PHP-based web applications are becoming more and more secure, and the php.ini default of magic_quotes_gpc=On raises the baseline. Many programs also check get_magic_quotes_gpc() when they receive user input and, if the switch is off, escape the data with addslashes() themselves, so it is much harder to find a PHP program with an injection hole like the old ASP ones.
Cross-site scripting in PHP is actually easy to guard against: htmlentities() takes care of it. When you are producing an XML file, though, that function can cause problems, and it is enough to convert the five special characters by hand. The XML-file hazard from the previous article was really a CDATA-section problem; what is popular now is Ajax hacking. Roughly speaking, look at the following code:
if ($rssid == 0 OR $rssid == 7) {
} elseif (!empty($stmt)) {
    $dbinfo =& $db->getResultSet($stmt, array('pageSize' => $pagesize));
    if ($dbinfo === false) {
        // The replacement string was lost to HTML entity decoding in the copy of this
        // post; the filter is meant to turn "]]>" into "]]&gt;" so it cannot close the CDATA section.
        $msginfo = str_replace(']]>', ']]&gt;', $lang['tpl.str0']);
        $TPL_items .= <<<EOT
<item>
<title>{$msginfo}</title>
<link>{$fsetting['forumurl']}</link>
<author>{$fsetting['forumname']}</author>
<pubDate>{$datenow}</pubDate>
<description><![CDATA[{$msginfo}]]></description>
</item>
EOT;
    }
}
$msginfo is submitted by the user and then written into the RSS feed for aggregation. If the value of $msginfo is <script>alert('Loveshell')</script>, the RSS aggregator parses it and outputs it as is. If it is ]]><script>alert('Loveshell')</script>, the payload breaks out of the CDATA section and you get cross-site scripting. Look at his filter:
if ($dbinfo === false) {
    $msginfo = str_replace(']]>', ']]&gt;', $lang['tpl.str0']);
He was clearly aware of this, but the line <title>{$msginfo}</title> is the one that matters for understanding the problem.
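The two safe ways of emitting untrusted text into an RSS item that the passage above alludes to (escaping the five XML metacharacters, or keeping CDATA but neutralising every "]]>") are shown in the following added example. It is not code from the original post; the input value is a constructed hostile sample and the function names are my own.

```php
<?php
// Added example, not from the original post. Two ways to put untrusted text
// into an RSS element without letting it break out of that element.

// Constructed hostile sample: closes the CDATA section early, then injects markup.
$untrusted = ']]><script>alert(1)</script><![CDATA[';

// Option 1: escape the five XML metacharacters and emit plain text, no CDATA.
// This is what "convert the five characters by hand" means for XML output.
function xml_text(string $s): string {
    return str_replace(
        ['&', '<', '>', '"', "'"],
        ['&amp;', '&lt;', '&gt;', '&quot;', '&apos;'],
        $s
    );
}

// Option 2: keep CDATA but split every "]]>" so the terminator never appears
// inside the section. "]]]]><![CDATA[>" closes the section after "]]" and
// immediately reopens it before the ">", which is well-formed XML.
function cdata_text(string $s): string {
    return '<![CDATA[' . str_replace(']]>', ']]]]><![CDATA[>', $s) . ']]>';
}

// Both forms must be applied to every element, including <title>, which the
// post's snippet left unprotected.
echo '<title>' . xml_text($untrusted) . "</title>\n";
echo '<description>' . cdata_text($untrusted) . "</description>\n";

// Round-trip check: parse the result back and confirm the text node equals
// the original input, so nothing in it was interpreted as markup.
$doc = new DOMDocument();
$doc->loadXML('<item><t>' . xml_text($untrusted) . '</t><d>' . cdata_text($untrusted) . '</d></item>');
$items = $doc->getElementsByTagName('t');
var_dump($items->item(0)->textContent === $untrusted);
$items = $doc->getElementsByTagName('d');
var_dump($items->item(0)->textContent === $untrusted);
```

On PHP 5.4 and later, htmlspecialchars($s, ENT_XML1 | ENT_QUOTES, 'UTF-8') does the same job as xml_text() with a built-in function. Whichever form you pick, the round-trip check is the useful habit: if the parsed text node is not identical to what you put in, some of it became markup.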
But there are still many places where programmers get careless, and that is a matter of security awareness. For any user input, think ahead while you are writing the code: what type of input does the user provide? By what methods can the user submit it? How do I handle erroneous and unconventional input?
PHP's security is also embodied in safe_mode and open_basedir. Vulnerabilities in PHP's own internals directly affect these two very important security options. For example:
The error_log() safe_mode bypass.
Look at its signature: bool error_log(string message [, int message_type [, string destination [, string extra_headers]]])
It writes an error message to a file, so you can write this:
<?php
// message_type 3 appends the message to the file named in the third argument.
error_log("<? phpinfo();?>", 3, "test.php");
?>
Run this with safe_mode off and requesting test.php directly shows phpinfo(). With safe_mode on it produces an error, so write this instead:
<?php
error_log("<? phpinfo();?>", 3, "prefix://../../test.php");
?>
and you can see phpinfo() being executed again.