学习PHP精粹,编写高效PHP代码之安全性
一、过滤输入、避免输出
有时我们将短语“过滤输入、避免输出”缩写为FIEO,这已成为PHP应用程序的安全真言。
1、利用ctype进行验证
ctype:http://php.net/ctype
2、利用PCRE(Perl兼容的正则表达式)进行验证
PCRE:http://php.net/pcre
二、跨站脚本
跨站脚本通常简称为XSS,攻击载体以在应用程序输出中由用户提供的变量所在位置为目标,但该变量没有适当地转义。这允许攻击者注入他们选择的一个客户端脚本作为这个变量值的一部分。下面是代码受到这种类型攻击的示例:
<span><</span><span>form </span><span>action</span><span>="<?php echo $_SERVER['PHP_SELF'];?>"</span><span>></span>
<span><</span><span>input </span><span>type</span><span>="submit"</span><span> value</span><span>="submit"</span> <span>/></span>
<span></</span><span>form</span><span>></span>在线资源:
1、http://ha.ckers.org/xss.html
2、http://shiflett.org/articles/cross-site-scripting
3、http://seancoates.com/blogs/xss-woes
三、伪造跨站脚本
比方说,某个攻击者想从一个流行的在线商店中得到一个昂贵的商品而不用付钱。相反,他们想让一个毫不知情的受害者支付这笔金额。他们选择的武器是:一个伪造的跨站请求。这种攻击类型的目标就是让受害者发送一个请求到某个特定的网站,从而利用受害者在该网站已经注册的身份信息。
在线资源:
1、http://shiflett.org/articles/cross-site-request-forgeries
2、http://shiflett.org/articles/foiling-cross-site-attacks
四、会话固定
如前所示,用户会话是一个经常受到攻击的目标,这种对潜在的受害者和目标网站的识别能力使得一些攻击有机可乘。这里有3种攻击者获得有效会话标示符的方法。按难度顺序排列,它们分别是:
1、固定
2、捕获
3、预测
在线资源:
1、http://shiflett.org/articles/session-fixation
2、http://phpsec.org/projects/guide/4.html#4.1
3、http://www.owasp.org/index.php/Session_fixation
五、会话劫持
会话劫持这个词有些难懂,因为我们用它描述两件事情:
1、导致攻击者得以进入网站上与受害者账户相关联的会话,而不管他如何获取访问权的任何类型的攻击。
2、需要捕获一个已建立的会话标识符,而不是通过固定技术或预测取得会话标识符的特定类型攻击。
在线资源:
1、http://shiflett.org/articles/session-hijacking
2、http://shiflett.org/articles/the-truth-about-sessions
3、http://phpsec.org/projects/guide/4.html#4.2
六、SQL注入
这种类型攻击的性质与前面所讲过的“过滤输入、避免输出”有关。基本上,SQL注入非常类似于XSS,在XSS中,攻击对象使得应用程序认为用户输入的含义超过了它所代表的数据。XSS的目的是让那些输入作为客户端代码而被执行;而SQL注入的目的是让这些输入被认为是一个SQL查询,或者是查询的一部分。
在线资源:
1、http://shiflett.org/articles/sql-injection
2、http://phpsec.org/projects/guide/3.html#3.2
七、储存密码
在Web应用程序能有效处理数据库查询中用户输入的情况下,攻击者需使用更广泛的手段访问用户账户。一般来说,其中也包括获取受害者的访问凭证来访问他们的数据。
其中一个实现方法便是强行进入Web应用程序使用的数据库服务器。根据你使用何种数据库、数据库如何配置等相关信息,攻击者有很多的侵入方法。
在线资源:
1、http://php.net/mcrypt
2、http://www.openwall.com/phpass/
3、http://codahale.com/how-to-safely-store-a-password/
八、暴力破解攻击
对攻击者而言,侵入数据库或解密加密的密码技术门槛过高。在这种情况下,攻击者可能尝试使用一个脚本,模拟一个正常用户使用浏览器登录到Web应用程序的HTTP请求,他们用给定用户名和随机密码尝试登入,直到找到正确的密码。这种方式成为“暴力破解攻击”。
在线资源:
1、https://www.owasp.org/index.php/Brute_force_attack
2、http://en.wikipedia.org/wiki/Brute-force_attack
九、SSL
在线资源:
1、http://arst.ch/bgm
2、http://www.owasp.org/index.php/SSL_Best_Practices
PHP安全相关资源:
1、http://www.php.net/manual/en/security.php PHP手册中有关于各种安全问题的章节
2、http://phpsecurity.org/ 这是《Essential PHP Security》一书的相关网站
3、http://phpsec.org/projects/guide/ PHP安全协会的项目之一就是《PHP Security Guide》
4、http://www.enigmagroup.org/ 该网站提供了针对Web应用程序和论坛的许多潜在攻击载体的相关信息和实用练习。
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
PHP and Python: Comparing Two Popular Programming Languages
Apr 14, 2025 am 12:13 AM
PHP and Python each have their own advantages, and choose according to project requirements. 1.PHP is suitable for web development, especially for rapid development and maintenance of websites. 2. Python is suitable for data science, machine learning and artificial intelligence, with concise syntax and suitable for beginners.
PHP: A Key Language for Web Development
Apr 13, 2025 am 12:08 AM
PHP is a scripting language widely used on the server side, especially suitable for web development. 1.PHP can embed HTML, process HTTP requests and responses, and supports a variety of databases. 2.PHP is used to generate dynamic web content, process form data, access databases, etc., with strong community support and open source resources. 3. PHP is an interpreted language, and the execution process includes lexical analysis, grammatical analysis, compilation and execution. 4.PHP can be combined with MySQL for advanced applications such as user registration systems. 5. When debugging PHP, you can use functions such as error_reporting() and var_dump(). 6. Optimize PHP code to use caching mechanisms, optimize database queries and use built-in functions. 7
PHP in Action: Real-World Examples and Applications
Apr 14, 2025 am 12:19 AM
PHP is widely used in e-commerce, content management systems and API development. 1) E-commerce: used for shopping cart function and payment processing. 2) Content management system: used for dynamic content generation and user management. 3) API development: used for RESTful API development and API security. Through performance optimization and best practices, the efficiency and maintainability of PHP applications are improved.
What is Cross-Site Request Forgery (CSRF) and how do you implement CSRF protection in PHP?
Apr 07, 2025 am 12:02 AM
In PHP, you can effectively prevent CSRF attacks by using unpredictable tokens. Specific methods include: 1. Generate and embed CSRF tokens in the form; 2. Verify the validity of the token when processing the request.
PHP's Purpose: Building Dynamic Websites
Apr 15, 2025 am 12:18 AM
PHP is used to build dynamic websites, and its core functions include: 1. Generate dynamic content and generate web pages in real time by connecting with the database; 2. Process user interaction and form submissions, verify inputs and respond to operations; 3. Manage sessions and user authentication to provide a personalized experience; 4. Optimize performance and follow best practices to improve website efficiency and security.
PHP vs. Python: Understanding the Differences
Apr 11, 2025 am 12:15 AM
PHP and Python each have their own advantages, and the choice should be based on project requirements. 1.PHP is suitable for web development, with simple syntax and high execution efficiency. 2. Python is suitable for data science and machine learning, with concise syntax and rich libraries.
The Future of PHP: Adaptations and Innovations
Apr 11, 2025 am 12:01 AM
The future of PHP will be achieved by adapting to new technology trends and introducing innovative features: 1) Adapting to cloud computing, containerization and microservice architectures, supporting Docker and Kubernetes; 2) introducing JIT compilers and enumeration types to improve performance and data processing efficiency; 3) Continuously optimize performance and promote best practices.
PHP vs. Other Languages: A Comparison
Apr 13, 2025 am 12:19 AM
PHP is suitable for web development, especially in rapid development and processing dynamic content, but is not good at data science and enterprise-level applications. Compared with Python, PHP has more advantages in web development, but is not as good as Python in the field of data science; compared with Java, PHP performs worse in enterprise-level applications, but is more flexible in web development; compared with JavaScript, PHP is more concise in back-end development, but is not as good as JavaScript in front-end development.
