关于网站安全方面的问题疑惑(XSS、SQL等)
一个网站在开发的时候 就需要考虑安全问题吗?
服务器安全除外 是不是只要做好了 上传、表单危险字符串过滤就可以了? XSS SQL
回复讨论(解决方案)
xss sql注入 跨域攻击 特殊字符处理
哪有这么简单。
2. 输入验证和输出显示
2.1 命令注入
2.2 跨站脚本
2.3 文件包含
2.4 代码注入
2.5 SQL注入
2.6 XPath注入
2.7 HTTP响应拆分
2.8 文件管理
2.9 文件上传
2.10 变量覆盖
2.11 动态函数
3. 会话安全
3.1 HTTPOnly设置
3.2 domain设置
3.3 path设置
3.4 cookies持续时间
3.5 secure设置
3.6 session固定
3.7 CSRF
4. 加密
4.1 明文存储密码
4.2 密码弱加密
4.3 密码存储在攻击者能访问到的文件
5. 认证和授权
5.1 用户认证
5.2 函数或文件的未认证调用
5.3 密码硬编码
6. 随机函数
6.1 rand()
6.2 mt_srand()和mt_rand()
7. 特殊字符和多字节编码
7.1 多字节编码
8. PHP危险函数
8.1 缓冲区溢出
8.2 session_destroy()删除文件漏洞
8.3 unset()-zend_hash_del_key_or_index漏洞
9. 信息泄露
9.1 phpinfo
10. PHP环境
10.1 open_basedir设置
10.2 allow_url_fopen设置
10.3 allow_url_include设置
10.4 safe_mode_exec_dir设置
10.5 magic_quote_gpc设置
10.6 register_globals设置
10.7 safe_mode设置
10.8 session_use_trans_sid设置
10.9 display_errors设置
10.10 expose_php设置
命令注入
PHP执行系统命令可以使用以下几个函数:system、exec、passthru、“、shell_exec、popen、proc_open、pcntl_exec
我们通过在全部程序文件中搜索这些函数,确定函数的参数是否会因为外部提交而改变,检查这些参数是否有经过安全处理。
防范方法:
使用自定义函数或函数库来替代外部命令的功能
使用escapeshellarg函数来处理命令参数
使用safe_mode_exec_dir指定可执行文件的路径
跨站脚本
反射型跨站常常出现在用户提交的变量接受以后经过处理,直接输出显示给客户端;存储型跨站常常出现在用户提交的变量接受过经过处理后,存储在数据库里,然后又从数据库中读取到此信息输出到客户端。输出函数经常使用:echo、print、printf、vprintf、
对于反射型跨站,因为是立即输出显示给客户端,所以应该在当前的php页面检查变量被客户提交之后有无立即显示,在这个过程中变量是否有经过安全检查。
对于存储型跨站,检查变量在输入后入库,又输出显示的这个过程中,变量是否有经过安全检查。
防范方法:
如果输入数据只包含字母和数字,那么任何特殊字符都应当阻止
对输入的数据经行严格匹配,比如邮件格式,用户名只包含英文或者中文、下划线、连字符
对输出进行HTML编码,编码规范
( (
) )
# #
& &
" "
‘ '
` %60
文件包含
PHP可能出现文件包含的函数:include、include_once、require、require_once、show_source、highlight_file、readfile、file_get_contents、fopen、 nt>file
防范方法:
对输入数据进行精确匹配,比如根据变量的值确定语言en.php、cn.php,那么这两个文件放在同一个目录下’language/’.$_POST[‘lang’].’.php’,那么检查提交的数据是否是en或者cn是最严格的,检查是否只包含字母也不错
通过过滤参数中的/、..等字符
代码注入
PHP可能出现代码注入的函数:eval、preg_replace+/e、assert、call_user_func、call_user_func_array、create_function
查找程序中程序中使用这些函数的地方,检查提交变量是否用户可控,有无做输入验证
防范方法:
输入数据精确匹配
白名单方式过滤可执行的函数
SQL注入
SQL注入因为要操作数据库,所以一般会查找SQL语句关键字:insert、delete、update、select,查看传递的变量参数是否用户可控制,有无做过安全处理
防范方法:
使用参数化查询
更详细的看这里:http://www.sectop.com/?p=111
楼上的回答好强悍。
个人感觉,上传、表单通过字符串过滤,以及mysql转义(或者PDO接口)都可达到安全级别。
关键难难在防御服务器攻击。操作系统(不断的打补丁),apahce(潜在的漏洞),php(升级到最新版本),服务器端口(关闭某些端口号),FTP(权限和密码安全),SSH(端口号,密码)……
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
What is the difference between HQL and SQL in Hibernate framework?
Apr 17, 2024 pm 02:57 PM
HQL and SQL are compared in the Hibernate framework: HQL (1. Object-oriented syntax, 2. Database-independent queries, 3. Type safety), while SQL directly operates the database (1. Database-independent standards, 2. Complex executable queries and data manipulation).
Is there any website for learning C language?
Jan 30, 2024 pm 02:38 PM
Websites for learning C language: 1. C Language Chinese Website; 2. Rookie Tutorial; 3. C Language Forum; 4. C Language Empire; 5. Script House; 6. Tianji.com; 7. Red and Black Alliance; 8, 51 Self-study network; 9. Likou; 10. C Programming. Detailed introduction: 1. C language Chinese website, which is a website dedicated to providing C language learning materials for beginners. It is rich in content, including basic grammar, pointers, arrays, functions, structures and other modules; 2. Rookie tutorials, This is a comprehensive programming learning website and more.
Usage of division operation in Oracle SQL
Mar 10, 2024 pm 03:06 PM
"Usage of Division Operation in OracleSQL" In OracleSQL, division operation is one of the common mathematical operations. During data query and processing, division operations can help us calculate the ratio between fields or derive the logical relationship between specific values. This article will introduce the usage of division operation in OracleSQL and provide specific code examples. 1. Two ways of division operations in OracleSQL In OracleSQL, division operations can be performed in two different ways.
Comparison and differences of SQL syntax between Oracle and DB2
Mar 11, 2024 pm 12:09 PM
Oracle and DB2 are two commonly used relational database management systems, each of which has its own unique SQL syntax and characteristics. This article will compare and differ between the SQL syntax of Oracle and DB2, and provide specific code examples. Database connection In Oracle, use the following statement to connect to the database: CONNECTusername/password@database. In DB2, the statement to connect to the database is as follows: CONNECTTOdataba
What does the identity attribute in SQL mean?
Feb 19, 2024 am 11:24 AM
What is Identity in SQL? Specific code examples are needed. In SQL, Identity is a special data type used to generate auto-incrementing numbers. It is often used to uniquely identify each row of data in a table. The Identity column is often used in conjunction with the primary key column to ensure that each record has a unique identifier. This article will detail how to use Identity and some practical code examples. The basic way to use Identity is to use Identit when creating a table.
Detailed explanation of the Set tag function in MyBatis dynamic SQL tags
Feb 26, 2024 pm 07:48 PM
Interpretation of MyBatis dynamic SQL tags: Detailed explanation of Set tag usage MyBatis is an excellent persistence layer framework. It provides a wealth of dynamic SQL tags and can flexibly construct database operation statements. Among them, the Set tag is used to generate the SET clause in the UPDATE statement, which is very commonly used in update operations. This article will explain in detail the usage of the Set tag in MyBatis and demonstrate its functionality through specific code examples. What is Set tag Set tag is used in MyBati
How to solve the 5120 error in SQL
Mar 06, 2024 pm 04:33 PM
Solution: 1. Check whether the logged-in user has sufficient permissions to access or operate the database, and ensure that the user has the correct permissions; 2. Check whether the account of the SQL Server service has permission to access the specified file or folder, and ensure that the account Have sufficient permissions to read and write the file or folder; 3. Check whether the specified database file has been opened or locked by other processes, try to close or release the file, and rerun the query; 4. Try as administrator Run Management Studio as etc.
How to use SQL statements for data aggregation and statistics in MySQL?
Dec 17, 2023 am 08:41 AM
How to use SQL statements for data aggregation and statistics in MySQL? Data aggregation and statistics are very important steps when performing data analysis and statistics. As a powerful relational database management system, MySQL provides a wealth of aggregation and statistical functions, which can easily perform data aggregation and statistical operations. This article will introduce the method of using SQL statements to perform data aggregation and statistics in MySQL, and provide specific code examples. 1. Use the COUNT function for counting. The COUNT function is the most commonly used
