Analysis of common security vulnerabilities in PHP code audit

Analysis of common security vulnerabilities in PHP code audit

Introduction:
With the widespread use of Internet applications, PHP, as a popular development language, has been widely Used to develop various web applications. However, due to the relatively flexible development method of PHP, security vulnerabilities have also increased accordingly. This article will focus on analyzing common security vulnerabilities in PHP code auditing, and provide some code examples to help developers recognize and avoid these vulnerabilities.

1. SQL Injection (SQL Injection)
SQL injection means that the attacker obtains or modifies the data in the database by injecting malicious SQL statements into the data entered by the user. The following is an example of a common vulnerability:

$username = $_POST['username'];
$password = $_POST['password'];

$sql = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
$result = mysqli_query($conn, $sql);

if(mysqli_num_rows($result) > 0){
    echo "登录成功！";
}else{
    echo "用户名或密码错误！";
}

In this code, the username and password in the login form are directly spliced ​​into the SQL statement, making it vulnerable to SQL injection attacks. An attacker can change the logic of the SQL statement by entering a specific string, or even bypass login verification directly by ' OR '1'='1.

Solution:
In order to avoid SQL injection vulnerabilities, you should use prepared statements or bound parameters to construct SQL statements. Modify the code as follows:

$username = $_POST['username'];
$password = $_POST['password'];

$sql = "SELECT * FROM users WHERE username = ? AND password = ?";
$stmt = mysqli_prepare($conn, $sql);
mysqli_stmt_bind_param($stmt, "ss", $username, $password);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);

if(mysqli_num_rows($result) > 0){
    echo "登录成功！";
}else{
    echo "用户名或密码错误！";
}

2. Cross-site scripting attack (XSS)
Cross-site scripting attack means that the attacker injects malicious script code into the data entered by the user to steal user information and tamper with web pages. content, initiate malicious operations and other purposes. The following is an example of a common vulnerability:

$name = $_GET['name'];
echo "欢迎您，".$name."!";

In this example, the name entered by the user is not filtered or escaped in any way, and the attacker can inject it by constructing specific input Malicious scripts, such as <script>alert('malicious code');</script>.

Solution:
In order to avoid XSS attacks, user input data should be filtered and escaped. Modify the code as follows:

$name = $_GET['name'];
echo "欢迎您，".htmlspecialchars($name)."!";

3. File upload vulnerability
File upload vulnerability refers to a vulnerability in which an attacker can execute arbitrary code by uploading malicious files. The following is an example of a common vulnerability:

$targetDir = "uploads/";
$targetFile = $targetDir . basename($_FILES["file"]["name"]);

if(move_uploaded_file($_FILES["file"]["tmp_name"], $targetFile)){
    echo "文件上传成功！";
}else{
    echo "文件上传失败！";
}

In this code, the uploaded file type is not verified. An attacker can execute arbitrary code by uploading a php script.

Solution:
In order to avoid file upload vulnerabilities, the type and size of uploaded files should be strictly verified and the uploaded files should be stored in a directory other than the Web root directory. Modify the code as follows:

$targetDir = "uploads/";
$targetFile = $targetDir . basename($_FILES["file"]["name"]);
$uploadOk = 1;
$allowedTypes = array('jpg', 'jpeg', 'png', 'gif');
$allowedSize = 1024 * 1024; // 限制文件大小为1MB

$fileType = strtolower(pathinfo($targetFile, PATHINFO_EXTENSION));
if(!in_array($fileType, $allowedTypes)){
    $uploadOk = 0;
    echo "只允许上传jpg、jpeg、png、gif格式的文件！";
}

if($_FILES["file"]["size"] > $allowedSize){
    $uploadOk = 0;
    echo "文件大小超过了限制！";
}

if($uploadOk){
    if(move_uploaded_file($_FILES["file"]["tmp_name"], $targetFile)){
        echo "文件上传成功！";
    }else{
        echo "文件上传失败！";
    }
}

Conclusion:
PHP code auditing is an important task. By analyzing common security vulnerabilities, we can be better aware of potential problems in the code and avoid them. I hope this article will be helpful to developers in PHP code auditing.

The above is the detailed content of Analysis of common security vulnerabilities in PHP code audit. For more information, please follow other related articles on the PHP Chinese website!