Detailed explanation of security prevention knowledge in PHP-based development

Detailed explanation of security prevention knowledge in PHP-based development_PHP tutorial

WBOY

Release： 2016-07-21 15:08:54

Original

811 people have browsed it

PHP code security, XSS, SQL injection, etc. are very useful for the security of various websites, especially UGC (User Generated Content) websites, forums and e-commerce websites, which are often the hardest hit areas of XSS and SQL injection. Here is a brief introduction to some basic programming points. Compared with system security, PHP security prevention requires programmers to be more careful about various parameters entered by users.

Safety in the PHP compilation process

It is recommended to install the Suhosin patch, and the security patch must be installed
php.ini security settings

Copy the code The code is as follows:

register_global = off
magic_quotes_gpc = off
display_error = off
log_error = on
# allow_url_fopen = off
expose_php = off
open_basedir =
safe_mode = on
disable_function = exec,system,passthru,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,dl,popen,show_source,get_cfg_var
safe_mode_include_dir =

DB SQL preprocessing
mysql_real_escape_string (Many PHPers still rely on addslashes to prevent SQL injection, but this method is still problematic for Chinese encoding. The problem with addslashes is that hackers can use 0xbf27 to replace single quotes, and 0xbf27 is not a single quote in GBK encoding Legal characters, so addslashes just turns 0xbf5c27 into a valid multi-byte character, in which 0xbf5c will still be regarded as a single quote, see this article for details). You also need to specify the correct character set when using the mysql_real_escape_string function, otherwise there may still be problems.

prepare + execute(PDO)
ZendFramework can use quote or quoteInto of the DB class. These two methods are implemented according to various databases. They are not like mysql_real_escape_string only Can be used for mysql

Processing of user input
If you do not need to retain HTML tags, you can use the following method
strip_tags, delete all html tags in string
htmlspecialchars, only for "<","> ;",";","'" characters are escaped
htmlentities, and all html are escaped
If HTML tags must be retained, the following tools can be considered:

Copy code The code is as follows:

HTML Purifier: HTML Purifier is a standards-compliant HTML filter library written in PHP.
PHP HTML Sanitizer: Remove unsafe tags and attributes from HTML code
htmLawed: PHP code to purify & filter HTML

Upload files
Use the is_uploaded_file and move_uploaded_file functions, and use the HTTP_POST_FILES[] array. And prevent users from uploading php scripts by removing the PHP interpretation function of the upload directory.
You can consider using the File_upload module under the ZF framework
Secure processing of Session, Cookie and Form
Do not rely on cookies for core verification, important information needs to be encrypted, and the transmitted data must be processed before Form Post Hash, for example, the form element you send is as follows:

Copy code The code is as follows:

Verify the parameters after POST comes back
$str = "";
foreach($_POST['H '] as $key=>$value) {
$str .= $key.$value;
}
if($_POST['hash'] != md5($str.$secret )) {
echo "Hidden form data modified"; exit;
}

PHP security detection tool (XSS and SQL Insertion)
Wapiti - Web application security auditor(Wapiti - Compact site vulnerability detection tool) (SQL injection/XSS attack detection tool)

Installation/usage method:
apt-get install libtidy-0.99-0 python-ctypes python-utidylib
python wapiti.py http://Your Website URL/ -m GET_XSS
Pixy: XSS and SQLI Scanner for PHP (Pixy - PHP source code defect analysis tool)
Installation: apt-get install default-jdk