  Linux server Php injection prevention
     
  Add Date : 2018-11-21      
         
         
         
Having walked through the injection process above, we understand the principles and methods of PHP injection, and from them we can naturally work out the corresponding prevention measures:
The first is the security configuration of the server, which mainly means the PHP + MySQL settings and the Linux host settings. For PHP + MySQL injection prevention, first set magic_quotes_gpc to On and display_errors to Off. If a parameter is of id type, convert it to an integer with the intval() function, for example:
$id = intval($id);
mysql_query("select * from example where articleid='$id'");
or written as:
mysql_query("SELECT * FROM article WHERE articleid=" . intval($id));


If the parameter is a string, filter it with addslashes(), and then also filter the LIKE wildcards "%" and "_", for example:
$search = addslashes($search);
$search = str_replace("_", "\_", $search);
$search = str_replace("%", "\%", $search);
Of course, you can also add this commonly used PHP anti-injection code:

<?php
// Strings to treat as illegal in request parameters
$ArrFiltrate = array("'", ";", "union");
// URL to jump to after an error; leave empty to go back to the previous page
$StrGoUrl = "";
// Returns true if any filtered string occurs in the value (case-insensitive).
// stripos() replaces the original eregi(), which was removed in PHP 7.
function FunStringExist($StrFiltrate, $ArrFiltrate) {
    foreach ($ArrFiltrate as $key => $value) {
        if (stripos($StrFiltrate, $value) !== false) {
            return true;
        }
    }
    return false;
}
// Combine $_POST and $_GET ($HTTP_POST_VARS/$HTTP_GET_VARS are long gone)
if (function_exists("array_merge")) {
    $ArrPostAndGet = array_merge($_POST, $_GET);
} else {
    $ArrPostAndGet = array();
    foreach ($_POST as $key => $value) {
        $ArrPostAndGet[] = $value;
    }
    foreach ($_GET as $key => $value) {
        $ArrPostAndGet[] = $value;
    }
}
// Start verification
foreach ($ArrPostAndGet as $key => $value) {
    if (FunStringExist($value, $ArrFiltrate)) {
        echo "<script>alert(\"Neeao prompt: illegal characters\");";
        if (empty($StrGoUrl)) {
            echo "history.go(-1);";
        } else {
            echo "window.location=\"" . $StrGoUrl . "\";";
        }
        echo "</script>";
        exit;
    }
}
?>
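As an added example (not code from the original article), here are the id and search cases above handled with PDO prepared statements rather than addslashes() and magic_quotes_gpc; the article table, its rows and the function names are constructed for this demo, which runs against an in-memory SQLite database.

```php
<?php
// Added example, not from the original article: the id-parameter and the
// LIKE-search cases above, done with bound parameters. The table, rows and
// function names are constructed for the demo; SQLite in memory keeps it offline.
declare(strict_types=1);

// Validate rather than coerce the id: intval("7 OR 1=1") silently becomes 7,
// so anything that is not a plain positive integer is rejected outright.
function article_id_or_null($raw): ?int {
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Escape LIKE wildcards. The escape character itself must be handled first,
// otherwise the backslashes added for % and _ could be neutralised.
function escape_like(string $s, string $esc = '\\'): string {
    return str_replace([$esc, '%', '_'], [$esc . $esc, $esc . '%', $esc . '_'], $s);
}

function find_article(PDO $db, $rawId): ?array {
    $id = article_id_or_null($rawId);
    if ($id === null) { return null; }          // no query is run for bad input
    $st = $db->prepare('SELECT id, title FROM article WHERE id = :id');
    $st->execute([':id' => $id]);               // bound, never interpolated
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function search_titles(PDO $db, string $term): array {
    // The user term is bound as data; only our own %...% wrapper is a wildcard.
    $st = $db->prepare("SELECT title FROM article WHERE title LIKE :p ESCAPE '\\'");
    $st->execute([':p' => '%' . escape_like($term) . '%']);
    return $st->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample data
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT)');
$ins = $db->prepare('INSERT INTO article (title) VALUES (?)');
foreach (['Linux server PHP injection prevention', '100% secure', 'under_score'] as $t) {
    $ins->execute([$t]);
}

var_dump(find_article($db, '1')['title']);   // first article
var_dump(find_article($db, '1 OR 1=1'));      // NULL: rejected before any query
var_dump(search_titles($db, '100%'));         // only "100% secure", not every row
var_dump(search_titles($db, '_'));            // only "under_score"
```

On MySQL the default LIKE escape character is already the backslash, so the same escape_like() output works there without the ESCAPE clause.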


In addition, store the administrator user name and password as md5 hashes; together these measures can effectively prevent PHP injection.

Beyond that, the server and MySQL themselves should be hardened.

Linux server security settings:

Password encryption: use the /usr/sbin/authconfig tool to enable shadow passwords so that passwords are stored encrypted.

Prevent access to important files: at the Linux command prompt, enter:

#chmod 600 /etc/inetd.conf // set the file mode to 600 (owner read/write only)

#chattr +i /etc/inetd.conf // set the immutable attribute so the file cannot be changed or deleted until the flag is cleared

#chattr -i /etc/inetd.conf // clear the immutable attribute when the file legitimately needs editing

Prohibit any user from using the su command to become root:

Add the following two lines at the beginning of the su configuration file in the /etc/pam.d/ directory (/etc/pam.d/su):

auth sufficient /lib/security/pam_rootok.so debug

auth required /lib/security/pam_wheel.so group=wheel

Delete all special accounts:

#userdel lp // delete unused users such as lp

#groupdel lp // delete unused groups such as lp

Prohibit the use of suid/sgid programs; list them with:

#find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;


MySQL security settings:

(1) Run MySQL in a separate (chroot) environment:

#mkdir -p /chroot/mysql/dev

#mkdir -p /chroot/mysql/etc

#mkdir -p /chroot/mysql/tmp

#mkdir -p /chroot/mysql/var/tmp

#mkdir -p /chroot/mysql/usr/local/mysql/libexec

#mkdir -p /chroot/mysql/usr/local/mysql/share/mysql/english

Create the directory structure above, then set the directory permissions:

#chown -R root:sys /chroot/mysql

#chmod -R 755 /chroot/mysql

#chmod 1777 /chroot/mysql/tmp

Copy the MySQL programs and files into the chroot:

#cp -p /usr/local/mysql/libexec/mysqld /chroot/mysql/usr/local/mysql/libexec/

#cp -p /usr/local/mysql/share/mysql/english/errmsg.sys /chroot/mysql/usr/local/mysql/share/mysql/english/

#cp -p /etc/hosts /chroot/mysql/etc/

#cp -p /etc/host.conf /chroot/mysql/etc/

#cp -p /etc/resolv.conf /chroot/mysql/etc/

#cp -p /etc/group /chroot/mysql/etc/

#cp -p /etc/passwd /chroot/mysql/etc/passwd

#cp -p /etc/my.cnf /chroot/mysql/etc/

Edit the passwd and group files inside the chroot:

#vi /chroot/mysql/etc/passwd

#vi /chroot/mysql/etc/group // open each file and delete every row except those for mysql and root

Copy the MySQL database files into the chroot:

#cp -R /usr/local/mysql/var/ /chroot/mysql/usr/local/mysql/var

#chown -R mysql:mysql /chroot/mysql/usr/local/mysql/var

Download and install the chrootuid program.

(2) Run the mysqld process under a separate user and group; this user is not root, has no shell, and is not used for any other program;

(3) Modify the MySQL root account and use a complex password:

mysql> use mysql;
mysql> update user set user = "xxxxx" where user = "root";
mysql> select Host, User, Password, Select_priv, Grant_priv from user;
mysql> delete from user where user = '';
mysql> delete from user where password = '';
mysql> delete from user where host = '%';

This renames the easily guessed root account and removes the anonymous, passwordless and wildcard-host accounts.

(4) Allow only local connections to MySQL, and disable network listening when MySQL starts:

Add the --skip-networking startup parameter so that mysql does not listen for any TCP/IP connections, which increases security.

(5) Ensure that logging in to MySQL with the nobody account is disabled;

(6) Remove the test database:

mysql> drop database test;

(7) Prohibit MySQL from importing local files. The following disables the MySQL "LOAD DATA LOCAL INFILE" command, which makes the MySQL server read local files and could let a user illegally obtain sensitive information. To disable it, add the following line to the [mysqld] section of the /chroot/mysql/etc/my.cnf file:

set-variable = local-infile = 0

(on current MySQL releases, where the set-variable prefix is no longer accepted, write local-infile=0). With this, the basic MySQL security setup is complete.
  CopyRight 2002-2022 newfreesoft.com, All Rights Reserved.