Simple PHP code auditing (taking DVWA as an example)

Source: Internet
Author: User

The security of a website involves many aspects, and code security is an important one. Code auditing is one way to improve code security, so let's look at code auditing, this time using DVWA.
DVWA (Damn Vulnerable Web Application) is a set of deliberately vulnerable web applications written in PHP + MySQL, intended for teaching and for practising the detection of common web vulnerabilities. It includes SQL injection, XSS, blind injection and other common security flaws.
The following is a simple code-auditing example based on the three security levels of the SQL injection code in DVWA.
First, compare the PHP code at the low, medium and high levels:
Low: (source code screenshot)

Medium: (source code screenshot)

High: (source code screenshot)

The red boxes in the screenshots mark the differences between the three versions of the code: medium has one more statement than low, and high has one more statement than medium.
DVWA's SQL injection page has a single input box. Entering 1 at all three levels gives the same result, and the browser address bar becomes:
http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#
The result shown below the input box: (screenshot)

· When you enter 1' at the low level, the browser address bar becomes:

http://localhost/dvwa/vulnerabilities/sqli/?id=1'&Submit=Submit#
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''' at line 1
· When you enter 1' at the medium level, the address bar is the same as at the low level, and an error is shown:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\ ''at line 1
· When you enter 1' at the high level, the address bar remains unchanged, and neither an error nor a normal query result is displayed.

Normally, when the user enters 1 in the input box, the user with id = 1 is looked up in the database with the query
SELECT first_name, last_name FROM users WHERE user_id = '$id'
and the information for the user with id = 1 is returned.
However, at the low and medium levels an error occurs as soon as a single quotation mark is appended to the 1 (see the screenshots above):
· At the low level the input is not processed at all; user input is placed directly into the query statement.

· The medium level adds the mysql_real_escape_string() function, which escapes the special characters in a string before it is used in a SQL statement; this is why a backslash appears before the single quotation mark in the error message.

· The high level adds another function, stripslashes(), before the escape function. It removes the backslashes added by the addslashes() function. Because at the high level PHP's magic_quotes_gpc is on, addslashes() is automatically run on all GET, POST and COOKIE data, so stripslashes() is applied first.

The behaviour at the three levels of SQL injection is now clear, so let's go deeper.
Low: http://localhost/dvwa/vulnerabilities/sqli/?id=1 order by 2 --+&Submit=Submit#

http://localhost/dvwa/vulnerabilities/sqli/?id=1' order by 2 --+&Submit=Submit#

http://localhost/dvwa/vulnerabilities/sqli/?id=1' union select 1,2 --+&Submit=Submit#

http://localhost/dvwa/vulnerabilities/sqli/?id=1' union select 1,concat_ws(char(32,58,32),user(),database(),version()) --+&Submit=Submit#

In this way the current user, database name and version are dumped. concat_ws is a MySQL function.
At the medium level, special characters are automatically escaped with a backslash, which breaks the query statement and produces an error on the page. At the high level, only a correct id displays its information normally; anything else displays nothing.
In addition, the high level has two further differences: it checks whether the input is a number, and it encloses the value in single quotes so that invalid characters have no effect.
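To make the three filters concrete, here is an added Python model (not DVWA's code, which is PHP) of how the low, medium and high levels handle the id parameter, covering the stripslashes()/mysql_real_escape_string() chain described above and the numeric check just mentioned, followed by a parameterized query as the hardened form. The PHP function models, the is_numeric() approximation, the SQLite stand-in for MySQL and the sample users rows are all assumptions made for this illustration.

```python
import re
import sqlite3

QUERY = "SELECT first_name, last_name FROM users WHERE user_id = '{}'"

def mysql_real_escape_string(s):
    """Model of PHP mysql_real_escape_string(): backslash NUL, \\n, \\r, \\, ', \" and Ctrl-Z."""
    table = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
             "'": "\\'", '"': '\\"', "\x1a": "\\Z"}
    return "".join(table.get(c, c) for c in s)

def addslashes(s):
    """Model of PHP addslashes(), which magic_quotes_gpc applied to every GET/POST/COOKIE value."""
    return "".join("\\" + c if c in "'\"\\\0" else c for c in s)

def stripslashes(s):
    """Model of PHP stripslashes(): undo addslashes(); \\0 becomes NUL, a trailing lone \\ is dropped."""
    return re.sub(r"\\(.?)", lambda m: "\0" if m.group(1) == "0" else m.group(1), s, flags=re.DOTALL)

def is_numeric(s):
    """Approximation of PHP is_numeric(): optional sign, digits, fraction, exponent."""
    return re.fullmatch(r"\s*[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?", s) is not None

def build_query(level, raw_id, magic_quotes_gpc=True):
    """SQL the given DVWA level would run for GET['id'], or None when high rejects the value."""
    if level == "low":                       # low: raw input straight into the statement
        return QUERY.format(raw_id)
    gpc = addslashes(raw_id) if magic_quotes_gpc else raw_id    # what PHP hands the script
    if level == "medium":                    # medium: escapes a second time, so 1' ends up as 1\\\'
        return QUERY.format(mysql_real_escape_string(gpc))
    cleaned = mysql_real_escape_string(stripslashes(gpc))       # high: undo magic quotes, escape,
    return QUERY.format(cleaned) if is_numeric(cleaned) else None   # and accept only numbers

def demo_db():
    """Constructed stand-in for DVWA's users table (SQLite here, MySQL in DVWA)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [(1, "admin", "admin"), (2, "Gordon", "Brown")])
    return conn

def run_query(conn, sql):
    """Execute a built statement; return the rows, or the database error the low/medium pages show."""
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError as e:
        return f"Error: {e}"

def lookup_user(conn, raw_id):
    """Hardened form (not DVWA code): a parameterized query never splices the id into the SQL text."""
    return conn.execute("SELECT first_name, last_name FROM users WHERE user_id = ?", (raw_id,)).fetchall()
```

With magic_quotes_gpc on, the medium level escapes an already-escaped value, which is why its error message still shows a backslash before the quote, while the high level rejects anything that is not numeric and the parameterized query returns no row at all for 1' instead of an error.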
The PHP code at the high level has reached a fairly high degree of security, but it cannot be called the most secure, because vulnerabilities may still remain. Code auditing means checking the source code for defects and error information, analysing them to find the security vulnerabilities they cause, and providing revision measures and suggestions, so that problems can be found and eliminated during both the development and the operations phases of a system.