As a webmaster, especially the new station webmaster, sometimes in order to modify the function of the site, add the characteristics of the site, you have to write some code. In the process, if there is a mistake, it may bring a catastrophic security crisis to the website. Even if the site was originally developed by a professional development team on the line, there is better security, but in the role of the bucket principle, you add a few lines of error code, can completely lead to the entire site security mechanism collapsed.
Now will eesafe web site Security Alliance to list some of the use of PHP architecture of the site often appear code-level security issues, I hope that the webmaster changes to the code work has some help. We have any doubt, can go to Eesafe Network Security Center Exchange, Eesafe look forward to and everyone common progress
1. The most common security issues with PHP code writing now
PHP global variable Hazard code:
Obviously, this is to determine whether the landing is the administrator, many sites also use this logic to judge other important conditions.
It looks like this code is correct, but there is a fatal error, it assumes that $isadmin is null when not assigned, but because the PHP language in order to make PHP code access to user input as easy as possible, PHP input data as a global variable to deal with. So an attacker can create arbitrary global variables and assign values.
How to avoid the problem that is easiest to be slightly, if your site is using PHP program development, if you have done so, and the Web application variables are many, the most efficient way is to modify the PHP track_vars option.
2. Website Dual condition authentication Security problem
Determine the username and password, first determine whether it is empty, and then look for data from the data database that matches the criteria.
Using such logic would directly result in SQL injection.
If you want to add or modify this feature, the program logic should be: First, find the data in the database that the user name conforms to (of course the user name must be unique in the database), and then see if the corresponding password in this data is the same as the password to be validated, thus avoiding the dual authentication problem.
3. Use user name to judge user rights
Many sites have such problems as
It doesn't seem logical, but why is there a security breach? Because many databases do not handle special characters, such as MySQL, if the character entered in the range of ASCII code 129~255, is not done, that is, if the registered user to use "admin+ Special characters ", he was also able to successfully register a user named admin, the security mechanism disappeared. Welcome to the exchange discussion.
Eesafe website Security Alliance original article
Reprint please indicate the original address in the form of link: http://www.eesafe.com/bbs/thread-1309-1-1.html
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.