About PHP vulnerabilities and how to prevent them

Source: Internet
Author: User

Vulnerabilities include XSS, SQL injection, command execution, upload vulnerabilities, local file inclusion, remote file inclusion, permission bypass, information leakage, cookie forgery, and CSRF (cross-site request forgery). These vulnerabilities are not specific to PHP; this article discusses how to prevent them effectively in PHP.

1. XSS + SQL injection (detailed introduction to XSS attacks)

XSS and SQL injection account for the largest share of reported vulnerabilities. For frameworks or applications with shared public files, we recommend filtering for XSS and SQL injection in those public (globally included) files. Write a PHP filter function and apply it to the request superglobals, as shown in the following code:

$_REQUEST = filter_xss($_REQUEST);
$_GET = filter_xss($_GET);
$_POST = filter_xss($_POST);
$_COOKIE = filter_xss($_COOKIE);

$_POST = filter_sql($_POST);
$_GET = filter_sql($_GET);
$_COOKIE = filter_sql($_COOKIE);
$_REQUEST = filter_sql($_REQUEST);

The simplest filter_xss function is htmlspecialchars().

The simplest filter_sql function is mysql_real_escape_string().

Of course, as everyone knows, this kind of filter_sql filtering (see the detailed article on preventing SQL injection) can only block injection in character-type and search-type (LIKE) parameters; it cannot protect numeric-type parameters, where the value is not enclosed in quotes. But it also means that after this layer of filtering you only need to pay attention to SQL statements with numeric parameters, and applying an intval() filter to those makes the job much easier.
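The filter helpers the assignments above call, written out as an added example (not code from the original article): both recurse into array parameters, and the two queries at the end show why escaping protects the character-type parameter but not the numeric one. The mysqli connection and its credentials are placeholders.

```php
<?php
// Added example, not from the original article: recursive filter_xss / filter_sql
// helpers applied to the superglobals. Assumes a mysqli connection ($db); the
// credentials below are placeholder values.

function filter_xss($value) {
    // Recurse so that array parameters (a[]=1) are filtered rather than skipped.
    if (is_array($value)) {
        return array_map('filter_xss', $value);
    }
    // ENT_QUOTES also converts single quotes, so the value is safe inside attributes.
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

function filter_sql($value, mysqli $db) {
    if (is_array($value)) {
        $out = [];
        foreach ($value as $key => $item) {
            $out[$key] = filter_sql($item, $db);
        }
        return $out;
    }
    // Escapes quotes and backslashes; this only protects values placed inside quotes.
    return mysqli_real_escape_string($db, (string) $value);
}

$db = new mysqli('localhost', 'dbuser', 'dbpass', 'app'); // placeholder values

$_GET     = filter_sql(filter_xss($_GET), $db);
$_POST    = filter_sql(filter_xss($_POST), $db);
$_COOKIE  = filter_sql(filter_xss($_COOKIE), $db);
$_REQUEST = filter_sql(filter_xss($_REQUEST), $db);

// Character type: the escaped value is safe only because it sits inside quotes.
$subject = $_GET['subject'] ?? '';
$sql1 = "SELECT id FROM mail WHERE subject = '$subject'";

// Numeric type: there are no quotes to escape out of, so escaping does nothing.
// Cast with intval() as the article recommends.
$id = intval($_GET['id'] ?? 0);
$sql2 = "SELECT id FROM mail WHERE id = $id";
```

mysql_real_escape_string() was removed in PHP 7, so the mysqli form is used here; prepared statements with bound parameters avoid the numeric-type problem entirely.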

2. Command Execution

For command execution, you can start from keywords, which fall into three categories:

(1) PHP code execution: eval

(2) Shell Command Execution: exec, passthru, system, shell_exec, etc.

(3) File Processing: fwrite, fopen, mkdir, etc.

For each of these functions, check whether its parameters are user-controllable.
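What a controllable parameter to a shell-execution function looks like, and the hardened form, as an added example (not code from the original article); the ping wrapper and the host parameter are assumptions.

```php
<?php
// Added example, not from the original article: the same shell_exec() call with a
// user-controllable parameter, before and after hardening. The ping wrapper and
// the ?host= parameter are constructed for illustration.

// Vulnerable: $_GET['host'] flows straight into the command line.
function ping_unsafe(): ?string {
    $host = $_GET['host'] ?? '';
    return shell_exec('ping -c 1 ' . $host);
}

// Hardened: validate against a strict pattern, then quote for the shell.
function ping_safe(): ?string {
    $host = $_GET['host'] ?? '';
    // Only hostname characters are accepted, and the first character may not be
    // '-' so the value cannot be read as an extra option to ping.
    if (!is_string($host) || !preg_match('/^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$/', $host)) {
        http_response_code(400);
        return null;
    }
    // escapeshellarg() wraps the value in single quotes and escapes embedded ones,
    // so shell metacharacters in it are passed to ping literally.
    return shell_exec('ping -c 1 ' . escapeshellarg($host));
}

echo ping_safe() ?? 'invalid host';
```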

3. Upload Vulnerability

Upload vulnerabilities are also a key concern, and the upload handling process needs careful analysis. There are many ways to bypass upload checks; the safest approach is to give the stored file a random name and to whitelist the suffix (extension). Second, note that there may be more than one upload handler: for example, a third-party editor bundled in some directory may bring its own.

File inclusion vulnerabilities involve include(), include_once(), require(), require_once(), file_get_contents(), etc.

The most common case is a file download function, such as download.php?file=..././etc/passwd.
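The upload rule given above (random name, whitelisted suffix) and a download handler that keeps download.php?file=... inside its directory, as an added example (not code from the original article). The directory names, the form field and the extension list are assumptions.

```php
<?php
// Added example, not from the original article: random file name + suffix whitelist
// for uploads, and a path check for a download.php?file= parameter. The directory
// names, form field name and allowed extensions are constructed for illustration.

function save_upload(array $file, string $uploadDir): ?string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];
    $ext = strtolower(pathinfo($file['name'] ?? '', PATHINFO_EXTENSION));
    // Whitelist the suffix; a blacklist of .php/.phtml/... is what gets bypassed.
    if (!in_array($ext, $allowed, true)) {
        return null;
    }
    // Random name: the client-supplied file name never reaches the filesystem.
    $target = $uploadDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return null;
    }
    return $target;
}

function resolve_download(string $requested, string $baseDir): ?string {
    // basename() drops any directory part, so ../../etc/passwd becomes "passwd".
    $candidate = $baseDir . '/' . basename($requested);
    $real = realpath($candidate);
    $base = realpath($baseDir);
    // Second check: the resolved path must still lie under the base directory.
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Usage (constructed): $_FILES['doc'] from a form, ?file= from the query string.
$saved = save_upload($_FILES['doc'] ?? [], __DIR__ . '/uploads');
$path  = resolve_download($_GET['file'] ?? '', __DIR__ . '/downloads');
if ($path !== null) {
    header('Content-Type: application/octet-stream');
    readfile($path);
} else {
    http_response_code(404);
}
```

Serve the upload directory without script execution (no PHP handler for it) so that a whitelisted file is never interpreted even if its content is malicious.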

4. Permission Bypass

There are two types of Permission Bypass:

(1) Unauthorized access to background (admin) files. If a background file does not perform session verification, this issue occurs.

(2) No user isolation. For example, mail.php?id=23 shows your mail; change the ID to mail.php?id=24 and you can view someone else's email. This is convenient to code: all emails are stored in one table with uniform IDs, and the front end simply retrieves a row by ID when displaying it. But no user-isolation check is performed to determine ownership, which leads to unauthorized access.

This is a common example, and this vulnerability is often found when evaluating banks.
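Both checks above, written out as an added example (not code from the original article): a session check for background files, and a mail lookup keyed on the ID together with the session's user ID. Table and column names, session keys and the database connection are assumptions.

```php
<?php
// Added example, not from the original article: (1) session verification for
// background files and (2) an ownership check for mail.php?id=. The mail table,
// owner_id column, session keys and mysqli credentials are placeholders.

session_start();

// (1) Every background file calls this first; assumes the login code set these keys.
function require_admin(): void {
    if (empty($_SESSION['user_id']) || empty($_SESSION['is_admin'])) {
        http_response_code(403);
        exit('forbidden');
    }
}

// (2) User isolation: the row is selected by id AND by the session's user id, so
// changing ?id=23 to ?id=24 returns nothing unless that mail belongs to the user.
function load_own_mail(mysqli $db, int $userId, int $mailId): ?array {
    $stmt = $db->prepare(
        'SELECT id, subject, body FROM mail WHERE id = ? AND owner_id = ?'
    );
    $stmt->bind_param('ii', $mailId, $userId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

$db = new mysqli('localhost', 'dbuser', 'dbpass', 'app'); // placeholder values
$userId = (int) ($_SESSION['user_id'] ?? 0);
$mail = load_own_mail($db, $userId, intval($_GET['id'] ?? 0));
if ($mail === null) {
    // Same response whether the id does not exist or belongs to someone else,
    // so the client cannot tell valid IDs apart by probing.
    http_response_code(404);
    exit('not found');
}
echo htmlspecialchars($mail['subject'], ENT_QUOTES, 'UTF-8');
```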

5. Information Leakage

Information leakage is a low-risk vulnerability. For example, directory listing is a deployment issue and has nothing to do with code auditing. Still, such vulnerabilities need to be prevented, for instance path disclosure and source code disclosure. I have encountered code like this:

<?php if (empty($_GET['a'])) { … } ?>

On the surface there seems to be no problem, but when the request becomes xx.php?a[]=1, that is, when the parameter is changed to an array, an error occurs and the path leaks. If you use isset(), the error does not occur. Of course, guarding against every such case individually is too troublesome; we recommend disabling the error prompt in the configuration file, or adding the following code to the public file to disable error display:

<?php error_reporting(0); ?>
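A version of the setting above that hides errors from the client without losing them, plus a check that rejects the array-valued parameter before it reaches any string function, as an added example (not code from the original article); the parameter name is the article's.

```php
<?php
// Added example, not from the original article: error_reporting(0) also stops
// errors from being logged, so the production setting used here turns display
// off while keeping logging on, and the helper rejects a[]=1 style parameters.

// Production settings: nothing is shown to the client, everything is still logged.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

// Returns the GET parameter as a string, or null if it is missing or an array.
function get_string_param(string $name): ?string {
    if (!isset($_GET[$name]) || !is_string($_GET[$name])) {
        return null;
    }
    return $_GET[$name];
}

$a = get_string_param('a');
if ($a === null) {
    http_response_code(400);
    exit('bad request');
}
// From here on $a is guaranteed to be a string, so xx.php?a[]=1 cannot trigger
// an "Array to string conversion" error (and a path-revealing message) later.
```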

PHP point-to-point (phpddt.com) previously published an article on PHP vulnerability prevention policy, which describes the dangers of register_globals and how to use magic quotes.
