
PHP security basics

This material is for novice programmers.

Demonstration of errors


Why do I so often see, on visiting some site, something like this:
Warning: Use of undefined LOCAL_SERVER - assumed 'LOCAL_SERVER' in /web/includes/page-definitions.php on line 13

This is one of PHP's standard errors, and it is a) ugly for the user and b) potentially dangerous, since it shows the visitor the server's file paths and code structure.
Therefore errors need to be intercepted and handled in an orderly way.

First, the error_reporting function lets us decide which errors we want to see.
In principle it would be enough to turn off the display of all errors (error_reporting(0)), but that is not what we need, because we do want to know about errors.
The constant covering all errors is E_ALL.
In the fifth version the constant E_STRICT appeared, which enables strict notices about the code.
It is of course desirable to see them, but they are not included in E_ALL, so we use the numerical value error_reporting(8191), which covers everything up to the new errors of the sixth version.

Note for the curious: error_reporting(E_ALL | E_STRICT) is not suitable, because PHP 4 would then complain that it does not know what E_STRICT is. The numerical value causes no such problem.


We add a check on the DEBUG constant, set in the config, and, using set_error_handler, we catch errors in the already running service. By the way, your error handler should return true, otherwise PHP will also report the error in its standard way.

Result:
(As for comparing a variable against five values, I am not sure which method to choose: in_array is prettier but much slower, and a switch/case is faster but rather ugly. Beauty is a matter of taste...)
	<?php

		error_reporting(8191);
		if (!DEBUG)	// DEBUG is defined in the config
		{
			function errorHandler ($errno, $errstr, $errfile, $errline)
			{
				// Record the error ourselves instead of showing it to the visitor.

				if	($errno == E_ERROR ||
					$errno == E_PARSE ||
					$errno == E_CORE_ERROR ||
					$errno == E_COMPILE_ERROR ||
					$errno == E_USER_ERROR)
				{
					// Fatal class of error: stop and show the user a friendly message.

				}
				return true;	// handled: PHP's standard output is suppressed
			}
			set_error_handler('errorHandler');
		}
	?>
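The handler above has one blind spot worth knowing about: PHP never passes E_ERROR, E_PARSE, E_CORE_ERROR or E_COMPILE_ERROR to a user handler, so those branches can only ever fire for E_USER_ERROR. The following is an added example, not the article's code, showing the same idea on current PHP (where E_ALL already includes E_STRICT, so the numeric 8191 is no longer needed): details go to the log, the browser gets a generic message, and a shutdown function picks up the fatal errors the handler cannot see. DEBUG is assumed to come from the application's config; a default is supplied so the script runs on its own.

```php
<?php
// Added example (not the article's code): log full details server-side, show the
// visitor only a generic message unless DEBUG is on. DEBUG is assumed to be
// defined in the application's config; a default is supplied so this runs alone.
declare(strict_types=1);

if (!defined('DEBUG')) {
    define('DEBUG', false);
}

error_reporting(E_ALL);                        // on PHP >= 5.4 this already covers E_STRICT
ini_set('display_errors', DEBUG ? '1' : '0');  // paths and line numbers never reach the browser
ini_set('log_errors', '1');                    // ...but they still go to the error log

function appErrorHandler(int $errno, string $errstr, string $errfile, int $errline): bool
{
    if (!(error_reporting() & $errno)) {
        return true;                           // silenced with @ or filtered out by the mask
    }
    error_log(sprintf('[%d] %s in %s:%d', $errno, $errstr, $errfile, $errline));
    if (DEBUG) {
        return false;                          // developer mode: let PHP print its standard message
    }
    if ($errno === E_USER_ERROR) {             // the only fatal-class error a user handler receives
        http_response_code(500);
        echo "Something went wrong. Please try again later.\n";
        exit(1);
    }
    return true;                               // handled: suppress PHP's own output
}
set_error_handler('appErrorHandler');

// E_ERROR, E_PARSE, E_CORE_ERROR and E_COMPILE_ERROR never reach set_error_handler();
// a shutdown function with error_get_last() is where they can still be logged.
register_shutdown_function(function (): void {
    $e = error_get_last();
    if ($e !== null && in_array($e['type'], [E_ERROR, E_PARSE, E_CORE_ERROR, E_COMPILE_ERROR], true)) {
        error_log(sprintf('FATAL [%d] %s in %s:%d', $e['type'], $e['message'], $e['file'], $e['line']));
        if (!DEBUG) {
            http_response_code(500);
            echo "Something went wrong. Please try again later.\n";
        }
    }
});

// Constructed trigger: with DEBUG off this produces a log entry and no browser output.
trigger_error('demo warning with a path in it: ' . __FILE__, E_USER_WARNING);
echo "script continues\n";
```

Run it once with DEBUG false and once with DEBUG true to see the difference: the log line is written in both cases, while the message with the file path only appears in the output in debug mode.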
	



register_globals


Since PHP 4.2.0, register_globals has been off by default.
Before that, every request variable was registered as a global variable, and PHP code such as if ($username == 'admin')… became exploitable.
Take POST, GET and COOKIE data only from the superglobals $_POST, $_GET, $_COOKIE.
Do not use import_request_variables, which reproduces the same behaviour.

With register_globals on:
	<?php
		...
		if (check_admin($..., $...))
		{
			...
			$user_level = 169;
		}
		...
		if ($user_level > 150)
		{
			echo 'Boom!';
		}
	?>

Here $user_level is never initialised (the author assumes it is 0 when check_admin fails), so a request to
foo.php?user_level=999 sets it before the script even runs and the check passes.
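The two habits that close this hole regardless of the ini setting are to initialise every variable before use and to read request data only through the superglobals. The following is an added example, not the article's code: undoRegisterGlobals() is a constructed helper for servers where the setting is still on, and check_admin() is a hypothetical stand-in for the credential check the article elides.

```php
<?php
// Added example (not the article's code): two habits that close the
// register_globals hole whatever the ini setting says. undoRegisterGlobals() is a
// constructed helper; check_admin() is a hypothetical stand-in for the article's
// elided credential check.
declare(strict_types=1);

// If register_globals is still on (PHP < 5.4), drop every global that a request
// key could have created, without touching the superglobals themselves.
function undoRegisterGlobals(): void
{
    if (!ini_get('register_globals')) {
        return;                              // off, or the setting no longer exists
    }
    $protected = ['GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST', '_SERVER', '_ENV', '_FILES', '_SESSION'];
    foreach ([$_GET, $_POST, $_COOKIE, $_REQUEST, $_SERVER, $_ENV, $_FILES] as $source) {
        foreach (array_keys($source) as $name) {
            if (!in_array((string)$name, $protected, true)) {
                unset($GLOBALS[$name]);
            }
        }
    }
}
undoRegisterGlobals();

function check_admin(string $username, string $password): bool
{
    // constructed stand-in: a real check would verify a stored password hash
    return $username === 'admin' && $password === 'correct horse';
}

$user_level = 0;                                     // explicit default: the request cannot pre-set it
$username   = (string)($_POST['username'] ?? '');    // request data only via the superglobals
$password   = (string)($_POST['password'] ?? '');

if (check_admin($username, $password)) {
    $user_level = 169;
}
if ($user_level > 150) {
    echo "admin area\n";
} else {
    echo "user level {$user_level}: no access\n";
}
```

With the explicit `$user_level = 0;` the value of `?user_level=999` in the URL no longer matters, because the script overwrites whatever register_globals may have injected before the check runs.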


SQL injection and magic_quotes



	<?php
		// vulnerable: request values are pasted straight into the query
		$user = mysql_fetch_assoc(mysql_query("SELECT * FROM `users` WHERE `username` = '{$_POST['username']}' AND `password` = '{$_POST['password']}'"));
	?>

Sending ' OR `username` = 'admin as the username is enough to log in as admin.

PHP's magic_quotes feature automatically escapes incoming data (with addslashes).
That is not 100% protection against SQL injection.

So: a) undo what magic_quotes does, and b) escape every value that goes into SQL with mysql_real_escape_string (the MySQL-aware function).

Undoing magic_quotes:
	<?php
		if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
		{
			// magic_quotes is on: strip the slashes it added, recursively
			function stripslashes_deep($value)
			{
				if (is_array($value))
				{
					$value = array_map('stripslashes_deep', $value);
				}
				elseif (!empty($value) && is_string($value))
				{
					$value = stripslashes($value);
				}
				return $value;
			}

			$_POST = stripslashes_deep($_POST);
			$_GET = stripslashes_deep($_GET);
			$_COOKIE = stripslashes_deep($_COOKIE);
		}
	?>

	


A helper that quotes values for SQL (mysql_real_escape_string needs an open MySQL connection):
	<?php
		function quote($value) {
			// numbers are passed through as they are; everything else is escaped and quoted
			if (!is_numeric($value)) {
				$value = "'".mysql_real_escape_string($value)."'";
			}
			return $value;
		}
	?>

	

Every value that goes into SQL is passed through quote:
	<?php
		$user = mysql_fetch_assoc(mysql_query('SELECT * FROM `users` WHERE `username` = '.quote($_POST['username']).' AND `password` = '.quote($_POST['password'])));
	?>
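Escaping works only as long as every single value really does go through quote(), and the mysql_* functions themselves were removed in PHP 7. The following is an added example, not the article's code, showing the same login query with prepared statements: the username is bound as a parameter, so the article's ' OR `username` = 'admin payload is compared as plain data and matches nothing. It uses an in-memory SQLite database through PDO so that it runs stand-alone; the table, the admin row and the use of password_hash() instead of a plaintext password column are all constructed here and go beyond what the article shows.

```php
<?php
// Added example (not the article's code): the login query with prepared
// statements instead of string building. Uses an in-memory SQLite database
// through PDO so it runs stand-alone; the table and its rows are constructed here.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real binding where the driver supports it

$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)');
$ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :p)');
$ins->execute([':u' => 'admin', ':p' => password_hash('correct horse', PASSWORD_DEFAULT)]);

/**
 * Returns the user row on success, null otherwise. The username is bound as a
 * parameter, so it is always compared as data and never parsed as SQL; the
 * password is checked against a hash rather than selected with the row.
 */
function findUser(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare('SELECT * FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return $row;
}

// Constructed attempts: the article's injection string as the username, then valid credentials.
$attempts = [
    ["' OR username = 'admin", 'anything'],
    ['admin', 'wrong password'],
    ['admin', 'correct horse'],
];
foreach ($attempts as [$u, $p]) {
    $row = findUser($db, $u, $p);
    printf("%-28s -> %s\n", json_encode($u), $row === null ? 'login refused' : 'logged in as ' . $row['username']);
}
```

Only the last attempt logs in. Note that is_numeric-style shortcuts are not needed here either: numbers and strings alike are bound, so the quote() helper's special case for numeric values disappears along with the escaping.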

	




Checking input: the blacklist approach, rejecting characters known to be bad:
	<?php
		if (are_bad_symbols($data)) boo();
	?>

And the whitelist approach, accepting only what is known to be good:
	<?php
		if (!all_good_symbols($data)) boo();
		// for example:
		is_numeric($data);
		preg_match('/^[a-z0-9_-]+$/i', $data);	// anchored: an unanchored /[a-z0-9_-]*/ would match any string
		...
	?>
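The whitelist approach is only as good as the pattern: a regex without anchors and with * instead of + matches the empty string at the start of any input and therefore accepts everything. The following is an added example, not the article's code: a whitelist validator with an anchored pattern and a length limit, an integer check with filter_var (stricter than is_numeric, which also accepts things like "1e3" and leading whitespace), and a few constructed inputs including a null byte and a trailing newline.

```php
<?php
// Added example (not the article's code): whitelist validation that accepts only
// the characters the application expects. The pattern is anchored; an unanchored
// /[a-z0-9_-]*/ matches the empty string at the start of ANY input.
declare(strict_types=1);

function isSafeIdentifier(string $value, int $maxLen = 32): bool
{
    // strlen counts bytes, so multibyte input cannot sneak past the length limit
    if ($value === '' || strlen($value) > $maxLen) {
        return false;
    }
    // \A and \z anchor to the absolute start and end of the string;
    // a plain $ would still allow a trailing "\n".
    return preg_match('/\A[a-z0-9_-]+\z/i', $value) === 1;
}

function isSafeInteger(string $value, int $min, int $max): bool
{
    $n = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $n !== false;   // "1e3", " 7" and "0x1A" are all rejected here although is_numeric() may accept them
}

// Constructed inputs with the verdict we expect from isSafeIdentifier()
$samples = [
    'news_2024'     => true,
    ''              => false,   // empty
    "page\0.php"    => false,   // null byte is rejected outright, not silently cut off
    '../etc/passwd' => false,   // path characters are simply not in the allowed set
    "module\n"      => false,   // trailing newline: passes an unanchored or $-anchored check
];
foreach ($samples as $input => $expected) {
    $ok = isSafeIdentifier((string)$input);
    printf("%-20s -> %-6s %s\n", json_encode((string)$input), $ok ? 'accept' : 'reject', $ok === $expected ? '' : '(UNEXPECTED)');
}

// The integer check on a page number and on two values is_numeric() would let through
foreach (['12', '1e3', ' 7'] as $page) {
    printf("page %-6s -> %s\n", json_encode($page), isSafeInteger($page, 1, 1000) ? 'ok' : 'rejected');
}
```

Whatever the application later does with the value (a file name, a table name, a query parameter) is then limited to the characters the pattern lists, which is the point of validating by whitelist rather than by blacklist.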

	

Pay attention to the null byte (%00) as well: the C string functions underneath PHP treat it as the end of the string, so what PHP checks and what the operating system sees can differ (PHP 5.3.4 and later reject such paths in filesystem functions).

Functions that receive user data need particular care: include, require, readfile, eval, ``, system, exec, create_function, dir, fopen and the like. What the user passes in is whatever they choose, not what you expect.
	<?php
		include($_GET['module'] . '.php');
	?>

Request module=../../../../../etc/passwd%00 and instead of a module the script includes /etc/passwd: the null byte ends the file name, so the appended '.php' is ignored.
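The robust fix is never to join request data to a path at all. The following is an added example, not the article's code: module names are looked up in a fixed table, and the resolved file is additionally checked to lie inside the module directory. MODULE_DIR, the temporary directory and the 'news' module file are constructed here so the script runs on its own.

```php
<?php
// Added example (not the article's code): loading a user-selected module without
// ever joining request data to a path. Module names go through a fixed table and
// the resolved file must lie inside the module directory. The directory, the
// 'news' module and MODULE_DIR are constructed here so the script runs on its own.
declare(strict_types=1);

define('MODULE_DIR', sys_get_temp_dir() . '/php_modules_demo');
if (!is_dir(MODULE_DIR)) {
    mkdir(MODULE_DIR, 0700, true);
}
file_put_contents(MODULE_DIR . '/news.php', "<?php echo \"news module loaded\\n\";\n");

// Allow-list: these literals are the only strings that are ever turned into a path.
const MODULES = [
    'news'    => 'news.php',
    'profile' => 'profile.php',
];

function resolveModule(string $requested): ?string
{
    if (!array_key_exists($requested, MODULES)) {
        return null;          // '../../../../../etc/passwd%00' and friends end here
    }
    $base = realpath(MODULE_DIR);
    $path = realpath(MODULE_DIR . '/' . MODULES[$requested]);
    // Defence in depth: a mistaken entry in MODULES still cannot leave the directory.
    if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Constructed request values; in a web context this is $_GET['module'].
foreach (['news', '../../../../../etc/passwd', "news\0.php", 'profile'] as $requested) {
    $file = resolveModule($requested);
    if ($file === null) {
        printf("%-32s -> rejected\n", json_encode($requested));
        continue;
    }
    printf("%-32s -> ", json_encode($requested));
    include $file;            // current PHP would also refuse any path containing "\0"
}
```

Only 'news' loads; 'profile' is rejected too, because its file does not exist and realpath() returns false, which is the behaviour you want for a stale table entry.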


Do not store in cookies anything the user must not be able to change; cookies are just as easy to edit as GET and POST data.
The only thing a cookie should carry is the session ID.
PHP has sessions for exactly this; the data itself stays on the server.
	<?php
		session_start();				// picks up the session by the ID in the cookie
		$_SESSION['userid'] = 168;		// stored server-side, never sent to the browser
		session_write_close();
	?>
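Since the session ID is then the only secret the browser holds, it deserves the same care as the data behind it. The following is an added example, not the article's code, of the login step with the session settings a practitioner expects on current PHP: the cookie is marked HttpOnly, Secure and SameSite, strict mode rejects IDs the server never issued, and the ID is regenerated after login so a session fixed before authentication is worthless. credentialsValid() is a hypothetical stand-in for the real credential check, and the user ID 168 is constructed.

```php
<?php
// Added example (not the article's code): the login step with session hardening.
// Only the session ID travels in the cookie; the user ID stays server-side.
// credentialsValid() is a hypothetical stand-in for the real credential check.
declare(strict_types=1);

function credentialsValid(string $user, string $pass): ?int
{
    // constructed: returns the user ID on success, null otherwise
    return ($user === 'alice' && $pass === 'correct horse') ? 168 : null;
}

// Cookie flags must be set before session_start(): not readable from JavaScript,
// not sent over plain HTTP, not attached to cross-site requests.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
ini_set('session.use_strict_mode', '1');   // reject session IDs the server did not issue
ini_set('session.use_only_cookies', '1');  // never accept the ID from the URL
session_start();

function login(string $user, string $pass): bool
{
    $id = credentialsValid($user, $pass);
    if ($id === null) {
        return false;
    }
    session_regenerate_id(true);   // fresh ID after the privilege change (anti-fixation)
    $_SESSION['userid'] = $id;     // stored server-side, never in the cookie
    return true;
}

function currentUserId(): ?int
{
    return isset($_SESSION['userid']) ? (int)$_SESSION['userid'] : null;
}

function logout(): void
{
    $_SESSION = [];
    session_regenerate_id(true);
    session_destroy();
}

// Constructed usage; in a web context the values come from $_POST.
if (login('alice', 'correct horse')) {
    printf("logged in, user id %d\n", currentUserId());
    logout();
    printf("after logout: %s\n", currentUserId() === null ? 'no user' : 'still logged in');
}
```

The cookie never contains anything but the ID, so there is nothing in it for the user to edit; what remains to protect is the ID itself, which is what the flags and the regeneration are for.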
	





Everything in $_GET, $_POST and $_COOKIE comes from the user.
Trust no one! :)

Source: https://habr.com/ru/post/12067/

