Php application security protection technology research

Php application security protection technology research _ PHP Tutorial

Last Update:2017-05-13 Source: Internet

Author: User

Tags php write

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

Php application security protection technology research. PHP Security Defense program model Copy code: * PHP anti-injection cross-site V1.0 add at the top of your page: require ("menzhi_injection.php"); to achieve general prevention of SQL injection, PHP Security Defense program model

The code is as follows:

/* PHP anti-injection cross-site V1.0
Add require ("menzhi_injection.php") at the top of your page ");
To prevent SQL injection and cross-site XSS vulnerabilities.
################## Defects and improvements ##################
There are still many defects in the program. I hope you can help improve it.
################## Reference and appreciation ##################
Neeao 'asp SQL universal anti-injection program V3.0
Some code can be found in Discuz!
*/
Error_reporting (0 );
Define ('Magic _ QUOTES_GPC ', get_magic_quotes_gpc ());
$ Menzhi_injection = "'|; | and | (|) | exec | insert | select | delete | update | count | * | % | chr | mid | master | truncate | or | char | declare ";
$ Menzhi_injection = explode ("|", $ menzhi_injection );
Foreach (array ('_ get',' _ post', '_ COOKIE', '_ request') as $ _ REQUEST ){
Foreach ($ _ request as $ _ key => $ _ value ){
// $ _ Value = strtolower ($ _ value );
$ _ Key {0 }! = '_' & $ _ Key = daddslashes ($ _ value );
Foreach ($ menzhi_injection as $ kill_key => $ kill_value ){
If (substr_count ($ _ value, $ kill_value)> 0 ){
Echo "";
Unset ($ _ value );
Exit ();
}
}
// Echo"
". $ _ Value;
}
}
Function daddslashes ($ string ){
If (! MAGIC_QUOTES_GPC ){
If (is_array ($ string )){
Foreach ($ string as $ key => $ val ){
$ String [$ key] = daddslashes ($ val );
}
} Else {
$ String = addslashes ($ string );
}
}
$ String = preg_replace ('/& (# (\ d {} | x [a-fA-F0-9] {4});)/', '& \ 1 ', str_replace (array ('&', '"', '<', '>'), array ('&', '"', '<', '> '), $ string ));
Return $ string;
}
?>

Instructions for Use
Add "require (" menzhi_injection.php ");" at the top of your page to prevent SQL injection and cross-site XSS vulnerabilities. To call this program, we use require () instead of include (), because if the require () call file fails, the program will be terminated. include () does not care. In addition, when require () calls a file, the program first calls the file. Inculde () is run to this row before execution starts. Based on the function features, we select require (). You can also add or delete filter characters in the $ menzhi_injection variable as needed to achieve better defense. In addition, you can modify the code on your own, which may be an unexpected result. Normal injection can defend against attacks. The following test is only for ridicule. the test result of a Trojan is as follows:

Hey, you can call it at the top of your page. Remember "require (" menzhi_injection.php. This is just a gimmick of interest to everyone. Please test it on your own.
Defects and to be improved
Because this program is only an external call, it only processes the variables submitted by the external, and does not perform system analysis on your application, so there are many limitations, please use it with caution. For programs using GBK encoding, there is also a risk of dual-byte encoding, although this program can handle this vulnerability. However, to curb these vulnerabilities, we still need to start from the root cause. To process the database connection file, we can add character_set_client = binary. Discuz! 7.0 of database connection classes db_mysql.class.php write very well, you can refer to for reference. Of course, these are not the scope of this small program.
In addition, this program does not filter the $ _ SERVER $ _ ENV $ _ FILES system variables. For example, when the $ _ SERVER ['http _ X_FORWARDED_FOR '] system obtains an IP address, hackers can hijack and modify the original HTTP request package to change its value. this program can handle these vulnerabilities. But as a programmer, what we need is to process external variables at the root of the source, to prevent them from happening before they happen. let's plan ahead.
The program is very messy. You are welcome to test it. please contact me if you have any suggestions.
Conclusion
Finally, I wish you a successful learning and a smooth job. I would like to pay tribute to all the PHPers who have worked hard.

The authorization code is as follows:/* PHP anti-injection cross-site V1.0 add at the top of your page: require ("menzhi_injection.php"); to achieve general protection against SQL injection ,...

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More