最新消息:
    你的位置:jinglingshu的博客 > php安全 > 创建高安全性PHP网站的几个实用要点

    创建高安全性PHP网站的几个实用要点

    php安全 admin 1497浏览 0评论

    大家都知道PHP已经是当前最流行的Web应用编程语言了。但是也与其他脚本语言一样,PHP也有几个很危险的安全漏洞。所以在这篇教学文章中,我们将大致看看几个实用的技巧来让你避免一些常见的PHP安全问题。

    kkk

    技巧1:使用合适的错误报告

    一般在开发过程中,很多程序员总是忘了制作程序错误报告,这是极大的错误,因为恰当的错误报告不仅仅是最好的调试工具,也是极佳的安全漏洞检测工具,这能让你把应用真正上线前尽可能找出你将会遇到的问题。
    当然也有很多方式去启用错误报告。比如在 php.in 配置文件中你可以设置在运行时启用
    启动错误报告
    error_reporting(E_ALL);
    停用错误报告
    error_reporting(0);
    技巧2:不使用PHP的Weak属性
    有几个PHP的属性是需要被设置为OFF的。一般它们都存在于PHP4里面,而在PHP5中是不推荐使用的。尤其最后在PHP6里面,这些属性都被移除了。
    注册全局变量
    当 register_globals 被设置为ON时,就相当于设置Environment,GET,POST,COOKIE或者Server变量都定义为全局变量。此时你根本不需要去写 $_POST[‘username’]来获取表单变量’username’,只需要’$username’就能获取此变量了。
    那么你肯定在想既然设置 register_globals 为 ON 有这么方便的好处,那为什么不要使用呢?因为如果你这样做将会带来很多安全性的问题,而且也可能与局部变量名称相冲突。
    比如先看看下面的代码:
    if( !empty( $_POST['username'] ) && $_POST['username'] == ‘test123′ && !empty(
    $_POST['password'] ) && $_POST['password'] == “pass123″ )

{

$access = true;

}

    如果运行期间, register_globals 被设置为ON,那么用户只需要传输 access=1 在一句查询字符串中就能获取到PHP脚本运行的任何东西了。

    在.htaccess中停用全局变量
    php_flag register_globals 0
    在php.ini中停用全局变量
    register_globals = Off
    停用类似 magic_quotes_gpc, magic_quotes_runtime, magic_quotes_sybase 这些Magic Quotes
    在.htaccess文件中设置
    php_flag magic_quotes_gpc 0

php_flag magic_quotes_runtime 0
    在php.ini中设置
    magic_quotes_gpc = Off

magic_quotes_runtime = Off

magic_quotes_sybase = Off
    技巧3:验证用户输入
    你当然也可以验证用户的输入,首先必须知道你期望用户输入的数据类型。这样就能在浏览器端做好防御用户恶意攻击你的准备。
    技巧4:避免用户进行交叉站点脚本攻击
    在Web应用中,都是简单地接受用户输入表单然后反馈结果。在接受用户输入时,如果允许HTML格式输入将是非常危险的事情,因为这也就允许了 JavaScript以不可预料的方式侵入后直接执行。哪怕只要有一个这样漏洞,cookie数据都可能被盗取进而导致用户的账户被盗取。
    技巧5:预防SQL注入攻击
    PHP基本没有提供任何工具来保护你的数据库,所以当你连接数据库时,你可以使用下面这个mysqli_real_escape_string 函数。
    $username = mysql_real_escape_string( $GET['username'] );
mysql_query( “SELECT * FROM tbl_employee WHERE username = ’”.$username.“‘”);
    好了,在这篇简短的文章中,我们阐述了几个开发过程中不能忽视的PHP安全性问题。但是最终是否使用,如何使用还是开发人员来决定的。希望这篇文章能帮助到你们。
    英文:Useful Tips for Creating Secure PHP Applications

    Useful Tips for Creating Secure PHP Applications

    Currently PHP is one of the most popular programming languages for the web. But like other scripting languages, PHP also has few security holes that can make our application insecure. In this tutorial, we will take a look at useful tips to help you avoid some common PHP security problems.

    Tip 1: Use Proper Error Reporting

    During development we often forget to make error reporting on which means weak levels of error reporting in development environments, which is unfortunate, because proper error reporting is not only one of the best debugging tools available to a developer, but also an excellent way to reveal significant security flaws in code before they become a threat in the real world.

    There are many ways to enable error reporting. you can enable error reporting from inside the configuration file php.ini or you can set it at runtime.

    Enabling Error Reporting

    1. error_reporting(E_ALL);

    Disabling Error Reporting

    1. error_reporting(0);

    Tip 2: Disable PHP’s weak Features

    There are few PHP’s features that’s need to be set OFF. These features are exists in PHP4 applications and are only deprecated in PHP5 applications. But finally removed in the upcoming PHP6.

    Register Globals (register_globals)

    Actaully when register_globals is set to ON. it registers Environment, GET, POST, COOKIE or Server variables as global variables. you don’t need to write $_POST[‘username’] to access the posted ‘username’ variable you can simply use ‘$username’ to access the $_POST[‘username’].

    Now you will be thinking that making register_globals on is easy for us why not to use? Yes it is easy for you but it creates many security hole in your application and also creates the conflicts between variables.

    Below is the common example you will see in PHP scripts:

    1. if( !empty( $_POST[‘username’] ) && $_POST[‘username’] == ‘test123′ && !empty( $_POST[‘password’] ) && $_POST[‘password’] == “pass123″ )
    2. {
    3. $access = true;
    4. }

    If the application is running with register_globals ON, a user could just place access=1 into a query string, and would then have access to whatever the script is running.

    Register Globals Disabling with .htaccess

    1. php_flag register_globals 0

    Disabling with php.ini

    1. register_globals = Off
    Disable Magic Quotes like magic_quotes_gpc, magic_quotes_runtime, magic_quotes_sybase

    Magic Quotes is a feature meant to save programmers the trouble of using addslashes() and other similar security features in their code. But It is recommended that you disable this
    feature and use proper variable validation instead

    Disabling with .htaccess

    1. php_flag magic_quotes_gpc 0
    2. php_flag magic_quotes_runtime 0

    Disabling with php.ini

    1. magic_quotes_gpc = Off
    2. magic_quotes_runtime = Off
    3. magic_quotes_sybase = Off

    Tip 3: Validate User Input

    You can also validate user input. you actually already

    know what kind of data you are expecting on input. So the simplest way
    to protect yourself against attacks is to make sure your users can only
    enter the appropriate data.

    Tip 4: Avoid Cross Site Scripting Attacks in User Input

    In our web application we simply accepts input from users and displays it in some way. During accepting input, allowing HTML can be a dangerous thing, because that allows for JavaScript to be executed in unintended ways. If even one hole is left open, JavasScript can be executed and cookies could be hijacked. This cookie data could then be used to fake a real account and give an illegal user access to the website’s data. There are a few ways you can protect yourself from such attacks. first way ia to disallow HTML because then there is no possible way to allow any JavaScript to execute.

    Tip 5: Protect you database against SQL Injection

    SQL injection is a well know security attacks on the web. Actually SQL injection attacks occur when data goes unchecked and the application does not escape characters used in SQL strings such as single quotes (‘) or double quotes (“).

    But PHP offers few tool to help protect your database input. when you connect with database, you can use these functions. The mysqli_real_escape_string function is used when connected to the database.

    1. $username = mysqli_real_escape_string( $GET[‘username’] );
    2. mysql_query( “SELECT * FROM tbl_employee WHERE username = ’”.$username.“‘”);

    In this brief note, I have just explain few major security hole that we often ignore in PHP Application development. But it is totally up to the developer that they make themesleves aware about web security and most common attacks. Hope it will be helpful for you. Please don’t forget to share your useful comments with us. Thanks!

    转载请注明:jinglingshu的博客 » 创建高安全性PHP网站的几个实用要点

    与本文相关的文章

    发表我的评论
    取消评论

    表情

    Hi,您需要填写昵称和邮箱!

    • 昵称 (必填)
    • 邮箱 (必填)
    • 网址