Never trust external data or input
The first thing to understand about web application security is that external data must never be trusted. External data means anything the programmer did not write literally into the PHP source: GET variables, form POST fields, database rows, configuration files, session variables, cookies, and so on. All of it is untrusted until code you control has validated it.
For example, the following values can be considered safe because they are hard-coded in the PHP source.
Listing 1. Safe, flawless code
<?php
$myUsername = 'tmyer';
$arrayUsers = array('tmyer', 'tom', 'tommy');
define("GREETING", 'hello there ' . $myUsername);
?>
However, the following values are tainted.
Listing 2. Unsafe, flawed code
<?php
$myUsername = $_POST['username']; // tainted!
$arrayUsers = array($myUsername, 'tom', 'tommy'); // tainted!
define("GREETING", 'hello there ' . $myUsername); // tainted!
?>
Why is $myUsername tainted? Because it comes straight from a form POST. The user can type any string into that field, including commands that delete files or execute a file they uploaded earlier; the string is harmless while it sits in a variable, but it becomes dangerous the moment it reaches a shell, a database query, the filesystem, or an include. You might ask, "Can't a client-side JavaScript validation script that only accepts the letters A-Z prevent this?" Client-side checks are a reasonable usability step, but, as you will see later, anyone can save the form to their own machine, edit it, and resubmit whatever they like, or skip the form entirely and send the POST request directly.
The solution is straightforward: you must run cleanup code on $_POST['username'] before using it. If you do not, the taint spreads to everything built from $myUsername, such as the array and the constant above.
A simple way to clean user input is to run it through a regular expression. In this example only letters are accepted. It is also a good idea to cap the string at a fixed number of characters and to force all letters to lowercase.
Listing 3. Making user input safe
<?php
$myUsername = cleanInput($_POST['username']); // clean!
$arrayUsers = array($myUsername, 'tom', 'tommy'); // clean!
define("GREETING", 'hello there ' . $myUsername); // clean!

function cleanInput($input) {
    $clean = strtolower($input);                    // normalize to lowercase
    $clean = preg_replace("/[^a-z]/", "", $clean);  // drop everything except a-z
    $clean = substr($clean, 0, 12);                 // cap the length at 12
    return $clean;
}
?>
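As an added example (not code from the original article or its author), here is a stricter variant of the same idea that also covers the point above about client-side checks being bypassable. It assumes PHP 7.1 or later; validateUsername(), handleLogin(), the example.test URL and the sample $_POST arrays are names and data invented for this illustration. Where cleanInput() silently rewrites bad input, this version rejects it, and it handles two cases Listing 3 does not: the field being absent, and the attacker sending an array (username[]=x) instead of a string.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from the original article.
// validateUsername(), handleLogin() and the sample requests below are
// assumed names and constructed data.

// Same policy that cleanInput() enforces: 1 to 12 lowercase letters.
const USERNAME_PATTERN = '/^[a-z]{1,12}$/';

/**
 * Returns the lowercased username if it satisfies the policy, null otherwise.
 * Nothing is stripped or truncated: "tom; rm -rf /" is rejected instead of
 * being silently turned into "tomrmrf", and "tommyandfriends" is rejected
 * instead of being cut to "tommyandfrie". Silent repair can map a malicious
 * or mistyped name onto a different, legitimate account.
 */
function validateUsername($input): ?string
{
    // $_POST values are untrusted in type as well as content: a body of
    // "username[]=x" makes $_POST['username'] an array, and strtolower()
    // on an array raises a TypeError on PHP 8 (a warning and null earlier).
    if (!is_string($input)) {
        return null;
    }
    $candidate = strtolower($input);
    return preg_match(USERNAME_PATTERN, $candidate) === 1 ? $candidate : null;
}

/**
 * Request handler: everything in $post is tainted until validated, and the
 * code that uses the value only ever sees the validated copy.
 */
function handleLogin(array $post): string
{
    $username = validateUsername($post['username'] ?? null);
    if ($username === null) {
        http_response_code(400);   // reject; do not try to repair
        return 'invalid username';
    }
    // $username is now safe to put in arrays and constants; it is still
    // encoded for the HTML sink, because validation and output encoding
    // are separate steps.
    return 'hello there ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
}

// Constructed sample submissions. None of them is stopped by a client-side
// JavaScript check, because an attacker sends the request directly, e.g.
//   curl -d 'username=tom; rm -rf /' https://example.test/login.php
$samples = [
    ['username' => 'Tmyer'],            // accepted, normalized to "tmyer"
    ['username' => 'tom; rm -rf /'],    // rejected (cleanInput() gives "tomrmrf")
    ['username' => 'tommyandfriends'],  // rejected (cleanInput() gives "tommyandfrie")
    ['username' => ['x']],              // rejected: array, not a string
    [],                                 // rejected: field missing
];
foreach ($samples as $post) {
    echo handleLogin($post), "\n";
}
```

Run it from the command line with php to see one accepted greeting followed by four rejections. The design choice is that a whitelist check which says no is safer than a cleaner which says yes after rewriting, because the rewritten value may no longer be the one the user meant, and the code downstream has no way to tell.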
Source: http://www.bkjia.com/PHPjc/486151.html