At the beginning of this guide, we said that data filtering is the cornerstone of web application security in any language and on any platform. This means checking both the data that enters the application and the data that leaves it, and a good software design helps developers in three ways:
Ensure that data filtering cannot be bypassed, ensure that invalid data cannot be mistaken for valid data, and identify the origin of the data.
There are various opinions on how to guarantee that filtering cannot be bypassed; two of the approaches are more generic than the others and give a higher level of assurance.
The dispatch method
In this approach, every request is dispatched through a single PHP script (via the URL). Any other code is pulled in as needed with include or require. The approach usually requires that each URL carry a GET variable that selects the task; this variable can be thought of as a leaner replacement for having a separate script name per task. For example:
http://example.org/dispatch.php?task=print_form
Here dispatch.php is the only file in the document root. It lets developers do two important things:
At the beginning of dispatch.php, some global security processing is implemented, and it is guaranteed that this processing cannot be bypassed. It also makes it easy to confirm that data is filtered where necessary, especially for control flow that serves a special purpose. Consider the following dispatch.php script:
```php
<?php

/* Global security handling */

switch ($_GET['task'])
{
    case 'print_form':
        include '/inc/presentation/form.inc';
        break;

    case 'process_form':
        $form_valid = false;
        include '/inc/logic/process.inc';
        if ($form_valid)
        {
            include '/inc/presentation/end.inc';
        }
        else
        {
            include '/inc/presentation/form.inc';
        }
        break;

    default:
        include '/inc/presentation/index.inc';
        break;
}

?>
```
If this is the only publicly accessible PHP script, you can be sure that the design guarantees the initial global security processing cannot be bypassed. It also lets developers see the control flow of a specific task at a glance. For example, without reading the whole code base it is easy to see that end.inc is shown to the user only when $form_valid is true: because it is initialised to false before process.inc is included, the internal logic of process.inc must set it to true, otherwise the form is displayed again (possibly with related error messages).
Points to note about the dispatch method
If you use a directory index file such as index.php (instead of dispatch.php), you can use URLs like this: http://example.org/?task=print_form.
You can also use the Apache ForceType directive or mod_rewrite to tidy up the URL: http://example.org/app/print-form.
The include method
The other approach uses a single module that is responsible for all the security processing. This module is included at the top (or very near the top) of every public PHP script. Consider the following script, security.inc:
```php
<?php

switch ($_POST['form'])
{
    case 'login':
        $allowed = array();
        $allowed[] = 'form';
        $allowed[] = 'username';
        $allowed[] = 'password';
        $sent = array_keys($_POST);
        if ($allowed == $sent)
        {
            include '/inc/logic/process.inc';
        }
        break;
}

?>
```
In this example, each submitted form is expected to contain an identifying value named form, and security.inc independently handles everything that needs to be filtered. The HTML form that satisfies this requirement looks like this:
```html
<form action="/receive.php" method="POST">
<input type="hidden" name="form" value="login" />
<p>Username: <input type="text" name="username" /></p>
<p>Password: <input type="password" name="password" /></p>
<input type="submit" />
</form>
```
An array named $allowed is used to check which form variables are permitted, and this list must match exactly before the form is processed. The control flow decides what to do, and process.inc is where the filtered data actually arrives.
Note
A good way to ensure that security.inc is always included at the very start of every script is to use the auto_prepend_file setting (a php.ini directive).
Examples of PHP data filtering
Whitelisting is essential to data filtering. Since it is impossible to give an example for every kind of form data you might encounter, a few examples should convey the general idea.
The following code validates an e-mail address:
```php
<?php

$clean = array();
$email_pattern = '/^[^@\s<&>]+@([-a-z0-9]+\.)+[a-z]{2,}$/i';

if (preg_match($email_pattern, $_POST['email']))
{
    $clean['email'] = $_POST['email'];
}

?>
```
The following code ensures that $_POST['color'] is red, green, or blue:
```php
<?php

$clean = array();

switch ($_POST['color'])
{
    case 'red':
    case 'green':
    case 'blue':
        $clean['color'] = $_POST['color'];
        break;
}

?>
```
The following code ensures that $_POST['num'] is an integer:
```php
<?php

$clean = array();

if ($_POST['num'] == strval(intval($_POST['num'])))
{
    $clean['num'] = $_POST['num'];
}

?>
```
The following code ensures that $_POST['num'] is a floating-point number (float):
```php
<?php

$clean = array();

if ($_POST['num'] == strval(floatval($_POST['num'])))
{
    $clean['num'] = $_POST['num'];
}

?>
```
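The following stand-alone script is an added example, not code from the original page: it combines the security.inc key whitelist with the $clean validators shown above and runs them over constructed sample submissions in place of $_POST. The form name 'signup' and the sample values are assumptions made for the illustration.

```php
<?php
// Added example (not from the original page): key whitelist plus per-field
// validation, copying only accepted values into $clean.

function filter_submission(array $post): array
{
    $clean = array();

    // As in security.inc, the submission must contain exactly these keys
    // (order ignored). An extra or missing field rejects the whole request.
    $allowed = array('form', 'email', 'color', 'num');
    $sent = array_keys($post);
    sort($allowed);
    sort($sent);
    if ($allowed !== $sent || $post['form'] !== 'signup') {
        return $clean;
    }

    // E-mail: the same pattern as the example above.
    $email_pattern = '/^[^@\s<&>]+@([-a-z0-9]+\.)+[a-z]{2,}$/i';
    if (preg_match($email_pattern, $post['email'])) {
        $clean['email'] = $post['email'];
    }

    // Colour: only one of three literal values is accepted.
    switch ($post['color']) {
        case 'red':
        case 'green':
        case 'blue':
            $clean['color'] = $post['color'];
            break;
    }

    // Integer: the string must survive an int round trip unchanged.
    // Strict comparison so that "42abc" and "1e3" are rejected, "42" is kept.
    if ($post['num'] === strval(intval($post['num']))) {
        $clean['num'] = $post['num'];
    }

    return $clean;
}

// Constructed sample submissions standing in for $_POST.
$good  = array('form' => 'signup', 'email' => 'alice@example.org', 'color' => 'green', 'num' => '42');
$bad   = array('form' => 'signup', 'email' => 'alice@example.org<script>', 'color' => 'purple', 'num' => '42abc');
$extra = $good + array('admin' => '1');

var_dump(filter_submission($good));   // email, color and num all present
var_dump(filter_submission($bad));    // empty array: nothing passed validation
var_dump(filter_submission($extra));  // empty array: unexpected field rejects the submission
```

Anything that is not present in the returned array was never validated, which is exactly the property the $clean convention below relies on.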
Naming conventions
Each of the previous examples uses an array named $clean. This is a good habit that helps developers judge whether a piece of data is potentially dangerous. Never store data back in $_POST or $_GET after validating it: developers should always treat the contents of the superglobal arrays with full suspicion.
In addition, using $clean makes it easier to spot what has not yet been filtered, which is closer to a whitelist approach and raises the level of security.
If you only ever store validated data in $clean, the only risk left is referencing an array element that does not exist, not operating on unfiltered, dangerous data.
The timing of data filtering
Once a PHP script starts executing, the HTTP request has been received in full. At that point the user has no further chance to send data to the script, so no new data can enter the script (even if register_globals is turned on). That is why initialising variables is such a good habit.