The PHP programmer's second required lesson: preventing site security problems

Source: Internet
Author: User

As PHP programmers, we learned the basic syntax in the first lesson. What should we learn once we are familiar with the basic syntax? I think it is security. Security is the cornerstone of a site: a single careless mistake can mean a catastrophic accident.

This lesson covers three of the simplest, but also the most important, security issues.

I'll make a supplement later.

1. Include

Sometimes we include a file based on the user's input, for example:

include $filename . '.php';

Suppose my $filename is a link to an external site, for example http://www.hack.com/hack. This will undoubtedly lead to a security vulnerability.

So when writing such an include statement, we must first check whether the file exists locally:

if (file_exists($filename . '.php')) include $filename . '.php';
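The file_exists() check above confirms that a file is present on the local disk, but it says nothing about whether the user should be allowed to include that file. The following added example (not code from the original post) shows the stricter pattern a reviewer would ask for: an allowlist of page names, plus a realpath() check that the resolved path stays inside the pages directory. The page names, the pages/ directory and the page query parameter are assumptions made for this example.

```php
<?php
// Added example (not from the original post): include a page chosen by user
// input without letting the input choose arbitrary files.

// Allowlist of page names that may be included. Anything not in this list is
// rejected, so URLs, "../" sequences and stream wrappers never reach include.
// The names are constructed for this example.
const ALLOWED_PAGES = ['home', 'about', 'contact'];

function resolve_page(string $requested, string $baseDir): ?string
{
    // 1. Only accept names that are exactly in the allowlist (strict compare).
    if (!in_array($requested, ALLOWED_PAGES, true)) {
        return null;
    }

    // 2. Defence in depth: confirm the resolved path is inside $baseDir.
    //    realpath() returns false when the file does not exist.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Assumed request parameter and directory layout for this example.
$requested = $_GET['page'] ?? 'home';
$path = resolve_page($requested, __DIR__ . '/pages');
if ($path === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $path;
```

Keeping allow_url_include disabled in php.ini (its default) is a separate, server-side guard against remote includes; the allowlist above is what protects against any local path the user might supply.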

2. XSS Injection

XSS injection, that is, cross-site scripting, refers to a user adding a script statement such as <script>alert("I'm hacking")</script> to their input.

Common points that are attacked by XSS include:

2.1 $_SERVER['PHP_SELF']

Instance:

<form method="POST" action="<?php echo $_SERVER['PHP_SELF']; ?>">

Suppose the user enters the URL

http://www.example.com/test_form.php/%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E

The form markup then becomes:

<form method="POST" action="test_form.php/"><script>alert('hacked')</script>">

and the JS code appended to the path is executed.


2.2 Script statements added to form input

Suppose the user adds a script statement to the content filled into a form.

If we do not process it and simply output it with echo, it will run in our web page, so data submitted from forms also has to be processed.

Instance:

<form method="POST" action="test_form.php"><input name="text" type="text" /></form>

Suppose I enter <script>alert('hacked')</script> in the input box, and the content of the input box is displayed on the page; the script will then run.


2.3 Processing methods

To prevent such attacks we can use a PHP function, htmlspecialchars(). It converts special characters to HTML entities, meaning that HTML characters such as < and > are replaced with &lt; and &gt;. In addition, we can also:

1. Remove unnecessary characters (extra spaces, tabs, line breaks) from user input with the PHP trim() function
2. Remove backslashes (\) from user input with the PHP stripslashes() function
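The following added example (not code from the original post) applies htmlspecialchars() to both cases above: the PHP_SELF value in the form action (2.1) and a form field echoed back to the page (2.2). The request values are constructed copies of the post's payloads. Note the flags: ENT_QUOTES also escapes single quotes, which matters inside attribute values; before PHP 8.1 the default flags left single quotes untouched.

```php
<?php
// Added example (not part of the original post): the outputs from sections
// 2.1 and 2.2 in hardened form. Input values below are constructed.

// Escape a value for insertion into HTML text or a quoted attribute.
// ENT_QUOTES escapes both quote kinds; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Section 2.1: PHP_SELF reflects the path the browser requested, so it must
// be escaped before being placed in the action attribute.
function form_action_html(string $phpSelf): string
{
    return '<form method="POST" action="' . h($phpSelf) . '">';
}

// Section 2.2: the same escaping applies to any form field echoed back.
// trim() and stripslashes() from the text above are applied first.
function echo_input_html(string $userText): string
{
    $clean = stripslashes(trim($userText));
    return '<p>You entered: ' . h($clean) . '</p>';
}

// Constructed request values mirroring the post's payloads. In a real page
// these come from $_SERVER['PHP_SELF'] and $_POST['text'].
$phpSelf  = '/test_form.php/"><script>alert(\'hacked\')</script>';
$userText = "  <script>alert('hacked')</script>  ";

echo form_action_html($phpSelf), "\n";
echo echo_input_html($userText), "\n";
```

In the output, the quote that closed the action attribute in the attack becomes &quot; and the angle brackets become &lt; and &gt;, so the browser renders the payload as text instead of executing it.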


3. SQL injection

The main tactic of this attack is to include injected SQL statements in form input.

For example, take the following login form:

<form method="POST" action="test_form.php"><input name="id" type="text" /><input name="password" type="password" /></form>

Suppose I enter name; DROP table * in the id box, and the backend builds the query as "select * from user where id=" . $id;

The SQL statement then becomes

select * from user where id=name; drop table *;

All the data tables are then deleted. Therefore it is particularly important to prevent SQL injection.


Processing method:

PHP has a special function, mysql_real_escape_string($sql); it escapes special characters in an SQL statement.

For data submitted from input boxes, if a database operation is involved, we need to process it with the above function.

Instance:

$user = mysql_real_escape_string($user);
$pwd  = mysql_real_escape_string($pwd);
$sql  = "SELECT * FROM users WHERE user='" . $user . "' AND password='" . $pwd . "'";
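Two caveats a reviewer would raise here. First, mysql_real_escape_string() belongs to the mysql extension, which was deprecated in PHP 5.5 and removed in PHP 7.0. Second, escaping only helps inside a quoted string literal: it escapes quotes, backslashes and a few control characters, not the ; in the post's own unquoted "where id=" . $id example. The added example below (not code from the original post) rewrites both queries with PDO prepared statements, which separate the query text from the values. The DSN, credentials and column names are assumed for this example.

```php
<?php
// Added example (not from the original post): the queries from section 3
// rewritten with PDO prepared statements. Connection details are placeholders.

function find_user(PDO $db, string $user, string $pwd): ?array
{
    // Placeholders keep the query text fixed; the values are sent separately
    // and are never parsed as SQL, whatever characters they contain.
    // (The post compares plaintext passwords; production code should store
    // password_hash() digests and compare with password_verify().)
    $stmt = $db->prepare('SELECT * FROM users WHERE user = :user AND password = :pwd');
    $stmt->execute([':user' => $user, ':pwd' => $pwd]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function find_by_id(PDO $db, string $id): ?array
{
    // The unquoted "where id=" . $id case: a bound integer parameter means
    // "name; drop table *" can never become part of the statement. A
    // non-numeric value casts to 0 and simply matches nothing.
    $stmt = $db->prepare('SELECT * FROM user WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Assumed connection settings for this example.
$db = new PDO('mysql:host=localhost;dbname=app_db;charset=utf8mb4', 'app_user', 'app_password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    // Use real server-side prepared statements, not client-side emulation.
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$row = find_user($db, $_POST['user'] ?? '', $_POST['password'] ?? '');
echo $row === null ? "Login failed\n" : "Welcome, {$row['user']}\n";
```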


4. Email injection

This concerns a narrower audience: it is about preventing your page from being abused to send email.

Instance:

Assume that the user enters the following in the email field:

[email protected]%0ACc:[email protected]%0ABcc:[email protected],[email protected],[email protected],[email protected]%0ABTo:[email protected]

When the message is sent, this text is inserted into the message headers, so the message is also sent to all of these users.



<?php
if (isset($_REQUEST['email'])) {
    // if "email" is filled out, send email
    $email   = $_REQUEST['email'];
    $subject = $_REQUEST['subject'];
    $message = $_REQUEST['message'];
    mail("[email protected]", "Subject: $subject", $message, "From: $email");
    echo "Thank you for using our mail form";
} else {
    // if "email" is not filled out, display the form
    echo "<form method='post' action='mailform.php'>
          Email: <input name='email' type='text' /><br />
          Subject: <input name='subject' type='text' /><br />
          Message:<br />
          <textarea name='message'></textarea><br />
          <input type='submit' />
          </form>";
}
?>


To prevent email injection, we need to process the message information entered by the user. Here we can filter the text using filter_var():

function spamcheck($field)
{
    // filter_var() sanitizes the e-mail address using FILTER_SANITIZE_EMAIL
    $field = filter_var($field, FILTER_SANITIZE_EMAIL);

    // filter_var() validates the e-mail address using FILTER_VALIDATE_EMAIL
    if (filter_var($field, FILTER_VALIDATE_EMAIL)) {
        return TRUE;
    } else {
        return FALSE;
    }
}

Filter constants:
FILTER_SANITIZE_EMAIL removes illegal characters from an e-mail address string
FILTER_VALIDATE_EMAIL validates an e-mail address
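Two points about spamcheck() that a practitioner should keep in mind: it sanitizes a copy and then validates that copy, so a caller that still passes the raw $_REQUEST value to mail() gains nothing, and it checks only the address, while the subject is written into a header line too. The added example below (not code from the original post) validates the raw address, rejects CR/LF in the subject, and only then calls mail(). The recipient address and the sample inputs are constructed for this example.

```php
<?php
// Added example (not from the original post): header-injection checks for
// the mail form in section 4. Sample inputs and the recipient are constructed.

// Returns the validated address or null. The raw value is validated, not a
// sanitized copy: FILTER_VALIDATE_EMAIL rejects CR and LF, so an address that
// passes cannot carry an injected Cc/Bcc header.
function clean_email(string $raw): ?string
{
    $ok = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $ok === false ? null : $ok;
}

// The subject also becomes a header line, so a line break inside it would
// start a new header. Reject it outright rather than trying to repair it.
function clean_header_text(string $raw): ?string
{
    if (preg_match('/[\r\n]/', $raw) === 1) {
        return null;
    }
    return trim($raw);
}

function send_contact_mail(array $request, string $to): string
{
    $email   = clean_email($request['email'] ?? '');
    $subject = clean_header_text($request['subject'] ?? '');
    $message = $request['message'] ?? '';
    if ($email === null || $subject === null) {
        return 'Invalid input';
    }
    // The body may contain newlines freely; only header values are checked.
    $sent = mail($to, $subject, $message, "From: $email\r\nReply-To: $email");
    return $sent ? 'Thank you for using our mail form' : 'Sending failed';
}

// Constructed inputs: a normal submission and the post's injection payload
// (decoded, with placeholder addresses).
$benign = ['email' => 'user@example.com', 'subject' => 'Hello', 'message' => 'Hi'];
$hostile = [
    'email'   => "user@example.com\nBcc:victim1@example.com,victim2@example.com",
    'subject' => 'Hello',
    'message' => 'Hi',
];

// Assumed recipient placeholder; replace with the real mailbox.
echo send_contact_mail($benign, 'webmaster@example.com'), "\n";
echo send_contact_mail($hostile, 'webmaster@example.com'), "\n";
```

The second call is rejected before mail() runs, because the newline in the email field fails FILTER_VALIDATE_EMAIL. Logging such rejections is a cheap way to notice a form being probed for header injection.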

