Reference article: https://www.mudoom.com/php%E5%AE%89%E5%85%A8%E7%BC%96%E7%A0%81/
SQL injection
SQL injection happens because the program does not filter what the user enters: in the SQL that gets executed, data and statement are mixed together. For example:
Universal password and Universal user name
Normal query: SELECT * FROM table_name WHERE username = 'admin' AND password = 'admin'
Universal password: the input form is used to build the SQL, giving SELECT * FROM table_name WHERE username = 'admin' AND password = 'admin' OR 1 = 1. Prevention is very simple: compare the password only after hashing it with MD5.
Universal user name: SELECT * FROM table_name WHERE username = 'admin' OR 1 = 1 AND password = 'admin'. Never trust any data entered by the user. Escape it with addslashes(), which escapes single quotes, double quotes, NUL and the backslash (\).
The correct way to prevent database attacks: turn off all error prompts!!!
1. When you cannot use mysqli or PDO, you can temporarily fall back on addslashes() escaping, provided the database is UTF-8 encoded and the parameter is in the
2. Use mysqli or PDO prepared statements to handle SQL. The principle is that the command and the parameters are sent to MySQL separately, in two steps, so MySQL can tell parameters and commands apart.
    <?php
    $dsn = 'mysql:host=localhost;dbname=test;charset=utf8'; // placeholder DSN; the original omits it
    $username = 'root';
    $password = '1234abcd';
    $driver_options = array(
        PDO::MYSQL_ATTR_INIT_COMMAND => 'SET NAMES UTF8',
    );
    $pdo = new PDO($dsn, $username, $password, $driver_options);

    // 1. Compile the statement structure once
    $sql = "INSERT INTO team VALUES (NULL, :team_name)";
    $stmt = $pdo->prepare($sql);

    $data_list = array(
        array('name' => 'Guoan'),
        array('name' => 'Green'),
        array('name' => 'Evergrande'),
        array('name' => 'Jianye'),
        array('name' => 'Luneng'),
        array('name' => 'Shenhua'),
    );
    foreach ($data_list as $row) {
        // 2. Bind the data to the compiled statement
        $stmt->bindValue(':team_name', $row['name']);
        // 3. Execute
        $result = $stmt->execute();
        var_dump($result);
    }
3. Write a prepare() function yourself (not recommended)
    // Method body taken from WordPress wpdb::prepare(); $this->escape_by_ref() is that class's escaping helper
    function prepare( $query, $args ) {
        if ( is_null( $query ) )
            return;

        // This isn't meant to be foolproof -- but it'll catch obviously incorrect usage.
        if ( strpos( $query, '%' ) === false ) {
            _doing_it_wrong( 'wpdb::prepare', sprintf( __( 'The query argument of %s must have a placeholder.' ), 'wpdb::prepare()' ), '3.9' );
        }

        $args = func_get_args();
        array_shift( $args );
        // If args were passed as an array (as in vsprintf), move them up
        if ( isset( $args[0] ) && is_array( $args[0] ) )
            $args = $args[0];

        $query = str_replace( "'%s'", '%s', $query ); // in case someone mistakenly already singlequoted it
        $query = str_replace( '"%s"', '%s', $query ); // doublequote unquoting
        $query = preg_replace( '|(?<!%)%f|', '%F', $query ); // force floats to be locale unaware
        $query = preg_replace( '|(?<!%)%s|', "'%s'", $query ); // quote the strings, avoiding escaped strings like %%s
        array_walk( $args, array( $this, 'escape_by_ref' ) ); // escape every argument in place
        return @vsprintf( $query, $args );
    }
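The universal-password and universal-user-name inputs from the start of this section, handled by a vulnerable login and by a prepared-statement login side by side. This is an added example, not code from the referenced article; the users table, its password_hash column, the DSN and the credentials are assumptions, and password_hash()/password_verify() is used here in place of the article's MD5 comparison.

```php
<?php
// Added example (not from the original article). Assumed: a `users` table with
// columns username and password_hash, and a placeholder DSN/credentials.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', array(
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepare: values never enter the SQL text
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
));

// Vulnerable form, kept only for contrast: user input is spliced into the SQL
// text, so a value like `' or 1=1` changes the statement instead of the data.
function login_vulnerable(PDO $pdo, $username, $password) {
    $sql = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
    return $pdo->query($sql)->fetch() !== false;
}

// Hardened form: the statement is compiled first and the username is sent as a
// bound parameter, so `' or 1=1` is looked up literally as a username. The
// password is never part of the SQL at all; it is checked against a stored hash.
function login_safe(PDO $pdo, $username, $password) {
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :username');
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;   // unknown user
    }
    return password_verify($password, $row['password_hash']);
}

// Per the article: errors go to the log, never to the response.
ini_set('display_errors', '0');
try {
    $ok = login_safe($pdo, $_POST['username'], $_POST['password']);
    echo $ok ? 'welcome' : 'login failed';
} catch (PDOException $e) {
    error_log($e->getMessage());
    echo 'login failed';
}
```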
XSS attack
Reflected XSS and stored XSS
Main purposes:
- Stealing cookies to obtain sensitive information
- Impersonating someone else, e.g. adding friends, shopping, sending messages ...
- XSS on heavily visited pages can be turned against small websites to achieve a DDoS effect
- ...
Defense
Firmly refuse to trust any user input.
- Filter with htmlspecialchars() at output time
- Output of link type (images, hyperlinks, and so on) can also be filtered safely with htmlspecialchars(), but if the variable is the entire URL you should check whether it starts with http or https, and if not, auto-complete it, to avoid XSS through pseudo-protocols. (Example: <a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTs8L3NjcmlwdD4=">xss</a>)
- For rich text editors, use a whitelist and safely filter tags that can carry XSS
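The two output-side defenses above, as an added example rather than code from the referenced article: htmlspecialchars() for text and attribute values, and a scheme check for a variable that is the whole URL. The helper names h() and safe_href() and the sample inputs are constructed for this example.

```php
<?php
// Added example (not from the original article): escape at output time, and
// apply the http/https check to values that are used as a complete URL.

// Escape any value placed into HTML text or an attribute. ENT_QUOTES also
// covers single quotes, which matters inside attributes written as title='...'.
function h($value) {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// When the variable is the whole URL, escaping alone is not enough: a
// javascript: or data: URL contains no character htmlspecialchars() changes.
// Only http and https are accepted as schemes; anything else gets "http://"
// prepended, as the article suggests, so the pseudo-protocol is never dispatched.
function safe_href($url) {
    $url = trim($url);
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if ($scheme !== 'http' && $scheme !== 'https') {
        $url = 'http://' . $url;
    }
    return h($url);
}

// Constructed inputs: a normal link, the article's data: URL, a script fragment.
$samples = array(
    'https://example.com/profile?id=1',
    'data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTs8L3NjcmlwdD4=',
    '<script>alert(1)</script>',
);
foreach ($samples as $s) {
    // Both the href value and the visible text are escaped before output.
    echo '<a href="' . safe_href($s) . '">' . h($s) . "</a>\n";
}
```

The second and third samples come out as href="http://data:text/html;..." and href="http://&lt;script&gt;..." respectively, which a browser treats as ordinary (broken) http links rather than as executable content.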
CSRF
https://www.ibm.com/developerworks/cn/web/1102_niugang_csrf/
An attacker forges a request. For example:
a.com contains a tag that references http://b.com?action=del&id=1. When the user visits a.com, the browser issues that request to b.com with the current user's identity (cookie), so a delete operation is carried out on b.com in the user's name.
Defense:
1. Use a random token to validate sensitive operations. The token must be sufficiently random and must be deleted immediately after verification; prefer POST submission to reduce the chance of leakage. Principle: the server stores a token in the session, and the form the user submits also carries the token; because the token is not in the cookie, the attacker cannot forge it and the attack fails. A common practice is to traverse the whole DOM tree when the page loads and append the token to a and form tags.
2. Verify the HTTP Referer header, which records the source address of the request. This is not foolproof, because it relies on third-party browsers.
3. Add custom attributes in the HTTP header and verify them
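Defense 1 above worked through as an added example (not code from the referenced article): the token lives in the server-side session, never in a cookie, is compared in constant time, and is discarded as soon as it has been checked. The function names, the csrf_token field name and the delete-action handling are constructed for this example.

```php
<?php
// Added example (not from the original article): per-session CSRF token that is
// random, checked with a constant-time compare and removed after one use.
session_start();

// Issue a token and keep it server-side. A cross-site request carries the
// victim's cookies automatically, but not anything stored only in the session.
function csrf_token() {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field for a POST form (the article recommends POST over GET here).
function csrf_field() {
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '">';
}

// Validate on the sensitive request. The stored token is deleted whether or not
// it matched, so a leaked value cannot be replayed and the next form gets a new one.
function csrf_check(array $post) {
    $expected = isset($_SESSION['csrf_token']) ? $_SESSION['csrf_token'] : '';
    $given = isset($post['csrf_token']) ? (string) $post['csrf_token'] : '';
    unset($_SESSION['csrf_token']);
    return $expected !== '' && hash_equals($expected, $given);
}

// The delete action from the text is only honoured on POST with a valid token.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['action']) && $_POST['action'] === 'del') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('invalid CSRF token');
    }
    // ... perform the delete for the authenticated user here ...
}

// Page output: the form carries the token; a forged request from another site cannot.
echo '<form method="post">' . csrf_field()
   . '<input type="hidden" name="action" value="del"><button>Delete</button></form>';
```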
File upload vulnerability
Whitelist uploads, checking the file type by both MIME type and suffix
Save uploaded files under random filenames, to avoid filename truncation caused by a null-byte terminator
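Both upload rules above in one handler, as an added example rather than code from the referenced article: the suffix is checked against a whitelist, the MIME type is read from the file bytes rather than from the client's claim, and the stored name is random. The image-only whitelist, the upload directory and the avatar field name are assumptions.

```php
<?php
// Added example (not from the original article): whitelist on suffix + real MIME
// type, and a random stored filename. Whitelist and paths are assumptions.
$allowed = array(
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'gif' => 'image/gif',
);
$upload_dir = '/var/www/uploads';   // assumed: a directory where PHP execution is disabled

function store_upload(array $file, array $allowed, $upload_dir) {
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return false;
    }
    // 1. Suffix check against the whitelist. The client-supplied name is used
    //    only for this decision and never for the stored path, so a null byte
    //    or other truncation trick in that name has nothing to act on.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return false;
    }
    // 2. MIME check from the file contents, not from $file['type'] (client-controlled).
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== $allowed[$ext]) {
        return false;
    }
    // 3. Random name carrying only the whitelisted suffix.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $upload_dir . '/' . $name)) {
        return false;
    }
    return $name;
}

if (isset($_FILES['avatar'])) {
    $stored = store_upload($_FILES['avatar'], $allowed, $upload_dir);
    echo $stored === false ? 'upload rejected' : 'saved as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
}
```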