Having walked through the process above, we understand the principles and techniques of PHP injection, and we can also work out the appropriate defenses:
The first step is server hardening, mainly of php + mysql and of the linux host. To prevent php + mysql injection, set magic_quotes_gpc to On and display_errors to Off. If the id is of integer type, convert it with the intval() function, for example:
$id = intval($id);
mysql_query("SELECT * FROM example WHERE articleid = '$id'");
or, in one step:
mysql_query("SELECT * FROM article WHERE articleid = " . intval($id));
If it is of string type, filter it with addslashes() and then escape "%" and "_", for example:
$search = addslashes($search);
$search = str_replace("_", "\_", $search);
$search = str_replace("%", "\%", $search);
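The two input rules above as small helpers, exercised on constructed inputs with no database; this is an added example, not code from the original article, and the helper names and the article/articleid/title schema are assumptions:

```php
<?php
// Added example, not code from the original article: the article's integer and
// string rules as small helpers, exercised on constructed inputs with no database.
// The table and column names (article, articleid, title) are illustrative.

// Integer ids: intval() keeps only a leading integer, so nothing but digits
// (or 0, for non-numeric input) ever reaches the SQL statement.
function articleByIdSql($id) {
    return "SELECT * FROM article WHERE articleid = " . intval($id);
}

// String search terms: addslashes() first, then neutralise the LIKE wildcards.
// The order matters: replacing first and escaping afterwards would double the
// backslash, leaving a literal backslash followed by a still-active wildcard.
function escapeForLike($search) {
    $search = addslashes($search);
    $search = str_replace('_', '\_', $search);
    $search = str_replace('%', '\%', $search);
    return $search;
}

function articleSearchSql($search) {
    return "SELECT * FROM article WHERE title LIKE '%" . escapeForLike($search) . "%'";
}

// Constructed inputs: a non-numeric id, an empty id, then terms containing a
// quote, a percent sign and an underscore.
foreach (array("42abc", "") as $id) {
    echo articleByIdSql($id), "\n";
}
foreach (array("O'Reilly", "100%", "a_b") as $term) {
    echo articleSearchSql($term), "\n";
}
```

addslashes() is not aware of the connection character set; on a live mysqli connection, mysqli_real_escape_string() is the like-for-like replacement, applied in the same position before the wildcard substitution.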
Of course, you can also add a general-purpose php anti-injection snippet:
<?php
// Characters and keywords to be filtered
$ArrFiltrate = array("'", ";", "union");
// URL to redirect to after an error; if left empty, the browser returns to the previous page
$StrGoUrl = "";
// Does any value in the array occur in the string? (case-insensitive; the original used eregi(), which was removed in PHP 7)
function FunStringExist($StrFiltrate, $ArrFiltrate) {
    foreach ($ArrFiltrate as $key => $value) {
        if (stripos($StrFiltrate, $value) !== false) {
            return true;
        }
    }
    return false;
}
// Merge $_POST and $_GET (the original used the pre-PHP 4.1 names $HTTP_POST_VARS and $HTTP_GET_VARS)
if (function_exists('array_merge')) {
    $ArrPostAndGet = array_merge($_POST, $_GET);
} else {
    $ArrPostAndGet = array();
    foreach ($_POST as $key => $value) {
        $ArrPostAndGet[] = $value;
    }
    foreach ($_GET as $key => $value) {
        $ArrPostAndGet[] = $value;
    }
}
// Verification starts; array-valued fields are skipped rather than passed to the string check
foreach ($ArrPostAndGet as $key => $value) {
    if (is_string($value) && FunStringExist($value, $ArrFiltrate)) {
        echo "<script>alert(\"Neeao prompt: invalid character\");";
        if (empty($StrGoUrl)) {
            echo "history.go(-1);";
        } else {
            echo "window.location=\"" . $StrGoUrl . "\";";
        }
        echo "</script>";
        exit;
    }
}
?>
In addition, storing the administrator username and password as md5 hashes effectively prevents php injection.
Hardening the server and mysql also improves security.
For linux server security settings:
Use the /usr/sbin/authconfig tool to enable the password shadow function and password encryption.