Home Backend Development PHP Tutorial php website security issues

php website security issues

Jul 29, 2016 am 09:00 AM
http php runtime session sql

1. Common PHP website security vulnerabilities
Regarding PHP vulnerabilities, there are currently five common vulnerabilities. They are Session file vulnerabilities, SQL injection vulnerabilities, script command execution vulnerabilities, global variable vulnerabilities and file vulnerabilities. Here is a brief introduction to each of these vulnerabilities.
1. Session file vulnerability
Session attack is one of the most commonly used attack methods by hackers. When a user visits a certain website, in order to prevent the customer from entering their account number and password every time they enter a page, PHP sets Session and Cookie to facilitate the user's use and access.
2. SQL injection vulnerability
During website development, programmers lack comprehensive judgment on user input data or do not filter it strictly, causing the server to execute some malicious information, such as user information query, etc. Hackers can obtain corresponding information based on the results returned by malicious programs. This is the SQL injection vulnerability of Yuexingwei.
3. Script Execution Vulnerability
The common cause of script execution vulnerabilities is that programmers do not filter the URL parameters submitted by users when developing websites. The URLs submitted by users may contain malicious code, leading to cross-site scripting attacks. . Script execution vulnerabilities often existed in previous PHP websites, but with the upgrade of PHP versions, these problems have been reduced or no longer exist.
4. Global variable vulnerability
Variables in PHP do not need to be declared in advance like other development languages ​​when used. Variables in PHP can be used directly without declaration. The system automatically creates them when used, and also There is no need to specify the variable type, the system will automatically determine the variable type based on the context. This method can greatly reduce the probability of programmers making errors in programming and is very convenient to use.
5. File vulnerabilities
File vulnerabilities are usually caused by the lack of adequate filtering of externally provided data by website developers when designing websites, causing hackers to exploit the vulnerabilities to execute corresponding commands on the Web process. If lsm.php contains such a piece of code: include ($b."/aaa.php".), for hackers, remote attacks can be achieved through the variable $b, which can be the hacker's own code. accomplish Attacks on websites. You can submit a.php include=http://lZ7.0.0.1/b.php to the server, and then execute the instructions of b.php.
2. Preventive measures for common PHP vulnerabilities
1. Prevention of Session vulnerabilities

From the previous analysis, we can know that the most common Session attack is session hijacking, that is, hackers obtain the user's Session through various attack methods ID, and then use the identity of the attacked user to log in to the corresponding website. For this purpose, the following methods can be used here: Methods to prevent: First, change the Session ID regularly. Changing the Session ID can be achieved by using PHP's own function; second, change the Session name. Usually the default name of the Session is PHPSESSID. This variable is generally saved in a cookie. If Changing its name can block some attacks by hackers; the third is to close the transparent Session ID. The so-called transparency means that when the http request does not use cookies to formulate the Session ID, the Sessioin ID uses a link to Passing. Turning off the transparent Session ID can be achieved by operating the PHP.ini file; the fourth is to pass the hidden parameters through the URL, which can ensure that even if the hacker obtains the session data, due to the related The related parameters are hidden and it is also difficult to get the Session ID variable value.
2. Prevention of SQL injection vulnerabilities
Hackers have many ways to inject SQL, and they are flexible and changeable, but what SQL injection has in common is the use of input filtering vulnerabilities. Therefore, in order to fundamentally prevent SQL injection, the fundamental solution is to strengthen the filtering of request commands, especially query request commands. Specifically, it includes the following points: First, the filtering statements are parameterized, that is, the input of user information is realized through parameterized statements. Rather than embedding user input directly into statements. The second is to use interpretive programs as little as possible when developing the website. Hackers often use this method to execute illegal commands; the third is to avoid bugs in the website as much as possible when developing the website, otherwise hackers may use this information to attack the website; just It is not enough to defend against SQL injection. In addition, professional vulnerability scanning tools must be frequently used to scan the website for vulnerabilities.
3. Prevention of script execution vulnerabilities
The means by which hackers use script execution vulnerabilities to attack are diverse and flexible. For this, a combination of multiple prevention methods must be used. This can effectively prevent hackers from attacking script execution vulnerabilities. There are four commonly used methods here. One is to pre-set the path of the executable file. This can be achieved through safe_moade_exec_dir; the second is the command parameters For processing, the escapeshellarg function is generally used; the third is to use the system's own function library to replace external commands; the fourth is to reduce the use of external commands during operation.
4. Prevent global variable vulnerabilities
Regarding the vulnerability of PHP global variables, previous PHP versions had such problems, but after the PHP version is upgraded to 5.5, it can be achieved by setting php.ini , set ruquest_order to GPC. In addition, in the php.ini configuration file, you can Set whether to backslash overflow characters in external quoted data by setting a Boolean value to magic_quotes_runtime. In order to ensure that the website program can run in any setting state of the server. You can use get_magic_quotes_runtime to detect the setting status at the beginning of the entire program to decide whether to handle it manually, or use set_magic_quotes_runtime(0) to turn it off at the beginning (or when automatic escaping is not needed).
5. Prevention of file vulnerabilities
For PHP file leaks, you can achieve the purpose of prevention by setting and configuring the server. The specific operations here are as follows: First, turn off the error prompts in the PHP code. This can prevent hackers from obtaining database information and the physical path of web page files through error prompts. path; the second is to carefully set up open_basedir, that is, to prohibit file operations outside the directory; this can protect local files or remote files and prevent them from being attacked. Here we also need to pay attention to preventing Session files and uploaded files. attack; the third is to set safe-made to the open state to standardize the commands to be executed. By prohibiting file uploads, the security factor of the PHP website can be effectively improved. Please indicate the source when reprinting: Common security vulnerabilities in PHP websites and a summary of corresponding preventive measures
http://www.php1.cn/Content/PHP_WangZhanChangJianAnQuanLouDongJiXiangYingFangFanCuoShiZongJie.html

The above has introduced the security issues of PHP websites, including aspects of it. I hope it will be helpful to friends who are interested in PHP tutorials.

Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Hot AI Tools

Undresser.AI Undress

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress AI Tool

Undress images for free

Clothoff.io

Clothoff.io

AI clothes remover

AI Hentai Generator

AI Hentai Generator

Generate AI Hentai for free.

Hot Article

R.E.P.O. Energy Crystals Explained and What They Do (Yellow Crystal)
2 weeks ago By 尊渡假赌尊渡假赌尊渡假赌
Repo: How To Revive Teammates
4 weeks ago By 尊渡假赌尊渡假赌尊渡假赌
Hello Kitty Island Adventure: How To Get Giant Seeds
3 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

Hot Tools

Notepad++7.3.1

Notepad++7.3.1

Easy-to-use and free code editor

SublimeText3 Chinese version

SublimeText3 Chinese version

Chinese version, very easy to use

Zend Studio 13.0.1

Zend Studio 13.0.1

Powerful PHP integrated development environment

Dreamweaver CS6

Dreamweaver CS6

Visual web development tools

SublimeText3 Mac version

SublimeText3 Mac version

God-level code editing software (SublimeText3)

CakePHP Project Configuration CakePHP Project Configuration Sep 10, 2024 pm 05:25 PM

In this chapter, we will understand the Environment Variables, General Configuration, Database Configuration and Email Configuration in CakePHP.

PHP 8.4 Installation and Upgrade guide for Ubuntu and Debian PHP 8.4 Installation and Upgrade guide for Ubuntu and Debian Dec 24, 2024 pm 04:42 PM

PHP 8.4 brings several new features, security improvements, and performance improvements with healthy amounts of feature deprecations and removals. This guide explains how to install PHP 8.4 or upgrade to PHP 8.4 on Ubuntu, Debian, or their derivati

CakePHP Date and Time CakePHP Date and Time Sep 10, 2024 pm 05:27 PM

To work with date and time in cakephp4, we are going to make use of the available FrozenTime class.

CakePHP File upload CakePHP File upload Sep 10, 2024 pm 05:27 PM

To work on file upload we are going to use the form helper. Here, is an example for file upload.

CakePHP Routing CakePHP Routing Sep 10, 2024 pm 05:25 PM

In this chapter, we are going to learn the following topics related to routing ?

Discuss CakePHP Discuss CakePHP Sep 10, 2024 pm 05:28 PM

CakePHP is an open-source framework for PHP. It is intended to make developing, deploying and maintaining applications much easier. CakePHP is based on a MVC-like architecture that is both powerful and easy to grasp. Models, Views, and Controllers gu

How To Set Up Visual Studio Code (VS Code) for PHP Development How To Set Up Visual Studio Code (VS Code) for PHP Development Dec 20, 2024 am 11:31 AM

Visual Studio Code, also known as VS Code, is a free source code editor — or integrated development environment (IDE) — available for all major operating systems. With a large collection of extensions for many programming languages, VS Code can be c

CakePHP Creating Validators CakePHP Creating Validators Sep 10, 2024 pm 05:26 PM

Validator can be created by adding the following two lines in the controller.

See all articles