Command injection attacks

PHP can use the following five functions to execute external applications or commands: system, exec, passthru, shell_exec, and the backtick operator `` (same as shell_exec).

Function prototypes:

string system(string command, int &return_var)
    command: the command to be executed
    return_var: stores the status value after the command is executed

string exec(string command, array &output, int &return_var)
    command: the command to be executed
    output: receives each line of the command's output
    return_var: stores the status value after the command is executed

void passthru(string command, int &return_var)
    command: the command to be executed
    return_var: stores the status value

string shell_exec(string command)
    command: the command to be executed

Command execution vulnerability, Example 1:

```php
// ex1.php
<?php
$dir = $_GET["dir"];
if (isset($dir)) {
    echo "<pre>";
    system("ls -al " . $dir);
    echo "</pre>";
}
?>
```

If we submit http://www.bkjia.com/ex1.php?dir=|cat /etc/passwd, the executed command becomes system("ls -al | cat /etc/passwd").

eval injection attacks

The eval function takes its string parameter and executes it as PHP program code. Function prototype: mixed eval(string code_str). eval injection usually occurs when an attacker can control the input string.

```php
// ex2.php
<?php
$var = "var";
if (isset($_GET["arg"])) {
    $arg = $_GET["arg"];
    eval("\$var = $arg;");
    echo "\$var = " . $var;
}
?>
```

When we submit http://www.sectop.com/ex2.php?arg=phpinfo(); the vulnerability is triggered.

Dynamic functions

```php
<?php
function A() { dosomething(); }   // dosomething() is a placeholder in the original
function B() { dosomething(); }
if (isset($_GET["func"])) {
    $myfunc = $_GET["func"];
    echo $myfunc();
}
?>
```

The programmer intends to call functions A and B dynamically, but any function name is accepted: submitting http://www.sectop.com/ex.php?func=phpinfo calls phpinfo instead.

Defense against the vulnerability

1. Avoid executing external commands as much as possible.
2. Use a custom function or function library to replace external commands.
3. Use the escapeshellarg function to process command parameters.
4. Use safe_mode_exec_dir to specify the path of executable files.
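The first three defenses applied to ex1.php and to the dynamic-function dispatcher, as an added example that is not code from the original article; the base directory (__DIR__) and the allow-listed function names are assumptions.

```php
<?php
// Added example, not code from the original article: hardened replacements
// for ex1.php and the dynamic-function dispatcher. The base directory and
// the allowed function names are assumptions chosen for illustration.

// Defense 1/2: list a directory with PHP's own functions instead of a shell,
// and refuse any path that resolves outside the fixed base directory.
function list_directory(string $base, string $dir): array
{
    $baseReal = realpath($base);
    $target   = realpath($base . DIRECTORY_SEPARATOR . $dir);
    if ($baseReal === false || $target === false) {
        return [];
    }
    // realpath() resolves "..", so a prefix check on the resolved path
    // catches traversal attempts such as "../../etc".
    if (strpos($target . DIRECTORY_SEPARATOR, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return [];
    }
    return array_values(array_diff(scandir($target), ['.', '..']));
}

// Defense 3: when a shell command cannot be avoided, every user-supplied
// argument goes through escapeshellarg(), and "--" stops ls from reading
// the argument as an option. Shell metacharacters in $dir then become part
// of one quoted filename instead of a second command.
function list_directory_shell(string $dir): string
{
    return (string) shell_exec('ls -al -- ' . escapeshellarg($dir));
}

// Dynamic dispatch: map the request value onto a fixed table of callables
// rather than calling whatever name arrives in $_GET['func'].
function funcA(): string { return "A ran\n"; }
function funcB(): string { return "B ran\n"; }

function dispatch(string $name): ?string
{
    $allowed = ['A' => 'funcA', 'B' => 'funcB'];
    if (!isset($allowed[$name])) {
        return null;            // unknown name: refuse rather than call it
    }
    return $allowed[$name]();
}

$dir = $_GET['dir'] ?? '.';
echo "<pre>", htmlspecialchars(implode("\n", list_directory(__DIR__, $dir))), "</pre>";
echo dispatch($_GET['func'] ?? '') ?? "unknown function\n";
```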
The escapeshellarg function escapes any character that would end the parameter or the command: the single quotation mark ' is replaced with \', the double quotation mark " with \", and the semicolon ; with \;.

Using safe_mode_exec_dir to specify the path of executable files, you can place the commands to be used into that path in advance:

```ini
safe_mode = On
safe_mode_exec_dir = /usr/local/php/bin/
```

PHP vulnerability solution (5) - SQL injection attacks

```php
// execute the mysql query statement
$query = "select * from postmessage where id = " . $_GET["id"];
$result = mysql_query($query) or die("failed to execute the MySQL query statement: " . mysql_error());
```

After the parameter id is passed in, it is concatenated with the preceding string and the resulting SQL statement is sent to the database. If we submit and 1 = 1 after the id, the statement becomes select * from postmessage where id = 71 and 1 = 1; both conditions are true, and the query returns data. If we submit and 1 = 2, the statement becomes select * from postmessage where id = 71 and 1 = 2; the first condition is true, the second is false, and no normal query result is returned. By appending statements of our own construction, an SQL injection attack is formed. Through this injection point one can go further, for example using union to read the administrator password or other database information, or using MySQL functions such as load_file and into outfile to penetrate further.

Preventive method

Integer parameters: use the intval function to convert the data to an integer.

int intval(mixed var, int base)
    var: the variable to be converted to an integer
    base (optional): the base of the conversion; the default is 10

Floating-point parameters: the floatval and doubleval functions convert single-precision and double-precision floating-point parameters respectively.
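The postmessage query above, its and 1 = 1 / and 1 = 2 probes, and the intval fix run against an in-memory SQLite database, as an added example that is not the article's code; it assumes the PDO SQLite driver is available, the table rows are constructed sample data, and the prepared-statement variant is a technique the article does not cover.

```php
<?php
// Added example, not the article's code: the postmessage query run against
// an in-memory SQLite database (PDO SQLite driver assumed) so that the
// injected conditions and the fixes can be observed offline.
// The table contents are constructed sample data.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('create table postmessage (id integer primary key, title text)');
$db->exec("insert into postmessage values (71, 'hello'), (72, 'world')");

// The article's vulnerable pattern: the raw parameter is concatenated into
// the SQL text, so "71 and 1=2" is evaluated as part of the WHERE clause.
function vulnerable_lookup(PDO $db, string $id): int
{
    $query = "select * from postmessage where id = " . $id;
    return count($db->query($query)->fetchAll(PDO::FETCH_ASSOC));
}

// Fix 1 (the article's): intval() keeps only the leading integer, so the
// appended condition is discarded before the SQL is built.
function intval_lookup(PDO $db, string $id): int
{
    $query = "select * from postmessage where id = " . intval($id);
    return count($db->query($query)->fetchAll(PDO::FETCH_ASSOC));
}

// Fix 2 (not in the article): a prepared statement sends the value separately
// from the SQL text, so the whole string is compared literally with id. This
// also covers string parameters without addslashes() or magic_quotes_gpc.
function prepared_lookup(PDO $db, string $id): int
{
    $stmt = $db->prepare('select * from postmessage where id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_STR);
    $stmt->execute();
    return count($stmt->fetchAll(PDO::FETCH_ASSOC));
}

foreach (['71', '71 and 1 = 1', '71 and 1 = 2'] as $id) {
    printf("id=%-14s vulnerable: %d  intval: %d  prepared: %d\n", $id,
        vulnerable_lookup($db, $id), intval_lookup($db, $id), prepared_lookup($db, $id));
}
```

The row counts make the difference visible: only the concatenated query changes its result between the two probes, intval_lookup behaves as if plain 71 had been sent, and prepared_lookup matches only the literal value 71.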
float floatval(mixed var)
    var: the variable to be converted

float doubleval(mixed var)
    var: the variable to be converted

String parameters: use the addslashes function, which converts the single quotation mark ' to \', the double quotation mark " to \", the backslash \ to \\, and prefixes the NUL character with a backslash.

string addslashes(string str)
    str: the string to be checked

With these we can fix the vulnerable code from above:

```php
// execute the mysql query statement
$query = "select * from postmessage where id = " . intval($_GET["id"]);
$result = mysql_query($query) or die("failed to execute the MySQL query statement: " . mysql_error());
```

If the parameter is a string type, first determine whether magic_quotes_gpc is On; if it is not, use addslashes to escape the special characters:

```php
if (get_magic_quotes_gpc()) {
    $var = $_GET["var"];
} else {
    $var = addslashes($_GET["var"]);
}
```

Testing again, the vulnerability is fixed.

PHP full solution (9) - File upload vulnerability

Web applications generally provide a file upload function so that visitors can upload files. The following is a simple file upload form:

```html
<form action="upload.php" method="post" enctype="multipart/form-data" name="form1">
<input type="file" name="file1" /><br/>
<input type="submit" value="Upload File" />
<input type="hidden" name="MAX_FILE_SIZE" value="1024" />
</form>
```

In the PHP configuration file php.ini, the upload_max_filesize option specifies the maximum size of a file that can be uploaded; the default value is 2M.

The $_FILES array variable: PHP uses the variable $_FILES to handle uploaded files. $_FILES is an array. If test.txt is uploaded, the content of the $_FILES array is:

```
$_FILES Array {
    [file] => Array {
        [name]     => test.txt         // file name
        [type]     => text/plain       // MIME type
        [tmp_name] => /tmp/php5D.tmp   // temporary file
        [error]    => 0                // error message
        [size]     => 536              // file size, in bytes
    }
}
```
If the name attribute of the file input is file (<input type="file" name="file" />), $_FILES['file']['name'] gives the name of the uploaded file on the client side, without a path, and $_FILES['file']['tmp_name'] gives the temporary path where the server saved the uploaded file. The uploaded file is not placed directly into the website's directory; it is saved as a temporary file named by $_FILES['file']['tmp_name'], and the developer must copy it into the website folder where it is to be kept. The value of $_FILES['file']['tmp_name'] is set by PHP and differs from the original file name, so developers must use $_FILES['file']['name'] to obtain the original name of the uploaded file.

Error message during file upload: the variable $_FILES['file']['error'] holds the error status of the file upload.

File upload vulnerability: if a website allows visitors to upload images, be careful that a visitor may upload not an image but a PHP program. If the directory where images are stored is a web-accessible folder, an intruder can request the uploaded PHP file remotely, execute it, and launch attacks. The following is a simple file upload example:

```php
<?php
// set the directory for uploaded files
$uploaddir = "D:/www/images/";
// check whether a file was uploaded
if (isset($_FILES['file1'])) {
    // the complete path inside the website directory, including the file name
    $uploadfile = $uploaddir . $_FILES['file1']['name'];
    // move the file from the server's temporary path to the actual file name
    move_uploaded_file($_FILES['file1']['tmp_name'], $uploadfile);
}
?>
```
......
```html
<form method="post" enctype="multipart/form-data" name="form1">
<input type="file" name="file1" /><br/>
<input type="submit" value="Upload File" />
<input type="hidden" name="MAX_FILE_SIZE" value="1024" />
</form>
```

Because the suffix of the uploaded file is not validated, an attacker can upload arbitrary files. This is an obvious upload vulnerability.
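A hardened version of the upload handler above, as an added example that is not the article's code; the storage directory, the allowed image types and the random naming scheme are assumptions, and the checks are exactly the ones the article's handler omits.

```php
<?php
// Added example, not the article's code: a hardened version of the upload
// handler. The storage directory and the allowed image types are assumptions.

function save_upload(array $file, string $uploaddir): ?string
{
    // 1. Only accept a file that PHP itself received in this request,
    //    and only when the upload completed without error.
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }

    // 2. Decide the type from the file contents, not from the client-supplied
    //    name or MIME type, and map it to a fixed extension.
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        return null;            // e.g. a PHP script uploaded as photo.jpg
    }

    // 3. Never reuse the client's file name: it may carry a ".php" suffix,
    //    a path, or traversal sequences. Generate the name server-side.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($uploaddir, '/\\') . DIRECTORY_SEPARATOR . $name;

    // 4. move_uploaded_file() itself refuses anything that is not an upload.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644);         // readable, not executable
    return $name;
}

// The images directory is assumed. Keep it outside the web root, or serve it
// with script execution disabled (for Apache mod_php: php_flag engine off).
$uploaddir = 'D:/www/images/';
if (isset($_FILES['file1'])) {
    $saved = save_upload($_FILES['file1'], $uploaddir);
    echo $saved === null ? "upload rejected\n" : "saved as $saved\n";
}
```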