    PHP Security – The Big Picture

    Web Security

    Whether your site is the web presence for a large multinational, a gallery showing your product range and inviting potential customers to come into the shop, or a personal site exhibiting your holiday photos, web security matters. After the hard work put in to make your site look good and respond to your users, the last thing you want is for a malicious hacker to come along, perform a PHP hack and break it somehow.

    There are a number of problems in web security, and unfortunately not all of them have definite solutions, but here we’ll look at some of the problems that should be considered every time you set out to write a PHP script, so as to avoid a PHP hack attack. These are the problems which, with well-designed code, can be eliminated entirely. Before looking in detail at the solutions, though, let’s take a moment to define the problems themselves.

    SQL Injection

    In this attack, a user is able to execute SQL queries in your website’s database. This attack is usually performed by entering text into a form field which causes a subsequent SQL query, generated from the PHP form processing code, to execute part of the content of the form field as though it were SQL. The effects of this attack range from the harmless (simply using SELECT to pull another data set) to the devastating (DELETE, for instance). In more subtle attacks, data could be changed, or new data added.
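The following is an added example, not code from the original article: the same user lookup written first with string concatenation, which is how the form-field text described above ends up being parsed as SQL, and then as a PDO prepared statement, where the bound value can only ever be compared as data. The table, rows and the form value are constructed here; it runs offline against an in-memory SQLite database (requires the pdo_sqlite extension).

```php
<?php
// Added example (not from the original article).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$db->exec("INSERT INTO users (name, email) VALUES ('alice', 'alice@example.com'), ('bob', 'bob@example.com')");

// Vulnerable: the form value becomes part of the SQL text, so any quote or
// keyword it contains is read by the database as SQL, not as a name.
function findUserUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the statement is compiled with a placeholder first; the value is bound
// afterwards and is never parsed as SQL, whatever characters it contains.
function findUserSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed form input: an ordinary name containing a single quote.
$input = "o'brien";

try {
    findUserUnsafe($db, $input);
    echo "unsafe: query ran\n";
} catch (PDOException $e) {
    // The quote in the input broke the SQL text, which is exactly the mechanism
    // an attacker uses to change the query instead of merely breaking it.
    echo "unsafe: query rejected by the database: " . $e->getMessage() . "\n";
}

echo 'safe: ' . count(findUserSafe($db, $input)) . " row(s) for o'brien\n"; // 0
echo 'safe: ' . count(findUserSafe($db, 'alice')) . " row(s) for alice\n";  // 1
```

The point to check in your own code is the absence of string building: every value that came from a request should reach the database through a placeholder, never through concatenation or interpolation, regardless of how it was validated beforehand.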

    Directory Traversal

    This attack can occur anywhere user-supplied data (from a form field or uploaded filename, for example) is used in a filesystem operation. If a user specifies “../../../../../../etc/passwd” as form data, and your script appends that to a directory name to obtain user-specific files, this string could lead to the inclusion of the password file contents, instead of the intended file. More severe cases involve file operations such as moving and deleting, which allow an attacker to make arbitrary changes to your filesystem structure.
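As an added example (not from the original article), the function below resolves a user-supplied file name inside a fixed per-user directory. It keeps only the last path component, so the ../../../../../../etc/passwd string from the text collapses to passwd, and it then confirms with realpath() that the resolved file really lies under the base directory. The directory name and the sample file are constructed for the example.

```php
<?php
// Added example (not from the original article).

// Hypothetical directory of per-user files; constructed under the system temp dir.
define('USER_FILES_DIR', sys_get_temp_dir() . '/userfiles_demo');

// Return the absolute path of a file inside USER_FILES_DIR, or null if the
// request cannot be mapped to an existing file inside that directory.
function userFilePath(string $requested): ?string
{
    // Keep only the final component: "../../../../../../etc/passwd" -> "passwd".
    $name = basename($requested);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }

    $base = realpath(USER_FILES_DIR);
    $full = realpath(USER_FILES_DIR . '/' . $name);

    // realpath() resolves symlinks and ".." segments and returns false for
    // files that do not exist, so the result must start with the base directory.
    if ($base === false || $full === false
        || strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $full;
}

// Constructed fixture: one legitimate file in the directory.
if (!is_dir(USER_FILES_DIR)) {
    mkdir(USER_FILES_DIR, 0700, true);
}
file_put_contents(USER_FILES_DIR . '/notes.txt', "hello\n");

var_dump(userFilePath('notes.txt'));                     // string: absolute path to notes.txt
var_dump(userFilePath('../../../../../../etc/passwd'));  // NULL: becomes "passwd", not in the directory
var_dump(userFilePath('missing.txt'));                   // NULL: realpath() fails for a missing file
```

Two defences are layered here on purpose: basename() removes directory components from the request, and the realpath() prefix check catches anything that still resolves outside the base, such as a symlink placed in the directory. Moving or deleting files should go through the same function so that only a path it returned is ever passed to the filesystem call.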

    Authentication Issues

    Authentication issues involve users gaining access to something they shouldn’t, but to which other users should. An example would be a user who was able to steal (or construct) a cookie allowing them to log in to your site under an Administrator session, and therefore be able to change anything they liked.
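The following is an added example, not code from the original article, showing the "constructed cookie" case from the text: a role stored as a plain cookie field is accepted as whatever the client says, whereas a token carrying an HMAC over its fields can only be produced by the server. The secret, user names and expiry are constructed for the example; the cookie array stands in for $_COOKIE so it runs offline.

```php
<?php
// Added example (not from the original article).

// Hypothetical server-side secret; in a real deployment it is loaded from
// configuration and never derived from anything in the request.
const COOKIE_SECRET = 'replace-with-a-long-random-value-kept-on-the-server';

// Naive: the browser tells us its role and we believe it.
function roleFromPlainCookie(array $cookie): string
{
    return $cookie['role'] ?? 'guest';
}

// Issue a token "<user>|<role>|<expiry>|<hmac>". Only the server knows the
// secret, so a client cannot compute a valid tag for a role it was not given.
function issueToken(string $user, string $role, int $expires): string
{
    $payload = "$user|$role|$expires";
    $tag = hash_hmac('sha256', $payload, COOKIE_SECRET);
    return "$payload|$tag";
}

// Verify the tag in constant time and check the expiry; return the role only
// when both pass, otherwise treat the caller as an anonymous guest.
function roleFromSignedToken(?string $token, int $now): string
{
    if ($token === null) {
        return 'guest';
    }
    $parts = explode('|', $token);
    if (count($parts) !== 4) {
        return 'guest';
    }
    [$user, $role, $expires, $tag] = $parts;
    $expected = hash_hmac('sha256', "$user|$role|$expires", COOKIE_SECRET);
    if (!hash_equals($expected, $tag) || (int) $expires < $now) {
        return 'guest';
    }
    return $role;
}

$now = time();

// A constructed plain cookie is accepted as-is.
echo roleFromPlainCookie(['role' => 'admin']), "\n";                          // admin

// A token issued by the server verifies...
$token = issueToken('bob', 'user', $now + 3600);
echo roleFromSignedToken($token, $now), "\n";                                  // user

// ...but the same token with the role field edited by the client does not.
echo roleFromSignedToken(str_replace('|user|', '|admin|', $token), $now), "\n"; // guest

// Nor does an expired one.
echo roleFromSignedToken(issueToken('bob', 'user', $now - 1), $now), "\n";     // guest
```

Signing stops construction, not theft: a stolen token is still valid until it expires. For the stolen-cookie case the usual measures are keeping the authoritative role in a server-side session rather than in the cookie, regenerating the session id at login, short expiry, and setting the HttpOnly, Secure and SameSite cookie attributes so the token is harder to read or replay from elsewhere.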

    Remote Scripts (XSS)

    XSS, or Cross-Site Scripting (also sometimes referred to as CSS, but this can be confused with Cascading Style Sheets, something entirely different!) is the process of exploiting a security hole in one site to run arbitrary code on that site’s server. The code is usually included into a running PHP script from a remote location. This is a serious attack which could allow any code the attacker chooses to be run on the vulnerable server, with all of the permissions of the user hosting the script, including database and filesystem access.
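The mechanism described in this section, pulling code into a running PHP script from a location chosen by the request, is the one usually called remote file inclusion. The following is an added example, not from the original article, of the defensive shape that removes it: the page to include is looked up in a fixed map, so request data never becomes part of a path, and the script reports if the allow_url_include directive (where the PHP build still has it) is enabled. The page names, the temporary directory and the template files are constructed so it runs offline.

```php
<?php
// Added example (not from the original article).

// Constructed fixture: two template files in a temporary directory.
$templateDir = sys_get_temp_dir() . '/pages_demo';
if (!is_dir($templateDir)) {
    mkdir($templateDir, 0700, true);
}
file_put_contents("$templateDir/home.php", "<?php echo \"home page\\n\";");
file_put_contents("$templateDir/contact.php", "<?php echo \"contact page\\n\";");

// Allowed pages. The request supplies a key; the file name comes only from here.
const PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

// Map a request value to a file name, or null for anything not in the list:
// URLs, absolute paths and ".." sequences all fall through to null.
function pageToInclude(string $requested): ?string
{
    return PAGES[$requested] ?? null;
}

// Render the requested page; unknown keys get the default rather than an error
// that leaks which names exist.
function render(string $templateDir, string $requested): void
{
    $file = pageToInclude($requested) ?? PAGES['home'];
    include $templateDir . '/' . $file;
}

// Deployment check: with allow_url_include on, include() accepts URLs, which
// is the setting that makes remote code inclusion possible at all.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    fwrite(STDERR, "warning: allow_url_include is enabled in php.ini\n");
}

render($templateDir, 'contact');                  // contact page
render($templateDir, 'home');                     // home page
render($templateDir, 'http://evil.example/x');    // home page (not in the map)
render($templateDir, '../../etc/passwd');         // home page (not in the map)
```

The same map-lookup pattern applies wherever a request selects a template, a language file or a plugin: the request picks a key, and the filesystem path is a constant the code owns.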

    Processing User Data – Form Input Verification & HTML Display

    Validating Input And Stripping Tags

    When a user enters information into a form which is to be later processed on your site, they have the power to enter anything they want. Code which processes form input should be carefully written to ensure that the input is as requested; password fields have the required level of complexity, e-mail fields have at least some characters, an @ sign, some more characters, a period, and two or more characters at the end, zip or postal codes are of the required format, and so on.

    Each of these may be verified using regular expressions, which scan the input for certain patterns. An example for e-mail address verification is the PHP code shown below. This evaluates to true if an e-mail address was entered in the field named 'email'.

    // Returns 1 when the 'email' field looks like something@something.xx(x), 0 otherwise
    preg_match('/^.+@.+\..{2,3}$/', $_POST['email']);

    This code matches the field against a regular expression built from the format described above for an e-mail address. Note that this will return true for anything with an @ sign and a later dot followed by 2 or 3 characters. That is the general format for an e-mail address, but it doesn’t mean that the address necessarily exists; you’d have to send mail to it to be sure of that.
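As an added example (not code from the original article), the function below validates the three kinds of field the text lists: an e-mail address using PHP's built-in FILTER_VALIDATE_EMAIL, a password against a complexity rule, and a postal code against a pattern. The field names, the password policy (10+ characters with upper case, lower case and a digit) and the US ZIP format are assumptions made for the example, and $_POST is replaced by constructed arrays so it runs offline. The article's own pattern is kept alongside to show one input on which the two e-mail checks disagree.

```php
<?php
// Added example (not from the original article).

// Validate a constructed sign-up form; returns one message per failing field.
function validateSignup(array $post): array
{
    $errors = [];

    $email = $post['email'] ?? '';
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'not a syntactically valid e-mail address';
    }

    // Password complexity (policy assumed for the example): 10+ characters
    // containing at least one lower-case letter, one upper-case letter and one digit.
    $password = $post['password'] ?? '';
    if (!preg_match('/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d).{10,}$/', $password)) {
        $errors['password'] = 'must be 10+ characters with upper case, lower case and a digit';
    }

    // Postal code (format assumed for the example): US ZIP or ZIP+4.
    $zip = $post['zip'] ?? '';
    if (!preg_match('/^\d{5}(-\d{4})?$/', $zip)) {
        $errors['zip'] = 'must be 12345 or 12345-6789';
    }

    return $errors;
}

// The article's own e-mail pattern, kept for comparison.
function emailMatchesArticleRegex(string $email): bool
{
    return preg_match('/^.+@.+\..{2,3}$/', $email) === 1;
}

// Constructed form submissions.
$good = ['email' => 'alice@example.com', 'password' => 'Correct-Horse7', 'zip' => '12345-6789'];
$bad  = ['email' => 'alice at example.com', 'password' => 'password', 'zip' => '1234'];

var_dump(validateSignup($good)); // empty array: every field passes
var_dump(validateSignup($bad));  // three entries: email, password, zip

// The article's regex insists on a 2- or 3-character ending, so a valid address
// on a longer top-level domain is rejected while filter_var() accepts it.
var_dump(emailMatchesArticleRegex('bob@example.info'));                    // bool(false)
var_dump(filter_var('bob@example.info', FILTER_VALIDATE_EMAIL) !== false); // bool(true)
```

Whichever check you use, validation only establishes that the input has the expected shape; it does not make the value safe to embed in SQL, a path or HTML, so the output-side measures for each of those contexts still apply.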
