Common attacks on PHP applications are:
## SQL injection
SQL injection is an attack in which user-supplied input is placed into an SQL statement so that the statement's logic changes. The related command injection uses the same mechanism but targets shell commands instead: unvalidated input reaches system() or exec().
## XSS attack
XSS (cross-site scripting) is an attack in which a user submits data to your website that contains client-side script (usually JavaScript). If you output that data on another page without filtering or escaping, the script runs in the browser of whoever views that page. Any user-submitted text content must therefore be treated as untrusted.
## Session fixation
Session security assumes that a PHPSESSID is difficult to guess. However, PHP can accept a session ID via a cookie or via the URL. An attacker can therefore fix the session: trick a victim (for example through a phishing link) into using a session ID the attacker already knows, and then use that same ID after the victim logs in.
## Session capture and hijacking
This is the same idea as session fixation, but it involves stealing the session ID instead of planting it. If the session ID is stored in a cookie, it can be stolen via XSS and JavaScript. If the session ID is included in the URL, it can also be obtained through sniffing or from a proxy server's logs.
Prevent session capture and hijacking:
* Regenerate the session ID (for example on login or on a privilege change)
* If using sessions, make sure the user is using SSL/TLS
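A session setup that applies both measures, added here as an example (this is not code from the original article; it assumes PHP 7.3 or later and a site served over HTTPS):

```php
<?php
// Added example: hardening PHP sessions against fixation and hijacking.
// Assumes PHP >= 7.3 (array form of session_set_cookie_params) and HTTPS.
declare(strict_types=1);

function start_hardened_session(): void
{
    // Never accept a session ID from the URL; cookies only.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject client-supplied IDs that the server did not create (blocks fixation).
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // cookie is only sent over TLS
        'httponly' => true,   // not readable by JavaScript, limits theft via XSS
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call after a successful login or privilege change so that a pre-auth ID
// (possibly planted by an attacker) is never promoted to an authenticated session.
function on_login(int $userId): void
{
    session_regenerate_id(true);  // true: discard the old session data
    $_SESSION['user_id'] = $userId;
    $_SESSION['ua_hash'] = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Cheap hijack check: a session whose client fingerprint changed is discarded.
function require_valid_session(): bool
{
    if (!isset($_SESSION['user_id'], $_SESSION['ua_hash'])) {
        return false;
    }
    $ua = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (!hash_equals($_SESSION['ua_hash'], $ua)) {
        session_unset();
        session_destroy();
        return false;
    }
    return true;
}

// Usage (constructed): start_hardened_session(); on successful login, on_login($id);
// on every protected page, redirect to login unless require_valid_session() is true.
```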
## Cross-site request forgery (CSRF)
A CSRF attack makes a victim's browser send a request to a website where the victim is already authenticated. The request looks like a trusted user's action, although the user never intended to make it.
## Code injection
Code injection exploits a flaw in how the application processes invalid data. The problem arises when you inadvertently execute arbitrary code, usually via file inclusion: poorly written code can allow a remote file to be included and executed.