php防注入及开发安全详细解析_php技巧-PHP源码-php.cn

Home

php教程

PHP源码

php防注入及开发安全详细解析_php技巧

PHP中文网

May 25, 2016 pm 05:15 PM

phpAnti-injection

以下是对php防注入及开发安全进行了详细的分析介绍，需要的朋友可以过来参考下

1、PHP注入的基本原理
程序员的水平及经验也参差不齐，相当大一部分程序员在编写代码的时候，没有对用户输入数据的合法性进行判断，使应用程序存在安全隐患。用户可以提交一段数据库查询代码，根据程序返回的结果，获得某些他想得知的数据，这就是所谓的 SQL Injection，即SQL注入。受影响的系统：对输入的参数不进行检查和过滤的系统.

SQL注入过程
正常来讲，我们通过地址接收一些必要的参数如：
页面中我们会使用 2 写入到SQL语句中
正常情况：Select * From Table where id=2

PHP100.php?id=2
如果我们对SQL语句熟悉，就知道2 我们可以替换成我们需要的SQL语句
如：and exists (select id from admin)

2、防止注入的几种办法
其实原来就是我们需要过滤一些我们常见的关键字和符合如：
Select，insert，update，delete，and，*，等等
例子:

代码如下:

function inject_check($sql_str) {
return preg_match(&#39;/select|insert|update|delete|/&#39;|///*|/*|/././/|/.//|union|into|load_file|outfile/i&#39;, $sql_str);      // 进行过滤
}

或者是通过系统函数间的过滤特殊符号
Addslashes（需要被过滤的内容）

3、PHP其他地方安全设置
register_globals = Off 设置为关闭状态
SQL语句书写时尽量不要省略小引号和单引号

代码如下:

Select * From Table Where id=2 (不规范)
Select * From ·Table· Where ·id·=&#39;2&#39; (规范)

提高数据库命名技巧，对于一些重要的字段可根据程序特点命名
对于常用方法加以封装，避免直接暴露SQL语句

正确的使用 $_POST $_GET $_SESSION 等接受参数，并加以过滤

Statement

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Hot AI Tools

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress images for free

Clothoff.io

AI clothes remover

AI Hentai Generator

Generate AI Hentai for free.

Hot Article

R.E.P.O. Energy Crystals Explained and What They Do (Yellow Crystal)

3 weeks agoBy尊渡假赌尊渡假赌尊渡假赌

R.E.P.O. Best Graphic Settings

3 weeks agoBy尊渡假赌尊渡假赌尊渡假赌

Assassin's Creed Shadows: Seashell Riddle Solution

2 weeks agoByDDD

R.E.P.O. How to Fix Audio if You Can't Hear Anyone

4 weeks agoBy尊渡假赌尊渡假赌尊渡假赌

WWE 2K25: How To Unlock Everything In MyRise

1 months agoBy尊渡假赌尊渡假赌尊渡假赌

Hot Tools

SublimeText3 Mac version

God-level code editing software (SublimeText3)

Safe Exam Browser

Safe Exam Browser is a secure browser environment for taking online exams securely. This software turns any computer into a secure workstation. It controls access to any utility and prevents students from using unauthorized resources.

MantisBT

Mantis is an easy-to-deploy web-based defect tracking tool designed to aid in product defect tracking. It requires PHP, MySQL and a web server. Check out our demo and hosting services.

SecLists

SecLists is the ultimate security tester's companion. It is a collection of various types of lists that are frequently used during security assessments, all in one place. SecLists helps make security testing more efficient and productive by conveniently providing all the lists a security tester might need. List types include usernames, passwords, URLs, fuzzing payloads, sensitive data patterns, web shells, and more. The tester can simply pull this repository onto a new test machine and he will have access to every type of list he needs.

ZendStudio 13.5.1 Mac

Powerful PHP integrated development environment

Hot Topics

Where is the login entrance for gmail email?

7500

CakePHP Tutorial

1377

What is the format of the account name of steam

win11 activation key permanent

nyt connections hints and answers