Questions about website security (XSS, SQL, etc.)

Source: Internet
Author: User
Does a website need to consider security issues when it is developed?

Isn't server security just a matter of handling uploads properly and filtering dangerous strings in forms? XSS, SQL?




Reply to discussion (solution)

XSS, SQL injection, cross-domain attacks, special-character handling.

It's that simple.

2. Input validation and output display
2.1 Command injection
2.2 Cross-site scripting
2.3 File inclusion
2.4 Code injection
2.5 SQL injection
2.6 XPath injection
2.7 HTTP response splitting
2.8 File management
2.9 File upload
2.10 Variable overwriting
2.11 Dynamic functions
3. Session security
3.1 HttpOnly setting
3.2 Domain setting
3.3 Path setting
3.4 Cookie duration
3.5 Secure setting
3.6 Session fixation
3.7 CSRF
4. Encryption
4.1 Storing passwords in plaintext
4.2 Weak password encryption
4.3 Passwords stored in files that attackers can access
5. Authentication and authorization
5.1 User authentication
5.2 Unauthenticated calls to functions or files
5.3 Hard-coded passwords
6. Random functions
6.1 rand()
6.2 mt_srand() and mt_rand()
7. Special characters and multibyte encoding
7.1 Multibyte encoding
8. Dangerous PHP functions
8.1 Buffer overflow
8.2 session_destroy() file deletion vulnerability
8.3 unset() / zend_hash_del_key_or_index vulnerability
9. Information disclosure
9.1 phpinfo
10. PHP environment
10.1 open_basedir setting
10.2 allow_url_fopen setting
10.3 allow_url_include setting
10.4 safe_mode_exec_dir setting
10.5 magic_quotes_gpc setting
10.6 register_globals setting
10.7 safe_mode setting
10.8 session.use_trans_sid setting
10.9 display_errors setting
10.10 expose_php setting

Command injection
The following PHP functions execute system commands: system, exec, passthru, the backtick operator (`...`), shell_exec, popen, proc_open, pcntl_exec.
Search all program files for these functions, determine whether the function's parameters can change because of externally submitted data, and check whether that data is handled safely.
Precautionary approach:
Use a custom function or library to replace the functionality of the external command
Use the escapeshellarg() function to process command parameters
Use safe_mode_exec_dir to restrict the path of executable files

Cross-site scripting
Reflected cross-site scripting usually occurs when a variable submitted by the user is accepted, processed, and output directly to the client; stored cross-site scripting usually occurs when a user-submitted variable is processed, stored in a database, and later read from the database and output to the client. The output functions commonly involved are: echo, print, printf, vprintf, <%= $test %>
For reflected XSS, because the output is displayed to the client immediately, check in the current PHP page whether the variable being displayed was submitted by the client and whether it went through a security check along the way.
For stored XSS, check whether the variable is validated on input when it is stored, and whether it is checked again on output when it is displayed.
Precautionary approach:
If the input should contain only letters and digits, block any special characters
Match the input strictly, e.g. a message format, or a user name that may contain only English or Chinese characters, underscores and hyphens
HTML-encode the output; encoding specification:
< -> &lt;
> -> &gt;
( -> &#40;
) -> &#41;
# -> &#35;
& -> &amp;
" -> &quot;
' -> &#39;
` -> %60

File inclusion
PHP functions where file inclusion may occur: include, include_once, require, require_once, show_source, highlight_file, readfile, file_get_contents, fopen, file
Precautionary approach:
Match the input data exactly. For example, if the language file (en.php or cn.php) is chosen by the value of a variable and both files live in the same directory, as in 'language/' . $_POST['lang'] . '.php', the strictest check is to verify that the submitted value is exactly en or cn; checking that it contains only letters is also acceptable
Filter characters such as / and .. out of the parameter

Code injection
PHP functions where code injection may occur: eval, preg_replace with the /e modifier, assert, call_user_func, call_user_func_array, create_function
Find where these functions are used in the program and check whether the variables passed to them are user-controllable and whether they receive input validation
Precautionary approach:
Match the input data exactly
Whitelist the functions that may be executed

SQL injection
Because SQL injection has to manipulate the database, the usual approach is to search for SQL statement keywords (insert, delete, update, select) and check whether the variables passed into the statement are user-controllable and whether they have been handled safely.
Precautionary approach:
Use parameterized queries

See here for more details: http://www.sectop.com/?p=111
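An added example, not part of the thread or the linked article, showing the three input/output checks the reply above describes: strict whitelist matching of a file-inclusion parameter, HTML-encoding of reflected output, and escapeshellarg() for a command argument. The function names, the `language/` file map and the sample inputs are this example's own constructions.

```php
<?php
// Added example (not from the thread): whitelist matching, output encoding
// and escapeshellarg() as recommended in the reply above.  All names and
// sample values below are constructed for this example.

declare(strict_types=1);

// 2.3 File inclusion: map the submitted value onto a fixed set of files
// instead of building a path from it.  Anything not in the map is rejected,
// so "../" sequences or absolute paths never reach include().
function resolveLanguageFile(string $lang): ?string
{
    $allowed = ['en' => 'language/en.php', 'cn' => 'language/cn.php'];
    return $allowed[$lang] ?? null;
}

// 2.2 Reflected XSS: encode at the point of output.  ENT_QUOTES also encodes
// single quotes, so the value is safe inside a single-quoted attribute too.
function renderSearchTerm(string $term): string
{
    $safe = htmlspecialchars($term, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>Results for: <b>{$safe}</b></p>";
}

// Stricter form of 2.2: where the field has a known shape, reject instead of
// encode.  Username = English letters, digits, Chinese characters,
// underscore, hyphen, 1 to 32 characters.
function isValidUsername(string $name): bool
{
    return (bool) preg_match('/^[\p{Han}A-Za-z0-9_-]{1,32}$/u', $name);
}

// 2.1 Command injection: whitelist first (a hostname has a small alphabet),
// then pass the argument through escapeshellarg() so shell metacharacters
// are quoted rather than interpreted.  Only the command string is built
// here; nothing is executed.
function buildPingCommand(string $host): string
{
    if (!preg_match('/^[A-Za-z0-9.-]{1,253}$/', $host)) {
        throw new InvalidArgumentException('invalid hostname');
    }
    return 'ping -c 1 ' . escapeshellarg($host);
}

// Constructed inputs: one benign and one hostile per check.
var_dump(resolveLanguageFile('en'));              // string "language/en.php"
var_dump(resolveLanguageFile('../etc/passwd'));   // NULL
echo renderSearchTerm('<script>alert(1)</script>'), PHP_EOL;
// <p>Results for: <b>&lt;script&gt;alert(1)&lt;/script&gt;</b></p>
var_dump(isValidUsername('zhang_san-01'));        // bool(true)
var_dump(isValidUsername('bob<img src=x>'));      // bool(false)
echo buildPingCommand('example.com'), PHP_EOL;    // ping -c 1 'example.com'
try {
    buildPingCommand('example.com; id');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The pattern in each function is the same one the checklist describes: decide what the input is allowed to be, reject or map everything else, and encode whatever is echoed back. The whitelist in `buildPingCommand()` does most of the work; `escapeshellarg()` is a second layer for the case where the hostname check is later relaxed.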

The answer above is really impressive.
Personally, I feel that string filtering for uploads and forms, plus MySQL escaping (or the PDO interface), can reach a reasonable level of security.
The hard part is defending the server itself: the operating system (keep patching), Apache (potential vulnerabilities), PHP (upgrade to the latest version), server ports (close certain port numbers), FTP (permissions and password security), SSH (port number, password) ...
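An added example, not part of the thread, for the "MySQL escaping (or the PDO interface)" point in this reply and the parameterized-query recommendation in the longer reply above. It uses PDO prepared statements against an in-memory SQLite database so it runs offline; the table, rows, function names and the hostile input are all constructed for this example.

```php
<?php
// Added example (not from the thread): string-concatenated SQL beside a PDO
// prepared statement.  Uses SQLite in memory so it runs without a server;
// the same PDO calls work unchanged against MySQL.

declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data.
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$db->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// 2.5, the vulnerable pattern: the submitted value is pasted into the SQL
// text, so a quote inside it changes the structure of the statement.
function findUserConcatenated(PDO $db, string $name): array
{
    $sql = "SELECT name, role FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// The recommended fix: a parameterized query.  The value is bound separately
// from the SQL text, so it is only ever compared as data, never parsed.
function findUserPrepared(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$hostile = "x' OR '1'='1";   // constructed injection-style input

echo count(findUserConcatenated($db, 'alice')), " row(s) for alice (concatenated)\n";    // 1
echo count(findUserConcatenated($db, $hostile)), " row(s) for hostile (concatenated)\n"; // 2, every row
echo count(findUserPrepared($db, 'alice')), " row(s) for alice (prepared)\n";            // 1
echo count(findUserPrepared($db, $hostile)), " row(s) for hostile (prepared)\n";         // 0
```

The concatenated form returns every row for the hostile input because the WHERE clause becomes `name = 'x' OR '1'='1'`; the prepared form returns none because it looks for a user literally named `x' OR '1'='1`. Escaping functions such as the one this reply mentions reduce the same risk, but the prepared statement removes it by construction, which is why the longer reply lists parameterized queries as the precaution.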
