1.xss + sql injection (detailed introduction to xss attacks)
The majority of them are naturally XSS and SQL injection. For framework types or public files, it is recommended to do XSS and SQL in the public file. Injection filtering. Write a filter function in PHP as follows:
$_REQUEST = filter_xss($_REQUEST);
$_GET = filter_xss($_GET);
$_POST = filter_xss($_POST);
$_COOKIE = filter_xss($_COOKIE);
$_POST = filter_sql($_POST);
$_GET = filter_sql($_GET);
$_COOKIE = filter_sql($_COOKIE);
$_REQUEST = filter_sql($_REQUEST);
The simplest filter_xss function is htmlspecialchars()
The simplest filter_sql function is mysql_real_escape_string()
Of course, everyone knows that this filter_sql (detailed prevention of sql injection) can only filter character and search type injections. There is no solution for numeric types, but it also shows that after this layer of filtering, you only need to pay attention to the numeric SQL statements later. If you encounter it, just add intval filtering, which becomes much easier.
2. Command execution
For command execution, you can start with keywords, which can be divided into 3 categories in total
(1) PHP code execution: eval, etc.
(2) Shell command execution: exec, passthru, system, shell_exec, etc.
(3) File processing: fwrite, fopen, mkdir, etc.
For these categories, it is necessary to pay attention to whether the parameters are user-controllable.
3. Upload vulnerability
The upload vulnerability is also a key point of focus. Its processing flow must be carefully analyzed. There are many ways to bypass the upload. The safest way is to use a random file name when saving the file. and suffix whitelist mode. The second thing to note is that there may be more than one place to upload files. Don't miss anything. You may encounter a situation where a third-party editor is suddenly included in a certain directory.
The functions involved in file inclusion vulnerabilities such as include(), include_once(), require(), require_once(), file_get_contents(), etc.
The most common ones are the download file function functions, such as download.php?file=. ./../../etc/passwd in this type.
4. Permission bypass
Permission bypass can be divided into two categories
(1) Unauthorized access to background files. The background file does not contain session verification, so this problem is prone to occur
(2) User isolation is not implemented. For example, mail.php?id=23 displays your mail, then change the ID, mail.php?id= I saw other people's letters at 24. It is convenient to write code. The letters are stored in a data table, and the IDs are uniformly numbered. When displayed on the front end, you only need to click on the ID to retrieve them. However, user isolation and ownership are not determined, which can easily lead to unauthorized access. .
Examples like this are very common. This kind of vulnerability is often discovered when doing evaluations for a certain bank.
5. Information leakage
Information leakage is considered a relatively low-risk vulnerability. For example, directory listing is a deployment issue and has nothing to do with code auditing. However, path exposure and source code exposure need to be prevented. I once encountered code like this
On the surface it seems to be fine, but when the request changes to xx.php?a[ ]=1, that is, when the parameter becomes an array, an error will occur and the path will be leaked, but it will not be judged by isset. Of course, it is too troublesome to prevent each one. It is recommended to turn off the error prompt in the configuration file, or in the public file Add the following code to turn off the error display function:
There was an article on PHP Diandiantong (phpddt.com) before: About PHP vulnerability prevention strategies, which introduced the harm of register_globals and instructions for using Magic Quotes.
The above introduces the vulnerabilities of PHP and how to prevent PHP vulnerabilities? , including relevant content, I hope it will be helpful to friends who are interested in PHP tutorials.
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
