."

 

B.12. readfile( )

  参见 "file( )."

 

B.13. require

  参见 "include."

 

B.14. shell_exec( )

  参见 "exec( )."

 

B.15. system( )

  参见 "exec( )."

 以上就是PHP安全-函数的内容，更多相关内容请关注PHP中文网（www.php.cn）！