Security Specification for PHP injection

Security precautions for PHP injection through the above process, we can understand the principles and techniques of PHP injection, of course, we can also work out the corresponding prevention methods:

The first is the security settings for the server, the security settings of the previous Windows Server we've talked about, no more repeating, this is mainly Php+mysql security settings and Linux Host Security settings. To prevent Php+mysql injection, first set the MAGIC_QUOTES_GPC to On,display_errors set to off, and if the ID type, we use the intval () function to convert it to an integer type, such as code:

$id =intval ($id);
mysql_query= "Select *from example where articieid= ' $id '", or write: mysql_query ("select * from article where articleid=.") Intval ($id). "")

If it is a character type, use Addslashes () to filter, and then filter "%" and "_" such as:

$search =addslashes ($search);
$search =str_replace ("_", "\_", $search);
$search =str_replace ("%", "\%", $search);
Of course, you can add PHP generic anti-injection code:
/*************************

PHP Universal Anti-injection security code

Description

Determines whether the passed variable contains illegal characters

such as $_post, $_get

Function:

Anti-injection

**************************/
Illegal characters to filter
$ArrFiltrate =array ("'", ";", "union");
The URL to jump after an error is not filled in the default previous page
$STRGOURL = "";
Whether the value in the array exists
function Funstringexist ($StrFiltrate, $ArrFiltrate) {
foreach ($ArrFiltrate as $key => $value) {
if (eregi ($value, $StrFiltrate)) {
return true;
}
}
return false;
}
Merging $_post and $_get
if (function_exists (Array_merge)) {
$ArrPostAndGet =array_merge ($HTTP _post_vars, $HTTP _get_vars);
}else{
foreach ($HTTP _post_vars as $key => $value) {
$ArrPostAndGet []= $value;
}
foreach ($HTTP _get_vars as $key => $value) {
$ArrPostAndGet []= $value;
}
}
Verify Start
foreach ($ArrPostAndGet as $key => $value) {
if (Funstringexist ($value, $ArrFiltrate)) {
echo "Alert (/" NEEAO hint, illegal character/");
if (empty ($STRGOURL)) {
echo "History.go (-1);";
}else{
echo "window.location=/" ". $StrGoUrl." /";";
}
Exit
}
}
?>
/*************************
Save As Checkpostandget.php
Then add include ("checkpostandget.php") in front of each PHP file;
**************************/

In addition, the Administrator username and password are taken MD5 encryption, which can effectively prevent the injection of PHP.

There are also servers and MySQL to strengthen some security precautions.

For the security settings for Linux servers:

Encrypt the password, use the "/usr/sbin/authconfig" tool to open the shadow function of the password, and encrypt the password.
Disable access to important files, enter the Linux command interface, and enter at the prompt:
#chmod 600/etc/inetd.conf//Change file property to 600
#chattr +i/etc/inetd.conf//Guarantee file owner is root
#chattr –i/etc/inetd.conf//Restrictions on the change of the document
Prohibit any user from changing to root by using the SU command
Add the following two lines to the beginning of the SU configuration file, which is the/etc/pam.d/directory:
Auth sufficient/lib/security/pam_rootok.so Debug
Auth required/lib/security/pam_whell.so Group=wheel
Delete all special accounts
Delete Users #userdel LP, and so on
Delete a group #groupdel LP, and so on
Prohibit Suid/sgid programs that are not used
#find/-type f \ (-perm-04000-o–perm-02000 \) \-execls–lg {} \;