Php file system security and prevention measures

Source: Internet
Author: User
PHP Security-file system security and prevention measures PHP complies with the security mechanisms of most server systems regarding file and directory permissions. This allows the administrator to control which files are readable in the file system. You must pay special attention to the global readable files and ensure that each user with permissions can read these files securely.

PHP is designed to access the file system at the user level, so it is entirely possible to write a piece of PHP code to read system files such as/etc/passwd, change the network connection and send a large number of print tasks. Therefore, make sure that PHP code is suitable for reading and writing files.

See the following code to delete an object in your home directory. In this case, the file system is managed through the web interface. Therefore, Apache users have the right to delete files in the user directory.

Example #1 if you do not perform a security check on variables ......

 

Since the username and filename variables can be submitted through the user form, you can submit other users' usernames and file names, or even delete files that should not be deleted by them. In this case, you must consider other authentication methods. Think about what will happen if the submitted variables are "../etc/" and "passwd. The above code is equivalent:

Example #2 ...... File system attacks

 

There are two important measures to prevent such problems.

Only PHP web users have limited permissions.

Check all submitted variables.

The following is an improved script:

Example #3 more secure file name check

 

However, this is still flawed. If the authentication system allows users to create their own login usernames, and the user chooses to use "../etc/" as the username, the system will fall again. Therefore, we need to strengthen the inspection:

Example #4 safer file name check

 

There are various files to be aware of, depending on the operating system, including the device (/dev/or COM1), configuration file (/ect/file and. INI files), common storage areas (/home/or My Documents), and so on. For this reason, it is usually easier to establish a policy to prohibit all permissions, but only explicitly allow permissions.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.