HTTP attack and prevention PHP Security Configuration-php Tutorial


1. What is security?

Security here means protecting web applications and web pages from attackers. Some intruders break into other people's computers purely for fun, but more of them are trying to steal confidential files or even bring the whole machine down to reach their goal. Plenty of tools that make this possible are freely available on the Internet, and most of them are easy to use, so attacking a computer is not very difficult even for ordinary people. What protection does your computer have? If the answer is only anti-virus software or a firewall, you do not yet understand what security really means.


2. register_globals

Since PHP 4.2.0, the default value of the register_globals directive in php.ini is Off. When register_globals is On, the script receives every request variable from the server, including the values submitted by an HTML form or appended to the URL, as an ordinary PHP variable. Because PHP does not require a variable to be initialized before it is used, this makes it easy to write insecure code: when a variable is read, nobody can tell where its value came from. Disabling the option was a hard decision, but the PHP community chose to turn it off by default. With register_globals Off, the script's own internal variables are no longer mixed with the variables sent by the client.


3. Safe mode

Safe mode is used by PHP to restrict access to files, restrict access to environment variables, and control the execution of external programs.

Because the web server runs as a single system user, that user account must be able to read every user's files. This means that any code executed on the web server can access every user's files. PHP safe mode places some restrictions on such multi-user systems so that scripts run safely. Safe mode can only restrict PHP scripts; it cannot restrict external programs executed by PHP, so executable programs that outside users should not be able to run must be placed in a protected directory. To enable PHP safe mode, set the safe_mode directive in php.ini to On:

safe_mode = On


Example 1:

The content of test.php is as follows:

 

When register_globals in php.ini is Off

Visit: http://localhost/test.php?authorized=1

Output result:

The variable is not assigned a value.


When register_globals in php.ini is On

Attack:

The variable is not initialized, so you can assign a value to it through the URL.

The output result is

Variable assignment


Protection:

Variable initialization prevents variable assignment attacks through URLs.

You need to change the code:

     

Example 2:

For example, the content of test.php is as follows:

      

When you access http://localhost/test.php,

Output: The visitor has not logged on.


Attack:

Append ?_SESSION[username]=admin to the URL:

http://localhost/test.php?_SESSION[username]=admin

Output: visitor: admin


Protection:

session_start() starts the session and reads the values from the session store, which prevents session variables from being injected through the URL.

Changed code:


       
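The following is an added example for Examples 1 and 2; it is not the page's own test.php. Because register_globals was removed in PHP 5.4, its effect (every query parameter becoming a PHP variable before the script runs) is simulated with parse_str() and extract(); the function names are this example's own.

```php
<?php
// Added example for Examples 1 and 2 (not the page's own test.php).
// register_globals was removed in PHP 5.4; its effect, every query parameter
// becoming a PHP variable before the script runs, is simulated with parse_str()
// and extract().

// "_SESSION[username]=admin" decodes to ['_SESSION' => ['username' => 'admin']],
// which is why the Example 2 URL could define the whole session array.
function requestVars(string $query): array
{
    parse_str($query, $vars);
    return $vars;
}

// Example 1, vulnerable: $authorized is never initialised, so the value
// imported from ?authorized=1 is what gets checked.
function example1Vulnerable(string $query): string
{
    extract(requestVars($query));                 // simulates register_globals=On
    if (isset($authorized) && (int) $authorized === 1) {
        return 'Variable assignment';             // branch chosen by the request
    }
    return 'The variable is not assigned a value.';
}

// Example 1, protected: the script assigns $authorized itself after the import,
// so the request value is discarded. Real code would set it to true only after
// its own login check (omitted here).
function example1Safe(string $query): string
{
    extract(requestVars($query));
    $authorized = false;                          // initialised by the script
    return $authorized ? 'Variable assignment' : 'The variable is not assigned a value.';
}

// Example 2: the greeting is the same; what matters is where $session came from.
function greet(array $session): string
{
    return isset($session['username']) ? 'visitor: ' . $session['username'] : 'The visitor has not logged on.';
}

$query = '_SESSION[username]=admin';
// Vulnerable: no session_start(), so the request alone defines the session array.
echo greet(requestVars($query)['_SESSION'] ?? []), "\n";
// Protected: session_start() loads $_SESSION from the server-side store, which
// replaces anything the request defined; an empty array stands in for that store.
$serverSideStore = [];
echo greet($serverSideStore), "\n";
echo example1Vulnerable('authorized=1'), "\n";
echo example1Safe('authorized=1'), "\n";
```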

Example 3:

When allow_url_fopen = On in php.ini

The content in demo.php is as follows:

        
The content in test.php is:


         

When accessing the URL:

http://localhost/demo.php

Output: The file is not called.


Attack:

Append ?path=test.php to the link:

Access http://localhost/demo.php?path=test.php

Output: this is test.php. File is called.


Protection:

Initialize the path variable.
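The following is an added example for Example 3; demo.php and test.php are not reproduced from the page. Besides the page's fix (initialising $path), it goes further and only includes files from an allowlist inside one directory, which also blocks remote URLs when allow_url_fopen is On; the directory name, the allowlist and the function name are assumptions.

```php
<?php
// Added example for Example 3 (demo.php and test.php are not reproduced).
// With register_globals=On, ?path=test.php defined $path and `include $path`
// ran it; with allow_url_fopen=On the same line can include a remote URL.
// Beyond the page's fix (initialise $path), this resolver only includes files
// from an allowlist inside one directory. Directory and allowlist are assumed.

const INCLUDE_DIR = __DIR__ . '/pages';            // assumed location of includable files
const ALLOWED_PAGES = ['test.php', 'about.php'];   // constructed allowlist

// Returns the absolute path to include, or null when nothing may be included.
function resolveInclude(?string $requested): ?string
{
    $path = null;                                  // initialised: default is "no file"
    if ($requested === null || $requested === '') {
        return $path;
    }
    // An exact allowlist match rejects http://, php://, ../ and absolute paths.
    if (!in_array($requested, ALLOWED_PAGES, true)) {
        return $path;
    }
    $base      = realpath(INCLUDE_DIR);
    $candidate = realpath(INCLUDE_DIR . '/' . $requested);
    // Defence in depth: the resolved file must still sit below INCLUDE_DIR.
    if ($base === false || $candidate === false
        || strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return $path;
    }
    return $candidate;
}

// Request handling as demo.php would do it. $path is assigned by the script
// from resolveInclude(), so a value pre-set by register_globals is overwritten
// and the request never reaches `include` directly.
$path = resolveInclude($_GET['path'] ?? null);
if ($path === null) {
    echo "The file is not called.\n";
} else {
    include $path;
}
```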


Note:

You can call the ini_get_all() function to display PHP's configured values.

For example:

    <?php
    echo "<pre>";          // wraps the dump in <pre> so it stays readable in a browser
    print_r(ini_get_all());
    echo "</pre>";
    ?>

The running result is as follows:



You can also modify configuration values from within a PHP file with ini_set(), for the directives that allow it.
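As an added example (not from the page), the following audit reads just the directives this page discusses with ini_get() instead of dumping everything with ini_get_all(), and shows the limit of ini_set(): allow_url_fopen is a PHP_INI_SYSTEM directive, so it cannot be changed from a PHP file. The function names are this example's own; it assumes PHP 7.1 or later.

```php
<?php
// Added example (not from the page): audits the directives discussed above and
// demonstrates that ini_set() is refused for directives that are not PHP_INI_ALL.

// ini_get() returns the raw php.ini string ("1", "On", "0", "") or false when the
// directive does not exist in this PHP version; normalise it to a boolean.
function iniBool(string $directive): ?bool
{
    $raw = ini_get($directive);
    if ($raw === false) {
        return null;                                  // directive not present
    }
    return filter_var($raw, FILTER_VALIDATE_BOOLEAN);
}

// Returns a list of findings; an empty list means every directive is as expected.
function auditConfiguration(): array
{
    $expectations = [
        // directive => [expected value, risk when it differs]
        'register_globals'  => [false, 'request parameters become PHP variables (Examples 1 and 2)'],
        'safe_mode'         => [true,  'file, environment and exec restrictions are not applied'],
        'allow_url_fopen'   => [false, 'include/fopen can open remote URLs (Example 3)'],
        'allow_url_include' => [false, 'include/require can execute remote code'],
    ];
    $findings = [];
    foreach ($expectations as $directive => $spec) {
        list($expected, $risk) = $spec;
        $actual = iniBool($directive);
        if ($actual === null) {
            // register_globals and safe_mode were removed in PHP 5.4, so on current
            // PHP they land here rather than in the "risky" branch.
            $findings[] = "$directive: not present in this PHP version";
        } elseif ($actual !== $expected) {
            $findings[] = "$directive is " . ($actual ? 'On' : 'Off') . ": $risk";
        }
    }
    return $findings;
}

// ini_set() only works for PHP_INI_ALL directives; it returns false when the
// change is not permitted. allow_url_fopen is PHP_INI_SYSTEM and must be set in php.ini.
function tryRuntimeChange(string $directive, string $value): bool
{
    return ini_set($directive, $value) !== false;
}

foreach (auditConfiguration() as $finding) {
    echo $finding, "\n";
}
echo 'ini_set(allow_url_fopen) at runtime: ',
    tryRuntimeChange('allow_url_fopen', '0') ? 'changed' : 'not permitted', "\n";
```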
