Essence of Script Security: PHP + MySQL


I. Preface

At the code level, that is, considering only the security of the application code and not vulnerabilities in the language itself, script security comes down to two things: functions and variables. Variables receive untrusted user input, directly or indirectly. PHP makes it especially easy for such variables to get muddled: many PHP programs are used to having their variables defined, initialized and populated for them, so a variable like $id can be used in the program without ever being assigned, its initialization being left entirely to PHP's configuration (register_globals, discussed below). If no attention is paid to this, variable confusion and attacks follow.
When a variable receives untrusted input and is then used, without proper filtering, in different places, the danger differs with the place. Stored in the database and later displayed to users, it leads to cross-site scripting; spliced into a SQL statement, to SQL injection. Attacks of this kind are not tied to any particular scripting language and exist in all of them. Because PHP variables are so loosely typed and so easily created, a tainted variable used in a logical test can cause key code to be skipped, for example an authentication check that never fails or a variable initialization that is bypassed, leaving the program's logic in disarray. Used in include, such a variable gives a file inclusion vulnerability; in fopen, an arbitrary file write; in mysql_query, SQL injection; in eval or preg_replace (with the /e modifier), code execution; and even a harmless-looking function such as htmlspecialchars emits a warning when handed an unexpected type (an array, say), and that warning leaks the script's absolute path. In short, the environment in which a variable appears determines its potential harm.
Having framed the problem this way, how do we look for such vulnerabilities at the code level? Familiarity with PHP is the basic requirement; beyond that, the approach is to hold on to functions and variables. Whenever a variable appears in a dangerous function, determine where it comes from, whether it is correctly initialized, whether the user can still inject sensitive characters after that initialization, and whether those characters are completely cleaned before the value reaches the function. The hard part of code review is usually determining a variable's source, which takes familiarity with PHP's quirks and with the code under review, because not every source is plainly visible: initialization code may not run the way it appears to, variables may arrive from places you did not expect, and some come from the database or from system configuration files. The database and the configuration files may well have been tampered with earlier, or the values may be handled unsafely later, so these variables are not trustworthy either. In what follows we look at script security from this angle of variables and functions.

II. Where Do Variables Come From?

1. Explicit Input

Where the variables come from is where the threats come from. Considering only the web, what kind of site is the most secure? Obviously one that serves nothing but static HTML pages, because such a site does not interact with its visitors at all; attacking it is like trying to rob a bank with no doors or windows, hard to pull off. A large forum or any other script-driven program is different. When you log in you pass a username and password to the server, and even the IP address you log in from and the browser you use are captured by the program. Capture the interaction with the server while you post a message and you will see data flowing between browser and server: what is visible includes submitted forms and address-bar parameters; what is not includes cookies and the rest of the HTTP headers. These are the places where data is submitted, that is, where variables enter, and they are the most primitive entry points through which the server takes in data. How does a PHP program receive them? PHP stores everything that is submitted in a few arrays:

$_GET
$_POST
$_COOKIE
$_FILES
$_SERVER

For convenience and flexibility, PHP also offers a configuration option:

register_globals

When it is on, every entry in the arrays above also becomes a global variable (a member of $GLOBALS) that the script can use directly, without reading it out of the array. A companion setting,

variables_order

fixes the order in which these sources are registered (for example EGPCS: environment, GET, POST, cookie, server), so when the same name arrives from two sources the one registered later wins. Many programs assume register_globals is off and therefore do the following during initialization:

@extract(daddslashes($_POST));
@extract(daddslashes($_GET));

These two lines play the role of register_globals: they release the contents of POST and GET as global variables. The risk, however, can be even greater than with register_globals itself, because extract() overwrites whatever already exists under those names, as the variable overwrite section below shows.

2. Implicit Input

The inputs above are the most primitive data, not yet transformed by the program, and the variables used in many parts of the program come straight from them. That does not mean variables are passed nowhere else. Consider the following data flow:


User input ==========> database ==========> read back by program code ==========> dangerous function


In this pattern the user's input first goes into the database; later the program reads it back out and hands it to some dangerous function. Programmers generally assume that whatever comes out of the database is safe, but that is not so: as long as sensitive characters eventually reach the program code, it does not matter where they rested along the way. The same goes for programs that write user input to files, such as cache files, and read it back when needed. Trusting variables from these places too much leads to the same problems.


3. Variable Overwrite

In many cases a variable the program receives may come from a place it should never have come from. Take this Discuz! (Dz) code:

$magic_quotes_gpc = get_magic_quotes_gpc();
@extract(daddslashes($_POST));
@extract(daddslashes($_GET));
if(!$magic_quotes_gpc) {
    $_FILES = daddslashes($_FILES);
}

After this, do you still believe $_FILES is the original $_FILES? If we submit a form field named _FILES, or simply append ?_FILES[]=ddddd to the script's URL, then $_FILES is completely overwritten, and every $_FILES your code refers to is no longer the real one. This problem existed in earlier versions of Discuz!. It is an instance of variable overwrite. Let us widen the view of the initialization file:

$magic_quotes_gpc = get_magic_quotes_gpc();
@extract(daddslashes($_POST));
@extract(daddslashes($_GET));
if(!$magic_quotes_gpc) {
    $_FILES = daddslashes($_FILES);
}

$charset = $dbcharset = '';
$plugins = $hooks = array();

require_once DISCUZ_ROOT.'./config.inc.php';
require_once DISCUZ_ROOT.'./include/db_'.$database.'.class.php';

if($attackevasive) {
    require_once DISCUZ_ROOT.'./include/security.inc.php';
}

This looks fine, but under certain conditions there is still a problem. If register_globals is on, what enters the global variables is not just $_GET and $_POST: $_COOKIE, $_FILES and $_SERVER all produce global variables too. Through the statements above, submitting ?_SERVER[PHP_SELF]=... overwrites the _SERVER array, so no $_SERVER value anywhere in the program can be trusted any more. I have also seen code written like this:

......
require_once ROOT_PATH.'inc/database_config.php';
require_once ROOT_PATH.'inc/dv_spacemain.php';
if (PHP_VERSION < '4.1.0') {
    $_GET = &$HTTP_GET_VARS;
    $_POST = &$HTTP_POST_VARS;
    $_COOKIE = &$HTTP_COOKIE_VARS;
    $_SERVER = &$HTTP_SERVER_VARS;
    $_ENV = &$HTTP_ENV_VARS;
    $_FILES = &$HTTP_POST_FILES;
    $_SESSION = &$HTTP_SESSION_VARS;
}

$magic_quotes_gpc = get_magic_quotes_gpc();
$register_globals = @ini_get('register_globals');
if (!$register_globals || !$magic_quotes_gpc) {
    @extract(i_addslashes($_POST));
    @extract(i_addslashes($_GET));
    @extract(i_addslashes($_COOKIE));
    if (!$magic_quotes_gpc) {
        $_FILES = i_addslashes($_FILES);
    }
}
......

This too is system initialization, but here the variables are released only after the includes

require_once ROOT_PATH.'inc/general_funcs.php';
require_once ROOT_PATH.'inc/dv_spacemain.php';

have already run and the key variables have been initialized. So can we submit ?host=xxx.xxx and overwrite the database host variable that the system's own database initialization file has just set? We can, and after that you can ......
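The overwrite mechanics of the last two code samples can be reproduced in a few lines. The following is an added example, not code from the article or from Discuz!: a constructed $_GET stands in for the query string ?_FILES[attach][name]=shell.php&host=attacker.example, daddslashes() is left out because it does not change which variable names get created, and request_params() is a hypothetical replacement for the extract() idiom, not anything from the projects quoted above.

```php
<?php
// Added example (not from the article): what extract() on a request array does in
// the global scope, and an explicit alternative. The request below is constructed
// so the script runs from the CLI; it stands in for
//   ?_FILES[attach][name]=shell.php&_FILES[attach][tmp_name]=/tmp/phpXXXXXX&host=attacker.example
$_GET = [
    '_FILES' => ['attach' => ['name' => 'shell.php', 'tmp_name' => '/tmp/phpXXXXXX']],
    'host'   => 'attacker.example',
];

// Pattern 1 (Discuz-style init: extract() runs before the config file is included).
$before = $_FILES;                    // the real superglobal; an empty array under the CLI
@extract($_GET);                      // default EXTR_OVERWRITE writes into the global symbol table
var_dump($_FILES === $before);        // false: the superglobal now holds the request value
echo $_FILES['attach']['name'], "\n"; // an "uploaded" file name the attacker chose
$_FILES = $before;

// Pattern 2 (the second init code: config included first, extract() afterwards).
$host = 'db.internal';                // stands in for $host set by database_config.php
@extract($_GET);
echo $host, "\n";                     // $host now carries the request value, not the config's

// EXTR_SKIP protects only names that already exist when extract() is called;
// a variable the code never initialises (if ($admin) ...) is still created from the request.
$_FILES = $before;
$host = 'db.internal';
@extract($_GET, EXTR_SKIP);
var_dump($_FILES === $before, $host === 'db.internal');   // both kept this time

// The alternative: never turn request keys into variable names. Name the parameters
// the page accepts and read them one by one, with a default for the missing ones.
// (Hypothetical helper, assumed for this example.)
function request_params(array $request, array $allowed): array
{
    $params = [];
    foreach ($allowed as $name => $default) {
        $value = $request[$name] ?? $default;
        // keep scalars only: a key submitted as name[]=x would otherwise arrive as an array
        $params[$name] = is_scalar($value) ? (string) $value : $default;
    }
    return $params;
}

$params = request_params($_GET, ['tid' => '0', 'page' => '1']);
var_dump($params);                    // only tid and page exist; _FILES and host are ignored
```

Run it from the CLI. In the global scope extract() writes straight into the global symbol table, which is also where the superglobals live, so $_FILES and $host both end up holding request values; only the names GLOBALS (and, since PHP 7.1, this) are refused. EXTR_SKIP keeps the names that already exist at the call, which is both of them in this demonstration, but it does nothing for a variable the program relies on being unset, so the real fix is to drop the idiom and read named parameters, as request_params() does.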

4. Variable Infection

This one is easy to understand: once a variable is unsafe, every operation that derives from it, assignment included, is unsafe too. For example:

$id = $_GET['id'];
...........
$articleid = $id;

In real code the chain is rarely this obvious, but the result is the same: as soon as a variable carries sensitive characters into a place they do not belong, there is a threat. Nor is this limited to variables: one unsafe function makes all the code that calls it unsafe.
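The review method set out in the preface (follow each variable from its source to the dangerous function it reaches) together with the infection rule above can be mechanised for a first pass. The following scanner is an added example, not code from the article: it tokenises PHP with token_get_all(), treats assignment from a request superglobal as the taint source, propagates taint through plain assignments, and reports statements in which a tainted variable reaches one of a fixed list of sinks. The PHP it scans is constructed here, and the source and sink lists are my own assumptions, deliberately short.

```php
<?php
// Added example (not from the article): a minimal source-to-sink scanner.
// Variables assigned from request superglobals, or from an already tainted
// variable, are marked tainted (variable infection); a statement in which a
// tainted variable reaches a dangerous function is reported. Intraprocedural,
// one statement at a time, no knowledge of sanitizers: a review aid, not a proof.

// Assumed source and sink lists; extend them for the code base under review.
const SOURCES = ['$_GET', '$_POST', '$_COOKIE', '$_REQUEST', '$_FILES', '$_SERVER'];
const SINKS = ['mysql_query', 'mysqli_query', 'include', 'include_once', 'require',
    'require_once', 'eval', 'preg_replace', 'fopen', 'file_put_contents',
    'system', 'exec', 'passthru', 'shell_exec'];
const SINK_TOKENS = [T_STRING, T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE, T_EVAL];
const SKIP_TOKENS = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT, T_OPEN_TAG, T_CLOSE_TAG];

function scan(string $code): array
{
    $tainted = [];    // '$name' => line where it became tainted
    $findings = [];
    $stmt = [];
    $curly = 0;       // depth of {$...} / ${...} inside strings; their '}' is not a statement boundary
    foreach (token_get_all($code) as $tok) {
        if (is_array($tok) && ($tok[0] === T_CURLY_OPEN || $tok[0] === T_DOLLAR_OPEN_CURLY_BRACES)) {
            $curly++;
        } elseif ($tok === '}' && $curly > 0) {
            $curly--;
        } elseif ($tok === ';' || $tok === '{' || $tok === '}') {
            analyse($stmt, $tainted, $findings);
            $stmt = [];
            continue;
        }
        if (!is_array($tok) || !in_array($tok[0], SKIP_TOKENS, true)) {
            $stmt[] = $tok;
        }
    }
    analyse($stmt, $tainted, $findings);
    return $findings;
}

function analyse(array $stmt, array &$tainted, array &$findings): void
{
    if ($stmt === []) {
        return;
    }
    $text = array_map(fn($t) => is_array($t) ? $t[1] : $t, $stmt);
    $line = is_array($stmt[0]) ? $stmt[0][2] : 0;

    // Positions of request superglobals and already tainted variables in this statement.
    $dirty = [];
    foreach ($stmt as $i => $t) {
        if (is_array($t) && $t[0] === T_VARIABLE
            && (in_array($t[1], SOURCES, true) || isset($tainted[$t[1]]))) {
            $dirty[$i] = $t[1];
        }
    }

    // `$x = ...`: $x is infected if anything dirty sits on the right-hand side;
    // a clean re-initialisation such as `$x = 0;` clears an earlier taint.
    if (count($stmt) > 2 && is_array($stmt[0]) && $stmt[0][0] === T_VARIABLE && $text[1] === '=') {
        if (array_filter($dirty, fn($i) => $i > 1, ARRAY_FILTER_USE_KEY)) {
            $tainted[$text[0]] = $line;
        } else {
            unset($tainted[$text[0]]);
        }
    }

    // A sink name followed, within the same statement, by something dirty.
    foreach ($stmt as $i => $t) {
        if (is_array($t) && in_array($t[0], SINK_TOKENS, true)
            && in_array(strtolower($t[1]), SINKS, true)) {
            $after = array_filter($dirty, fn($j) => $j > $i, ARRAY_FILTER_USE_KEY);
            if ($after) {
                $findings[] = sprintf('line %d: %s reaches %s()', $line,
                    implode(', ', array_unique($after)), $t[1]);
            }
        }
    }
}

// Constructed sample to scan (not real project code).
$sample = <<<'PHP'
<?php
$id = $_GET['id'];
$articleid = $id;
$page = (int) $_GET['page'];
$result = mysql_query("SELECT * FROM posts WHERE id=$articleid LIMIT $page");
include $_COOKIE['lang'] . '.php';
$id = 0;
$count = mysql_query("SELECT COUNT(*) FROM posts WHERE id=$id");
PHP;

foreach (scan($sample) as $finding) {
    echo $finding, "\n";
}
```

On the constructed sample the scanner reports line 5 (mysql_query reached by $articleid, which inherited its taint from $id, and by $page) and line 6 (include fed by $_COOKIE), and nothing for line 8, because `$id = 0;` re-initialised the variable first. $page is a false positive: the scanner does not know that the (int) cast neutralises the value, and that is by design; it hands the reviewer exactly the lines where the initialisation and filtering questions from the preface must be answered by hand. It is intraprocedural, ignores function parameters, object properties and anything but the simple forms of string interpolation, so a clean report proves nothing.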


III. Unsafe Functions

Variables are ultimately processed by code, and code is ultimately executed by some system function or statement. When an improper variable turns up in a dangerous function, congratulations: you have found the vulnerability.

1. SQL injection: in the terms used above, an unsafe function that executes SQL (mysql_query, for example) receives a variable that still carries SQL-sensitive characters.
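The implicit-input flow drawn in section II.2 and the SQL injection case here share one root: a value reaches the query builder as text. The following added example, not code from the article, reproduces both against an in-memory SQLite database through PDO so that it runs offline (the string-building pattern is the same as with mysql_query(); the tables, rows and attacker inputs are constructed here, and the pdo_sqlite extension is assumed). The first half shows why addslashes()-style filtering of the kind applied by the initialization code above does not cover a number interpolated without quotes; the second half shows a second-order injection, where a value that was stored safely is trusted on its way back out of the database.

```php
<?php
// Added example (not from the article): first-order injection that addslashes()
// cannot stop, and second-order injection through a value read back from the
// database, each beside its hardened form. Constructed data, in-memory SQLite.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (uid INTEGER PRIMARY KEY, username TEXT, secret TEXT)');
$db->exec("INSERT INTO members VALUES (1, 'admin', 'admin-secret'), (2, 'guest', 'guest-secret')");
$db->exec('CREATE TABLE posts (pid INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// 1. addslashes()/daddslashes() only matters inside quotes. A numeric column
//    interpolated unquoted is wide open, whatever the init code escaped.
function get_member_unquoted(PDO $db, string $uid): array
{
    $uid = addslashes($uid);          // nothing to escape in "0 OR 1=1", so this is a no-op
    return $db->query("SELECT username, secret FROM members WHERE uid=$uid")
              ->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Second-order injection: the author name is stored safely with a bound parameter,
//    then read back from the database and trusted while building a second query.
function save_post(PDO $db, string $author, string $body): void
{
    $stmt = $db->prepare('INSERT INTO posts (author, body) VALUES (?, ?)');
    $stmt->execute([$author, $body]);
}

function posts_by_same_author(PDO $db, int $pid): array
{
    $author = $db->query("SELECT author FROM posts WHERE pid=$pid")->fetchColumn();
    // "it came from the database, so it is safe": the assumption the article warns about
    return $db->query("SELECT body FROM posts WHERE author='$author'")
              ->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: bind every value, whatever its origin (request, database, cache, config).
function get_member(PDO $db, string $uid): array
{
    $stmt = $db->prepare('SELECT username, secret FROM members WHERE uid = ?');
    $stmt->execute([(int) $uid]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function posts_by_same_author_safe(PDO $db, int $pid): array
{
    $stmt = $db->prepare('SELECT author FROM posts WHERE pid = ?');
    $stmt->execute([$pid]);
    $author = $stmt->fetchColumn();
    $stmt = $db->prepare('SELECT body FROM posts WHERE author = ?');
    $stmt->execute([$author]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed attacker input, standing in for ?uid=... and a posted author name.
print_r(get_member_unquoted($db, '0 OR 1=1'));   // every member's secret comes back
print_r(get_member($db, '0 OR 1=1'));            // cast and bound parameter: no match

save_post($db, "x' OR '1'='1", 'hello');          // stored harmlessly by the bound insert ...
save_post($db, 'guest', 'guest post');
print_r(posts_by_same_author($db, 1));           // ... but spliced back into a query: all posts
print_r(posts_by_same_author_safe($db, 1));      // only the post by that exact author string
```

The unquoted case is why the daddslashes()/magic_quotes layer in the initialization code above is not a defence: there is no quote for the escaping to protect, so `WHERE uid=0 OR 1=1` runs as written. The second case is the data flow from section II.2 made concrete: the insert was parameterised, so the hostile author string went into the table intact, and the read-back query treated it as trusted text. Binding parameters at every query, regardless of where the value was last seen, closes both.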
