System to explain the PHP development of security knowledge

PHP code security and XSS, SQL injection and other sites for the safety of all kinds of very useful, especially UGC (User Generated Content) sites, forums and e-commerce sites, often XSS and SQL injection hardest hit. Here is a brief introduction to some of the basic programming points, relative to system security, PHP security requires more of the programmer to enter the user parameters can be more careful.

php compilation process of security

Recommended to install Suhosin patch, will install security patches

php.ini security settings

register_global = off

magic_quotes_gpc = off

display_error = off

log_error = on

# allow_url_fopen = off

expose_php = off

open_basedir =

safe_mode = on

disable_function = exec system passthru shell_exec escapeshellarg escapeshellcmd proc_close proc_open dl popen show_source get_cfg_var

safe_mode_include_dir =

DB SQL preprocessing

mysql_real_escape_string (Many PHP still rely on addslashes to prevent SQL injection, but this way of encoding Chinese is still a problem .addslashes the problem is that hackers can use 0xbf27 instead of single quotes GBK encoding 0xbf27 not a legal character, addslashes just 0xbf5c27 becomes a valid multibyte character, of which 0xbf5c will still be treated as single quotes, as detailed in this article). Mysql_real_escape_string function also need to specify the correct character set, otherwise there may still be problems.

prepare + execute (PDO)

ZendFramework DB class quote or quoteInto, these two methods are based on a variety of database implementations do not have methods, not like mysql_real_escape_string can only be used for mysql

User input processing

You can use the following methods without having to keep HTML tags

strip_tags, delete all the html tags in the string

htmlspecialchars, only "<", ">", ";", "" characters are escaped

htmlentities, escapes all html

You must consider the following tools if you must keep the HTML tags:

HTML Purifier: HTML Purifier is a standards-compliant HTML filter library written in PHP.

PHP HTML Sanitizer: Remove unsafe tags and attributes from HTML code

htmLawed: PHP code to purify & filter HTML

upload files

Use the is_uploaded_file and move_uploaded_file functions, using the HTTP_POST_FILES [] array. And by removing the upload directory PHP interpreter function to prevent users from uploading php script.

ZF framework can consider using the File_upload module

Session, Cookie and Form safe handling

Do not rely on cookies for core validation. Important information needs to be encrypted. Form Post previously hashes the transmitted data. For example, the form element you send out is as follows:

After the POST came back to verify the parameters

$ str = "";

foreach ($ _ POST ['H'] as $ key => $ value) {

$ str. = $ key. $ value;

}

if ($ _ POST ['hash']! = md5 ($ str. $ secret)) {

echo "Hidden form data modified"; exit;

}

PHP Security Detection Tool (XSS and SQL Insertion)

Wapiti - Web application security auditor (SQL injection / XSS attack checking tool)

Installation / Usage:

apt-get install libtidy-0.99-0 python-ctypes python-utidylib

python wapiti.py http: // Your Website URL / -m GET_XSS

Pixy: XSS and SQLI Scanner for PHP (Pixy - PHP source defect analysis tools)

Installation: apt-get install default-jdk