安全技巧-如何编写安全的PHP代码
作为网站的所有者或从业者无不希望自己的网站可以安全的运营,然而很多时候网站开发时的一点小疏忽,很可能成为网站巨大的安全隐患。如今web开发的工具和语言有很多,PHP便是其中一种。PHP语言本身具有无可比拟的安全特征,但却没有引起广大网站开发者的重视。网站安全可以保证企业员工敏感数据的安全,甚至能有效的阻止服务器遭劫持等问题。以下笔者将对使用PHP开发时的几点建议和大家讨论,希望可以带给用户一些帮助。
首先,最重要的事情就是要弄清各种变量和用户输入数据。许多你不曾注意的变量本身很可能成为恶意软件程序传播感染的极佳途径。我们可以假设在你的网站上存在一些不是太安全的代码,但却运行正常。攻击者发掘这些漏洞后可以肆无忌惮的在你的网站中进行破坏活动。不要小看这些不起眼的变量名,这些漏洞一旦被黑客利用,其不仅仅是删除文件而且删除整个密码系统或其它敏感信息,最终可能对服务器的正常运转造成巨大的伤害。
网站管理员对所有从外部输入的文件必须检查其内容是否存在恶意代码,同时数据库安全也是至关重要的。数据库安全必将涉及很多SQL注入等攻击方式,这里不做详细阐述,用户如果希望了解数据库安全信息,我会按需求详细介绍。
Magic Quotes
Magic Quotes在处理用户文件输入时非常好用。当这个选项开启之后(位于你的php.ini文件中)它将会把所有的单引号和双引号区分开,也可以将NULL字节从用户的输入信息中分开。当开启Magic Quote时的一个问题是你是否希望你的用户进行引号过滤。如果你关闭Magic Quote的话可以在“runtime”中分析到用户输入数据的字符串。
如果你对PHP还不熟悉,我建议你开启这一功能直到你学会了怎么样分析和表现用户输入的数据。我个人建议使用我编写的“清除”功能。我将会给你提供一个模板,这样你就可以自己编写一个清除功能了。
|
function clean($string) { $string = stripslashes($string); $string = htmlentities($string); $string = strip_tags($string); return $string; } ?> |
如果你的用户正在提交一个需要用户名验证的form时,你可以使用如下的功能:
|
$username = $_POST[username]; echo clean($mystring); ?> |
对于这个Magic Quote来说,有3种指令来实现。你可以参考php.net网站或是php manual。这三种指示基本上就是magic_quotes_gpc,这些用来处理访问请求(get,post,cookies)。magic_quotes_runtime用来处理文件和数据库,外部文件。第三种就是magic_quotes_sybase,如果它被激活的话就会直接废掉magic_quotes_gpc。
通过朦胧而获得的安全
最近你可能没有注意到,但是我发现在一些网站上的PHP语言中可以找得到ASP (Active Server Page 动态服务器主页)或是PERL(一种GGI脚本语言)扩展语言,我们可以100%肯定这个网站使用的正是PHP/SQL为基础的架构。这是一种典型的迷惑式安全策略,而不是告诉黑客你使用的正是PHP脚本从而误导他们以为你运行的是PERL或python或是其它任何脚本语言。
例如,你可以使用php扩展运行php脚本,就和一般情况下一样。为了不让别人看到你的"hello.php"脚本,你实际上使用Apache来隐藏或是迷惑真正的文件扩展名。因此不是使用的"hello.php"扩展名,你可以将这些文件伪装成PERL语言,你的"hello.php"仍然是PHP脚本。就像下面一样:
[quote]AddType application/x-httpd-php .asp .py .pl[/quote]
我最喜欢的就是编一个文件扩展名, 譬如 .sun 或 .fuck
[quote]AddType application/x-httpd-php .sun .fuck .1e3t[/quote]
我确信当黑客在碰到看似是运行php文件的。Sun文件的时候会急于发动攻击,后果可想而知。试一下就知道了。上面的代码使用于Apache配置文件,如果你是在一台共享的主机上的话你就不会访问到Apache配置文件。
Register Globals
当Global4.2版本出现时PHP发生很大的变化。对于php.ini文件中的INI文件来说这是一个开或闭的选择,PHP并不是逼你采用类似其它语言一样的原始参数,正因为如此,人们将它看作是一种不安全的语言。当register globals开启的时候,它就会允许设置参数的请求。最好的例子就是用户注册形式。我们假设register globals开启:
|
if($authed = true) { echo "my sensitive information"; } ?> |
任何用户都可以通过发送GET请求访问敏感信息。你可以通过telnet(用于远程联接服务的标准协议或者实现此协议的软件远程登录)或是浏览器,譬如sin.php?authed=true,这样就会显示敏感信息。如果我们将其关闭,就会阻止这一问题,现在当我们访问sin.php?authed=true页面的时候,就会一片空白。用户不能从外部来源初始化变量。另外一个保护你的变量免于外部来源影响的一个办法就是检查它们是否是通过GET或是POST请求。
|
$authed = true; if(isset($_POST[authed]) || $_GET[authed]) { echo "variable violation"; } else { if($authed == true) { echo "my sensitive information"; } } ?> |
通过监控GET或是POST请求我们就可以检查到是否有人在我们的变量中注入什么东西。接下来我们收到的消息不仅包括他们已经破坏了变量,还可以及时通知管理员做出应急措施。
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1669
14
1428
52
1329
25
1273
29
1256
24
PHP: A Key Language for Web Development
Apr 13, 2025 am 12:08 AM
PHP is a scripting language widely used on the server side, especially suitable for web development. 1.PHP can embed HTML, process HTTP requests and responses, and supports a variety of databases. 2.PHP is used to generate dynamic web content, process form data, access databases, etc., with strong community support and open source resources. 3. PHP is an interpreted language, and the execution process includes lexical analysis, grammatical analysis, compilation and execution. 4.PHP can be combined with MySQL for advanced applications such as user registration systems. 5. When debugging PHP, you can use functions such as error_reporting() and var_dump(). 6. Optimize PHP code to use caching mechanisms, optimize database queries and use built-in functions. 7
PHP and Python: Comparing Two Popular Programming Languages
Apr 14, 2025 am 12:13 AM
PHP and Python each have their own advantages, and choose according to project requirements. 1.PHP is suitable for web development, especially for rapid development and maintenance of websites. 2. Python is suitable for data science, machine learning and artificial intelligence, with concise syntax and suitable for beginners.
PHP in Action: Real-World Examples and Applications
Apr 14, 2025 am 12:19 AM
PHP is widely used in e-commerce, content management systems and API development. 1) E-commerce: used for shopping cart function and payment processing. 2) Content management system: used for dynamic content generation and user management. 3) API development: used for RESTful API development and API security. Through performance optimization and best practices, the efficiency and maintainability of PHP applications are improved.
The Enduring Relevance of PHP: Is It Still Alive?
Apr 14, 2025 am 12:12 AM
PHP is still dynamic and still occupies an important position in the field of modern programming. 1) PHP's simplicity and powerful community support make it widely used in web development; 2) Its flexibility and stability make it outstanding in handling web forms, database operations and file processing; 3) PHP is constantly evolving and optimizing, suitable for beginners and experienced developers.
PHP and Python: Different Paradigms Explained
Apr 18, 2025 am 12:26 AM
PHP is mainly procedural programming, but also supports object-oriented programming (OOP); Python supports a variety of paradigms, including OOP, functional and procedural programming. PHP is suitable for web development, and Python is suitable for a variety of applications such as data analysis and machine learning.
PHP vs. Other Languages: A Comparison
Apr 13, 2025 am 12:19 AM
PHP is suitable for web development, especially in rapid development and processing dynamic content, but is not good at data science and enterprise-level applications. Compared with Python, PHP has more advantages in web development, but is not as good as Python in the field of data science; compared with Java, PHP performs worse in enterprise-level applications, but is more flexible in web development; compared with JavaScript, PHP is more concise in back-end development, but is not as good as JavaScript in front-end development.
PHP and Python: Code Examples and Comparison
Apr 15, 2025 am 12:07 AM
PHP and Python have their own advantages and disadvantages, and the choice depends on project needs and personal preferences. 1.PHP is suitable for rapid development and maintenance of large-scale web applications. 2. Python dominates the field of data science and machine learning.
PHP: Handling Databases and Server-Side Logic
Apr 15, 2025 am 12:15 AM
PHP uses MySQLi and PDO extensions to interact in database operations and server-side logic processing, and processes server-side logic through functions such as session management. 1) Use MySQLi or PDO to connect to the database and execute SQL queries. 2) Handle HTTP requests and user status through session management and other functions. 3) Use transactions to ensure the atomicity of database operations. 4) Prevent SQL injection, use exception handling and closing connections for debugging. 5) Optimize performance through indexing and cache, write highly readable code and perform error handling.
