Objective
I believe we all know that PHP is the best language in the world, and the problems of PHP itself count as one aspect of web security. Two characteristics of PHP stand out: it is weakly typed, and its built-in functions handle incoming parameters loosely.
This article mainly records the problems with PHP functions and with PHP's weak typing that I ran into on an attack and defense platform. It should be a useful reference for anyone learning or using PHP, so let's take a look.
Introduction to PHP Weak types
Part of the reason PHP is so powerful is that it gives developers many unique features, one of which is its weak type mechanism.
In PHP, you can do the following:
$param = 1;
$param = array();
$param = "stringg";
A weakly typed language places no restriction on the data type of a variable: you can assign a value of any other type to a variable at any time, and a variable can be converted to any other type of data.
Type conversion issues
Type conversion is unavoidable. For example, a GET or POST parameter may need to be converted to an int, or two variables may not match in type, in which case PHP converts them automatically. Because PHP is a weakly typed language, these conversions produce many unexpected results.
Comparison operators
Type conversion
In a $a == $b comparison:
$a = null; $b = false; // true
$a = ''; $b = null; // true
There are many more examples like these, in which the two values compare as equal.
Type conversion also causes problems when the comparison operators are used, as follows:
0 == '0' // true
0 == 'abcdefg' // true
0 === 'abcdefg' // false
1 == '1abcdef' // true
When variables of different types are compared, they are converted first, and the result after the conversion may not be what was intended.
Hash comparison
Besides the cases above, hash comparisons are also affected, as follows:
"0e132456789" == "0e7124511451155" // true
"0e123456abc" == "0e1dddada" // false
"0e1abc" == "0" // false: "0e1abc" does not match 0e\d+
When a comparison is performed, a string of the form 0e\d+ is parsed as a number in scientific notation. So the 2 values in the first example above are both 0 and therefore equal. If a string does not match the pattern 0e\d+, the values are not equal. The "MD5 collision" challenge on the attack and defense platform tests this.
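The comparison above applied to stored digests, as an added example that is not part of the original article: verify_loose() reproduces the == behavior, verify_strict() uses hash_equals() (PHP 5.6 or later), and compared_as_number() flags digests that == would treat as numbers. The function names are hypothetical and the digest values are constructed.

```php
<?php
// Added example; function names are hypothetical, digest values are constructed.

function verify_loose($expected, $supplied)
{
    // Two numeric-looking strings are compared as numbers, so any two
    // values of the form 0e\d+ both evaluate to 0 and "match".
    return $expected == $supplied;
}

function verify_strict($expected, $supplied)
{
    // Reject non-strings, then compare byte by byte in constant time.
    return is_string($expected) && is_string($supplied)
        && hash_equals($expected, $supplied);
}

function compared_as_number($digest)
{
    // A stored digest is exposed to the == problem when PHP considers
    // the whole string numeric (for example 0e followed only by digits).
    return is_string($digest) && is_numeric($digest);
}

// The two strings from the text, standing in for digests of different inputs.
$stored   = '0e132456789';
$supplied = '0e7124511451155';

var_dump(verify_loose($stored, $supplied));   // the loose check accepts the pair
var_dump(verify_strict($stored, $supplied));  // the strict check rejects it
var_dump(verify_strict($stored, $stored));    // identical digests still pass

// Audit a constructed list of stored digests for values == would mishandle.
$digests = array('0e132456789', '0e123456abc', 'a3f1c09e');
foreach ($digests as $d) {
    $verdict = compared_as_number($d) ? 'numeric: at risk with ==' : 'ok';
    printf("%-14s %s\n", $d, $verdict);
}
```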
Hexadecimal conversion
Comparisons involving hexadecimal strings have a problem as well.
Examples are as follows:
"0x1e240" == "123456" // true
"0x1e240" == 123456 // true
"0x1e240" == "1e240" // false
When one of the strings starts with 0x, PHP parses the string as hexadecimal, converts it to decimal and then compares. 0x1e240 becomes decimal 123456, so it is equal to 123456 both as an int and as a string. The "Naming is really hard" challenge on the attack and defense platform tests this feature.
Type conversions
The common conversions are int to string and string to int.
int to string:
$var = 5;
Method 1: $item = (string) $var;
Method 2: $item = strval($var);
string to int: the intval() function.
For this function, look at these examples first.
var_dump(intval('2')); // 2
var_dump(intval('3abcd')); // 3
var_dump(intval('abcd')); // 0
As these show, intval() converts from the start of the string until it meets a non-numeric character. Even when the string cannot be converted at all, intval() does not raise an error; it returns 0.
The MySQL challenge on the attack and defense platform tests this intval() behavior.
At the same time, programmers should not write code like this:
if (intval($a) > 1000) {
    mysql_query("SELECT * FROM news WHERE id=" . $a);
}
In this case the value of $a may be 1002 union ....
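A stricter version of the check above, as an added example that is not part of the original article: the id is validated as a whole-string integer and bound to a prepared statement instead of being concatenated. parse_news_id(), fetch_news() and the news table layout are assumptions, and an in-memory SQLite database (pdo_sqlite) stands in for MySQL so the example runs offline.

```php
<?php
// Added example; parse_news_id(), fetch_news() and the table are hypothetical.

function parse_news_id($raw)
{
    // FILTER_VALIDATE_INT looks at the whole string, so "1002 union ....",
    // "3abcd" and "abcd" are rejected instead of being cut down to a number.
    if (!is_string($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, array(
        'options' => array('min_range' => 1001), // same bound as "> 1000"
    ));
    return $id === false ? null : $id;
}

function fetch_news(PDO $db, $raw)
{
    $id = parse_news_id($raw);
    if ($id === null) {
        return null; // refuse to query with unvalidated input
    }
    // The validated integer is bound; the SQL text never contains user input.
    $stmt = $db->prepare('SELECT id, title FROM news WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO news VALUES (1002, 'constructed row')");

$input = '1002 union ....';            // the input shape given in the text
var_dump(intval($input) > 1000);       // the original check accepts it
var_dump(parse_news_id($input));       // strict validation rejects it
var_dump(fetch_news($db, '1002'));     // a clean id returns the row
var_dump(fetch_news($db, $input));     // the rejected input never reaches SQL
```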
The looseness of built-in function parameters
The looseness of built-in functions means that a function can be called with an argument of a type it is not meant to accept. This is awkward to explain in the abstract, so real examples illustrate it better; the following sections focus on several such functions.
md5()
$array1[] = array(
    "foo" => "bar",
    "bar" => "foo",
);
$array2 = array("foo", "bar", "hello", "world");
var_dump(md5($array1) == md5($array2)); // true
The PHP manual describes the md5() function as string md5 ( string $str [, bool $raw_output = false ] ): md5() needs an argument of type string. But when you pass an array, md5() does not raise an error; it simply cannot compute the MD5 value of the array correctly, so the MD5 values of any 2 arrays compare as equal. The "bypass again" challenge on the attack and defense platform also tests this md5() behavior.
strcmp()
The official PHP manual describes strcmp() as int strcmp ( string $str1 , string $str2 ): you need to pass strcmp() 2 arguments of type string. If str1 is less than str2 it returns -1, if they are equal it returns 0, otherwise it returns 1. In essence, strcmp() compares strings by converting the two variables to ASCII, subtracting, and determining the return value from the result of that operation.
What if the argument passed to strcmp() is an array?
$array = [1, 2, 3];
var_dump(strcmp($array, '123')); // null; in a sense null is equivalent to false
The "pass check" challenge on the attack and defense platform tests this strcmp() behavior.
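A type guard for the md5() and strcmp() cases above, as an added example that is not from the original article. The loose functions reproduce the behavior described in the text, which applies to PHP 5 and 7 (PHP 8 throws a TypeError for an array argument), and the strict functions check the type first; function names are hypothetical and sample values are constructed.

```php
<?php
// Added example; function names are hypothetical, sample values are constructed.

function equal_loose($input, $secret)
{
    try {
        // PHP 5/7: strcmp() given an array warns and returns NULL, and NULL == 0.
        return @strcmp($input, $secret) == 0;
    } catch (TypeError $e) {
        return false; // PHP 8 throws instead of returning NULL
    }
}

function same_md5_loose($a, $b)
{
    try {
        // PHP 5/7: md5() of any array is NULL, so two arrays always "match".
        return @md5($a) == @md5($b);
    } catch (TypeError $e) {
        return false; // PHP 8 throws here as well
    }
}

function equal_strict($input, $secret)
{
    // Check the type before the string function ever sees the value.
    return is_string($input) && hash_equals($secret, $input);
}

function same_md5_strict($a, $b)
{
    return is_string($a) && is_string($b) && md5($a) === md5($b);
}

$secret = 'constructed-secret';
$array1 = array('foo' => 'bar');   // array inputs like those in the text
$array2 = array(1, 2, 3);

var_dump(equal_loose($array2, $secret));       // depends on the PHP version
var_dump(same_md5_loose($array1, $array2));    // depends on the PHP version
var_dump(equal_strict($array2, $secret));      // rejected on every version
var_dump(same_md5_strict($array1, $array2));   // rejected on every version
var_dump(equal_strict('constructed-secret', $secret)); // the real value passes
```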
switch()
If a switch statement has numeric case labels, switch converts its argument to the int type. As follows:
$i = "2abc";
switch ($i) {
case 0:
case 1:
case 2:
    echo "i is less than 3 but not negative";
    break;
case 3:
    echo "i is 3";
}
This time the program outputs i is less than 3 but not negative, because switch() converts the type of $i and the result of the conversion is 2.
in_array()
The PHP manual describes the in_array() function as bool in_array ( mixed $needle , array $haystack [, bool $strict = FALSE ] ). If the strict parameter is not provided, in_array() uses a loose comparison to determine whether $needle is in $haystack. When the value of strict is true, in_array() also compares the type of the needle with the types of the values in the haystack.
$array = [0, 1, 2, '3'];
var_dump(in_array('abc', $array)); // true
var_dump(in_array('1bc', $array)); // true
Both calls above return true because 'abc' is converted to 0 and '1bc' to 1.
array_search() has the same problem as in_array().
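Strict versions of the switch(), in_array() and array_search() checks above, as an added example that is not part of the original article; the function names are hypothetical. The loose results shown in the text are those of PHP before version 8, which changed string-to-number comparison, while the strict forms below behave the same on every version.

```php
<?php
// Added example; function names are hypothetical.

function is_allowed($needle, array $allowed)
{
    // Third argument true: compare with ===, so 'abc' never matches int 0.
    return in_array($needle, $allowed, true);
}

function position_of($needle, array $haystack)
{
    // array_search() returns the key, which can be 0; only === false means
    // "not found". Strict mode again avoids the loose comparison.
    $key = array_search($needle, $haystack, true);
    return $key === false ? null : $key;
}

function describe($i)
{
    // Accept only strings made entirely of digits, then switch on a real int.
    if (!is_string($i) || !ctype_digit($i)) {
        return 'rejected';
    }
    switch ((int) $i) {
        case 0:
        case 1:
        case 2:
            return 'i is less than 3 but not negative';
        case 3:
            return 'i is 3';
        default:
            return 'other';
    }
}

$array = [0, 1, 2, '3'];               // the array from the text
var_dump(is_allowed('abc', $array));   // strict: not a member
var_dump(is_allowed('3', $array));     // same type and value: a member
var_dump(position_of(0, $array));      // found at key 0, not reported missing
var_dump(describe('2abc'));            // no longer treated as 2
var_dump(describe('2'));               // a clean value takes the case 2 branch
```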
Summary
That sums up some of the security issues caused by PHP's weak typing. I hope this article helps with your study or work; if you have questions, leave a message and we can discuss them.