Security Prevention of Php Injection Through the above process, we can understand the principles and methods of Php injection. Of course, we can also develop corresponding prevention methods:
The first is the security settings of the server. We have already talked about the security settings of the windows server before and will not repeat them again. The main ones here are the security settings of php+mysql and the security settings of the Linux host. To prevent php+mysql injection, first set magic_quotes_gpc to On and display_errors to Off. If it is an id type, we use the intval() function to convert it into an integer type, as shown in the code:
$id=intval($id);
mysql_query="select *from example where articieid='$id'"; Or write like this: mysql_query("SELECT * FROM article WHERE articleid=".intval($id)."")
If it is a character type, use addslashes() Filter it, and then filter "%" and "_" such as:
$search=addslashes($search);
$search=str_replace(“_”,”_”,$search);
$search=str_replace(“%”,”%”,$search);
Of course, you can also add PHP general anti-injection code:
/******************************
PHP general anti-injection security code description:
Determine whether the passed variable contains illegal characters such as $_POST, $_GET
Function:
Anti-injection
******************************/
//Illegal characters to be filtered
$ArrFiltrate=array("'",";","union");
//The URL to jump to after an error occurs. If not filled in, the previous page will be defaulted.
$StrGoUrl="";
//Whether there is a value in the array
function FunStringExist($StrFiltrate,$ArrFiltrate){
foreach ($ArrFiltrate as $key=>$value){
if (eregi($value,$StrFiltrate)){
return true;
}
}
return false;
}
//Merge $_POST and $_GET
if(function_exists(array_merge)){
$ArrPostAndGet=array_merge($HTTP_POST_VARS,$HTTP_GET_VARS);
}else{
foreach($HTTP_POST_VARS as $key=>$value){
$ArrPostAndGet[]=$value;
}
foreach($HTTP_GET_VARS as $key=>$value){
$ArrPostAndGet[]=$value;
}
}
//Verification starts
foreach($ArrPostAndGet as $key=>$value){
if (FunStringExist($value,$ArrFiltrate)){
echo "alert(/"Neeao prompt, illegal character/");";
if (empty($StrGoUrl)){
echo "history.go(-1);";
}else{
echo "window.location=/"".$StrGoUrl."/";";
}
exit;
}
}
?>
/******************************
Save as checkpostandget.php www.devdao.com
Then add include("checkpostandget.php"); in front of each php file.
******************************/
In addition, the administrator username and password are md5 encrypted, which can effectively prevent PHP injection.
There are also some security precautions that need to be strengthened on the server and mysql.
For security settings of linux server:
To encrypt the password, use the "/usr/sbin/authconfig" tool to turn on the password shadow function and encrypt the password.
To prohibit access to important files, enter the Linux command interface and enter at the prompt:
#chmod 600 /etc/inetd.conf //Change file attributes to 600
#chattr +I /etc/inetd.conf // Ensure that the file owner is root
#chattr –I /etc/inetd.conf // Limit changes to this file
To prohibit any user from changing to the root user through the su command, add the following two lines at the beginning of the su configuration file, that is, the /etc/pam.d/ directory:
Auth sufficient /lib/security/pam_rootok.so debug
Auth required /lib/security/pam_whell.so group=wheel
Delete all special accounts
#userdel lp etc. delete user
#groupdel lp, etc. Delete the group to prohibit unused suid/sgid programs
#find / -type f (-perm -04000 - o –perm -02000 ) -execls –lg {} ;