Key Points
allow_url_fopen and allow_url_include settings in the php.ini file. session_regenerate_id() function to periodically change the session ID and store the session ID in a place that only your script can access. Security is not just a series of operations, but also a way of thinking, a way of looking at problems, and a way of dealing with the world. It means “I don’t know what they’ll do, but I know they’ll try to screw up my system” and then proactively prevent the problem rather than falling into negative emotions. However, you cannot violate statistical rules. No one would read an article titled "Coding for Security". Everyone wants an article with numbers, such as: “8 most common PHP security attacks and how to avoid them”, “23 things don’t say to supermodels” and “15 reasons to avoid radiation poisoning.” Therefore, here are the "Top Ten PHP Security Vulnerabilities".
SQL injection
The top spot is SQL injection attack. In this case, someone enters SQL code snippets (classic examples are deleting database statements, although there are many other potentially destructive operations) as values into your URL or web form. Now don't worry about how he knows your table name; that's another question. You are fighting a sinister and resourceful enemy. So, what can you do to avoid this? First, you have to be skeptical of any input you receive from the user. I believe everyone is friendly? Look at your spouse’s family…they are weird, weird, and some are even dangerous. The way to prevent such problems is to use PDO preprocessing statements. I don't want to discuss PDO in detail now. Just say that the preprocessing statement separates the data from the instructions. Doing so prevents the data from being treated as anything other than the data. For more information, you can view the article "Migrating from MySQL Extension to PDO" written by Timothy Boronczyk.
Cross-site scripting attack (XSS)
Curn those black-hearted people who rely on this deception to survive. Parents, talk to the kids today so they don’t become evil XSS attackers! The essence of any XSS attack is to inject code (usually JavaScript code, but can be any client code) into the output of your PHP script. This kind of attack is possible when you display the input sent to you, for example, you might do this in a forum post. An attacker may post JavaScript code in his message that can cause unspeakable damage to your website. Please don't let me explain in detail; my heart hurts when I think of what these robbers can do. For more information and how to protect yourself, I recommend reading these excellent articles on PHPMaster:
Source code leak
This has to do with the ability to see the file names and contents that people shouldn't see when the Apache configuration fails. Yes, I understand, this is unlikely to happen, but it can happen and it is easy to protect yourself, so why not? We all know that PHP is server-side - you can't just look at the source code to see the script's code. But if Apache fails and your scripts suddenly serve in plain text, people will see source code that they shouldn't have seen. Some of this code may list accessible configuration files, or contain sensitive information, such as database credentials. The core of the solution is how you set up the directory structure of your application. That is, it is not a problem for bad people to see some code, the problem is what code they can see if sensitive files are saved in public directories. Save important files outside of publicly accessible directories to avoid the consequences of this error. For more information, including your directory structure example, see point 5 in this article. For more discussions on this topic, see this forum discussion.
Remote file contains
Please wait and let me explain: Remote file inclusion means that remote files are included in your application. Very profound, right? But why is this a problem? Because remote files are not trustworthy. It may have been maliciously modified, containing code that you don't want to run in your application. Suppose your www.myplace.com website contains the library www.goodpeople.com/script.php. One night, www.goodpeople.com was hacked and the file contents were replaced with malicious code that would destroy your application. Then someone visits your website, you introduce updated code, and then - bang! So how do you stop it? Fortunately, fixing this problem is relatively simple. You just need to go to your php.ini and check the settings of these flags.
allow_url_fopen – Indicates whether external files can be included. The default setting is "on", but you should turn it off. allow_url_include – Indicates whether the include(), require(), include_once(), and require_once() functions can reference remote files. It is turned off by default, and turning off allow_url_fopen also forces it to be turned off. Session Hijacking
Session hijacking is when a bad person steals and uses someone else's session ID, which is like the key to a secure safe deposit box. When a session is established between the client and the web server, PHP may store the session ID in a cookie named PHPSESSID on the client. Sends the ID with the page request to access the persistent session information on the server (this fills the super global variable $_SESSION array). If someone steals the session key, is that bad? The answer is: If you do not perform any important actions in that session, the answer is no. However, if you use that session to authenticate users, it will allow some mean people to log in and go into something. This is especially bad if the user is important and has a lot of permissions. So how do people steal these session IDs, and what can we, those of us who are upright and fearful of God, do? Session IDs are usually stolen through XSS attacks, so preventing XSS attacks is a good thing that can have a double benefit. It is also important to change the session ID as frequently as possible. This will shorten your stolen time window. In PHP, you can run the session_regenerate_id() function to change the session ID and notify the client. For users using PHP 5.2 and later (you are using it?), there is a php.ini setting that prevents JavaScript from accessing the session ID (session.cookie.httponly). Alternatively, you can use the session_set_cookie_parms() function. If you use shared hosting services (which store session information in a globally accessible directory, for example /tmp), then the session ID may also have vulnerabilities on the server side. You can block this problem by simply storing the session ID in a location that is only accessible to your script (on disk or in the database).
Cross-site request forgery
Cross-site Request Forgery (CSRF), also known as Brett Mafrick or Sean Spencer's strategy, involves tricking a rather uninformed user into sending out one that we should say is most unfavorable to himself ask. But instead of letting me continue to discuss CSRF attacks, refer to the outstanding example of such content on PHPMaster: Preventing Cross-site Request Forgery, written by Martin Psinas.
Catalog Traversal
This kind of attack, like many other attacks, looks for websites with poor security, and when it finds a website, it causes access to files that the owner does not intend to access publicly. It is also called ../ (point, point, slash) attack, climbing attack, and backtracking attack. There are several ways to prevent this attack. First of all, I sincerely hope it won't happen to you. Sometimes making a wish to fairies and unicorns helps. Sometimes it doesn't. The second approach is to use a whitelist to define which pages can be returned for a given request. Another option is to convert file paths to absolute paths and make sure they reference files in the allowed directory.
Summary
These are the top 10 issues that can cause your PHP application to be hacked if you accidentally avoid them. Yes, 10. Count…1,2,3…what? You only counted 8? OK, maybe 7. Well, that shows you can easily be fooled and I'm not even a bad guy! Pictures from Fotolia
Frequently Asked Questions for PHP Security Vulnerabilities (FAQ)
The most common PHP security vulnerabilities include SQL injection, cross-site scripting attacks (XSS), cross-site request forgery (CSRF), file inclusion vulnerabilities, and PHP object injection. If handled improperly, these vulnerabilities can lead to unauthorized access, data theft, and even server takeover. It is crucial for developers to understand these vulnerabilities and implement appropriate security measures to protect their PHP applications.
Preprocessing statements or parameterized queries can be used to prevent SQL injection. These methods ensure that user input is always treated as literal data, not part of SQL commands. This effectively eliminates the risk of SQL injection. Additionally, always verify and clean user input to ensure it does not contain malicious code.
Cross-site scripting attack (XSS) is a vulnerability that allows an attacker to inject malicious scripts into web pages viewed by other users. This can lead to session hijacking, identity theft and other serious problems. To prevent XSS, always encode user input and never insert untrusted data into HTML output.
AntiCSRF token can be used to prevent CSRF attacks. These are the only random values associated with the user session. They are included in each state change request (such as form submission) and are checked by the server. If the token is missing or incorrect, the request will be denied.
File inclusion vulnerability refers to the situation where an application uses user input to build a file path for operations. An attacker can manipulate input to contain files from a remote server, resulting in code execution, data leakage, or denial of service. To mitigate this vulnerability, avoid using user input in file paths, or thoroughly verify and clean the input.
PHP object injection is a vulnerability, which occurs when user input is used to instantiate a class. An attacker can manipulate input to create an instance of any class and execute its methods. To prevent this, never unserialize data from untrusted sources.
PHP sessions can be protected by using secure cookies, regenerating session IDs after logging in, and implementing session timeouts. In addition, the session data is stored on the server side and only the session ID is used to reference it.
Some best practices for PHP security include: keeping PHP version up-to-date, setting up with security configurations, verifying and cleaning user input, using secure password hashing algorithms, and implementing correct error handling.
PHP vulnerabilities can be detected through code review, penetration testing and using automated security tools. Regularly reviewing applications for security vulnerabilities is a critical part of maintaining secure PHP applications.
There are many resources to learn about PHP security, including PHP manuals, online tutorials, security blogs and forums. In addition, organizations such as OWASP provide a comprehensive guide on web application security.
The above is the detailed content of PHP Master | Top 10 PHP Security Vulnerabilities. For more information, please follow other related articles on the PHP Chinese website!
How oracle rounds
What does ICO mean?
How to close port 135 445
How to solve the problem that the msxml6.dll file is missing
How to solve no route to host
How to solve the problem when the computer CPU temperature is too high
Detailed explanation of Linux fork function
Commonly used database software
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
