菜单
  

    PHP Security – The Big Picture Web Security Whether your site is the web presence for a large multinational, a gallery showing your product range and inviting potential customers to come into the shop, or a personal site exhibiting your holiday photos, web security matters. After the hard work put in to make your site look good and respond to your users, the last thing you want is for a malicious hacker to come along, perform a PHP hack and break it somehow.42706

    There are a number of problems in web security, and unfortunately not all of them have definite solutions, but here we’ll look at some of the problems that should be considered every time you set out to write a PHP script to avoid a PHP hack attack. These are the problems which, with well-designed code, can be eliminated entirely. Before looking in detail at the solutions, though, lets take a moment to define the problems themselves.

    SQL Injection

    In this attack, a user is able to execute SQL queries in your website’s database. This attack is usually performed by entering text into a form field which causes a subsequent SQL query, generated from the PHP form processing code, to execute part of the content of the form field as though it were SQL. The effects of this attack range from the harmless (simply using SELECT to pull another data set) to the devastating (DELETE, for instance). In more subtle attacks, data could be changed, or new data added.

    Directory Traversal

    This attack can occur anywhere user-supplied data (from a form field or uploaded filename, for example) is used in a filesystem operation. If a user specifies “../../../../../../etc/passwd” as form data, and your script appends that to a directory name to obtain user-specific files, this string could lead to the inclusion of the password file contents, instead of the intended file. More severe cases involve file operations such as moving and deleting, which allow an attacker to make arbitrary changes to your filesystem structure.

    Authentication Issues

    Authentication issues involve users gaining access to something they shouldn’t, but to which other users should. An example would be a user who was able to steal (or construct) a cookie allowing them to login to your site under an Administrator session, and therefore be able to change anything they liked.

    Remote Scripts (XSS)

    XSS, or Cross-Site Scripting (also sometimes referred to as CSS, but this can be confused with Cascading Style Sheets, something entirely different!) is the process of exploiting a security hole in one site to run arbitrary code on that site’s server. The code is usually included into a running PHP script from a remote location. This is a serious attack which could allow any code the attacker chooses to be run on the vulnerable server, with all of the permissions of the user hosting the script, including database and filesystem access.

    Processing User Data – Form Input Verification & HTML Display

    Validating Input And Stripping Tags

    When a user enters information into a form which is to be later processed on your site, they have the power to enter anything they want. Code which processes form input should be carefully written to ensure that the input is as requested; password fields have the required level of complexity, e-mail fields have at least some characters, an @ sign, some more characters, a period, and two or more characters at the end, zip or postal codes are of the required format, and so on.

    Each of these may be verified using regular expressions, which scan the input for certain patterns. An example for e-mail address verification is the PHP code shown below. This evaluates to true if an e-mail address was entered in the field named ’email’.

    preg_match('/^.+@.+\..{2,3}$/',$_POST['email']);

    This code just constructs a regular expression based on the format described above for an e-mail address. Note that this will return true for anything with an @ sign and a dot followed by 2 or 3 characters. That is the general format for an e-mail address, but it doesn’t mean that address necessarily exists; you’d have to send mail to it to be sure of that.

  1. 上一篇:网络课程教育英文文献和中文翻译
  2. 下一篇:工业机器人的结构优化设计英文文献和中文翻译
  1. 汽车内燃机连杆载荷和应...

  2. 机械手系统英文文献和中文翻译

  3. 固体氧化物燃料电池英文文献和中文翻译

  4. 船舶运动仿真系统英文文献和中文翻译

  5. 新能源空调系统设计英文文献和中文翻译

  6. 正交试验回归法和响应曲...

  7. 机械设计制造及其自动化英文文献和中文翻译

  8. C++最短路径算法研究和程序设计

  9. 高警觉工作人群的元情绪...

  10. 巴金《激流三部曲》高觉新的悲剧命运

  11. g-C3N4光催化剂的制备和光催化性能研究

  12. 中国传统元素在游戏角色...

  13. 现代简约美式风格在室内家装中的运用

  14. 江苏省某高中学生体质现状的调查研究

  15. NFC协议物理层的软件实现+文献综述

  16. 浅析中国古代宗法制度

  17. 上市公司股权结构对经营绩效的影响研究

  

About

优尔论文网手机版...

主页:http://www.youerw.com

关闭返回