PHP安全性漫谈之PHP安全性设置
PHP安全性漫谈之PHP安全性设置
服务器并不能阻止所有的安全问题,例如程序漏洞问题、用户输入表单问题、PHP文件权限问题等。也可以通过一些手段来迷惑黑客或者别有用心者。
1、程序代码漏洞问题
很多 PHP 程序所存在的重大弱点并不是 PHP 语言本身的问题,而是编程者的安全意识不高而导致的。因此,必须时时注意每一段代码可能存在的问题,去发现非正确数据提交时可能造成的影响。
unlink ($evil_var); fwrite ($fp, $evil_var); system ($evil_var); exec ($evil_var);
必须时常留意你的代码,以确保每一个从客户端提交的变量都经过适当的检查,然后问自己以下一些问题:
- 此脚本是否只能影响所预期的文件?
- 非正常的数据被提交后能否产生作用?
- 此脚本能用于计划外的用途吗?
- 此脚本能否和其它脚本结合起来做坏事?
- 是否所有的事务都被充分记录了?
在写代码的时候问自己这些问题,否则以后可能要为了增加安全性而重写代码了。注意了这些问题的话,也许还不完全能保证系统的安全,但是至少可以提高安全性。
还可以考虑关闭 register_globals,magic_quotes 或者其它使编程更方便但会使某个变量的合法性,来源和其值被搞乱的设置。
2、用户输入表单问题
验证用户输入的任何数据,保证PHP代码的安全。
注意1:JS只是为了提高来访用户的体验而产生的,而不是验证的工具。因为任何一个来访的用户都可能会,也有可能无意间就禁用了客户端脚本的执行,从而跳过这层验证。所以我们必须在PHP的服务器端程序上检验这些数据。
注意2:不要使用$_SERVER['HTTP_REFERER']这个超级变量来检查数据的来源地址,一个很小的菜鸟黑客都会利用工具来伪造这个变量的数据,尽可能利用Md5,或者rand等函数来产生一个令牌,验证来源的时候,验证这个令牌是否匹配。
3、PHP文件权限问题
PHP 被设计为以用户级别来访问文件系统,所以完全有可能通过编写一段 PHP 代码来读取系统文件如 /etc/passwd,更改网络连接以及发送大量打印任务等等。因此必须确保 PHP 代码读取和写入的是合适的文件。 请看下面的代码,用户想要删除自己主目录中的一个文件。假设此情形是通过 web 界面来管理文件系统,因此 Apache 用户有权删除用户目录下的文件。
$username = $_POST['user_submitted_name'];
$homedir = "/home/$username";
$file_to_delete = "$userfile";
unlink ("$homedir/$userfile");
echo "$file_to_delete has been deleted!";
既然 username 变量可以通过用户表单来提交,那就可以提交别人的用户名和文件名,并删除该文件。这种情况下,就要考虑其它方式的认证:
- 只给 PHP 的 web 用户很有限的权限。
- 检查所有提交上来的变量。
以下是更加安全的文件名和变量的验证和检查:
$username = $_SERVER['REMOTE_USER']; $homedir = "/home/$username"; if (!ereg('^[^./][^/]*$', $userfile)) die('bad filename'); if (!ereg('^[^./][^/]*$', $username)) die('bad username');
4、隐藏PHP扩展名
一般而言,通过隐藏的手段提高安全性被认为是作用不大的做法。但某些情况下,尽可能的多增加一份安全性都是值得的。
一些简单的方法可以帮助隐藏 PHP,这样做可以提高攻击者发现系统弱点的难度。在 php.ini 文件里设置 expose_php = off ,可以减少他们能获得的有用信息。
另一个策略就是让 web 服务器用 PHP 解析不同扩展名。无论是通过 .htaccess 文件还是 Apache 的配置文件,都可以设置能误导攻击者的文件扩展名:
# 使PHP看上去像其它的编程语言 AddType application/x-httpd-php .asp .py .pl # 使 PHP 看上去像未知的文件类型 AddType application/x-httpd-php .bop .foo .133t # 使 PHP 代码看上去像 HTML 页面 AddType application/x-httpd-php .htm .html
要让此方法生效,必须把 PHP 文件的扩展名改为以上的扩展名。这样就通过隐藏来提高了安全性,虽然防御能力很低而且有些缺点。
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1666
14
1425
52
1327
25
1273
29
1252
24
php CodeIgniter Security Guide: Protect your website from attacks
Feb 19, 2024 pm 06:21 PM
1. Use the latest version of CodeIgniter The CodeIgniter team regularly releases security patches and updates to fix known vulnerabilities. Therefore, it is important to ensure that you are always using the latest version of CodeIgniter. You can download the latest version by visiting CodeIgniter’s official website. 2. Enforce the use of secure connections (HTTPS) https can encrypt the data passed between your website and users, making it more difficult for malicious users to intercept and steal. You can enable HTTPS by installing an SSL certificate on your server. 3. Avoid using default configurations CodeIgniter provides many default configurations to simplify the development process. However, these default configurations may not
Website security development practices: How to prevent XML external entity attacks (XXE)
Jun 29, 2023 am 08:51 AM
Website Security Development Practice: How to Prevent XML External Entity Attacks (XXE) With the development of the Internet, websites have become an important way for people to obtain and share information. However, the risks that come with it are also increasing. One of them is XML External Entity Attack (XXE), which is an attack method that exploits vulnerabilities in XML parsers. In this article, we will explain what an XXE attack is and how to prevent it. 1. What is XML External Entity Attack (XXE)? XML external entity attack (XXE) is a
Website security development practices: How to prevent SSRF attacks
Jun 29, 2023 am 11:58 AM
Website Security Development Practice: How to Prevent SSRF Attacks With the rapid development of the Internet, more and more companies and individuals choose to move their business to the cloud, and website security issues have also attracted increasing attention. One of the common security threats is SSRF (Server-SideRequestForgery, server-side request forgery) attack. This article will introduce the principles and harms of SSRF attacks, and provide some common preventive measures to help developers strengthen the security of their websites. The principles and dangers of SSRF attacks
Using ThinkPHP6 to implement website security detection
Jun 20, 2023 am 09:03 AM
With the continuous development of the Internet, more and more websites have emerged, but at the same time, website security problems have become more and more serious. Security vulnerabilities such as hacker attacks, malware, and SQL injection cause headaches for website operators. In order to ensure the security of the website, security testing during website construction and operation is also particularly important. This article will introduce how to use ThinkPHP6 to implement website security detection and help website operators further improve website security. 1. What is ThinkPHP6? ThinkPHP6 is a PH
Detailed explanation of the impact of Discuz canceling the verification code function on website security
Mar 11, 2024 am 10:45 AM
"Discussion on the Impact of Discuz's Canceling the Verification Code Function on Website Security" With the rapid development of the Internet, website security issues have become increasingly prominent. As a common security verification mechanism, verification code is widely used on websites. However, some websites may cancel the verification code function in order to improve user experience. Will this have a negative impact on website security? This article will discuss the impact of Discuz's cancellation of verification code function on website security and provide specific code examples. 1. The function and principle of verification code Verification code (CAP)
Use Pagoda Panel for HTTPS upgrade to improve website security
Jun 21, 2023 am 10:15 AM
With the development of the Internet, websites have become an important channel for enterprises to display their image and communicate with the outside world. However, the network security issues that come with it are indeed worrying. Many website administrators may already be aware of the importance of protecting user data and transaction information by using the HTTPS protocol, but may not yet have a good understanding of how to implement HTTPS upgrades. This article will introduce how to use the Pagoda Panel to upgrade HTTPS and improve the security of the website. 1. What is HTTPS? HTTP is Hypertext Transfer Protocol, a
PHP Firewall Implementation: Website Security Architecture Design Guide
Jun 30, 2023 pm 06:57 PM
Website Security Architecture Design Guide: Implementation of PHP Firewall Introduction: In today's Internet era, website security problems are becoming increasingly serious. Hackers are constantly using loopholes to invade websites, steal user information or disrupt the normal operation of the website. In order to protect the privacy and security of the website and its users, it is crucial to establish a reliable security architecture. This article will focus on the implementation of PHP firewall and provide guidance for website security architecture. 1. What is a PHP firewall? The PHP firewall is a security measure that blocks malicious attacks and intrusions by filtering
PHP website security and protection measures
May 04, 2024 pm 10:48 PM
PHP website security measures include: Preventing SQL injection: using prepared statements or escaping user input. Prevent XSS: Escape user input. Prevent CSRF: Use CSRF tokens. Prevent buffer overflow: Set the maximum input length. Stay updated, use security frameworks, enable firewalls, monitor websites, conduct security audits.
