Three security issues that webmaster can easily ignore when modifying code

Intermediary transaction http://www.aliyun.com/zixun/aggregation/6858.html ">seo diagnose Taobao guest cloud host technology Hall

As a webmaster, especially the new station webmaster, sometimes in order to modify the function of the site, add the characteristics of the site, you have to write some code. In the process, if there is a mistake, it may bring a catastrophic security crisis to the website. Even if the site was originally developed by a professional development team on the line, there is better security, but in the role of the bucket principle, you add a few lines of error code, can completely lead to the entire site security mechanism collapsed.

Now will eesafe web site Security Alliance to list some of the use of PHP architecture of the site often appear code-level security issues, I hope that the webmaster changes to the code work has some help. We have any doubt, can go to Eesafe Network Security Center Exchange, Eesafe look forward to and everyone common progress

1. The most common security issues with PHP code writing now

PHP global variable Hazard code:

Obviously, this is to determine whether the landing is the administrator, many sites also use this logic to judge other important conditions.

It looks like this code is correct, but there is a fatal error, it assumes that $isadmin is null when not assigned, but because the PHP language in order to make PHP code access to user input as easy as possible, PHP input data as a global variable to deal with. So an attacker can create arbitrary global variables and assign values.

How to avoid the problem that is easiest to be slightly, if your site is using PHP program development, if you have done so, and the Web application variables are many, the most efficient way is to modify the PHP track_vars option.

2. Website Dual condition authentication Security problem

Determine the username and password, first determine whether it is empty, and then look for data from the data database that matches the criteria.

Using such logic would directly result in SQL injection.

If you want to add or modify this feature, the program logic should be: First, find the data in the database that the user name conforms to (of course the user name must be unique in the database), and then see if the corresponding password in this data is the same as the password to be validated, thus avoiding the dual authentication problem.

3. Use user name to judge user rights

Many sites have such problems as

It doesn't seem logical, but why is there a security breach? Because many databases do not handle special characters, such as MySQL, if the character entered in the range of ASCII code 129~255, is not done, that is, if the registered user to use "admin+ Special characters ", he was also able to successfully register a user named admin, the security mechanism disappeared. Welcome to the exchange discussion.

Eesafe website Security Alliance original article

Reprint please indicate the original address in the form of link: http://www.eesafe.com/bbs/thread-1309-1-1.html