From the injection process described above we can understand the principles and methods of PHP injection, and from them we can also develop a prevention strategy in stages.
The first stage is security configuration on the server, chiefly the PHP + MySQL settings and the hardening of the Linux host. For PHP + MySQL injection prevention, first set magic_quotes_gpc to On and display_errors to Off (note that magic_quotes_gpc was deprecated in PHP 5.3 and removed in PHP 5.4, so on current PHP the escaping described below has to be done explicitly in the application code). If a parameter is an ID, convert it to an integer with the intval() function, for example:
$id = intval($id);
mysql_query("SELECT * FROM article WHERE articleid = '$id'");
or written as:
mysql_query("SELECT * FROM article WHERE articleid = " . intval($id));
(The mysql_* extension used here was removed in PHP 7.0; on current PHP the same queries are issued through mysqli or PDO, ideally as prepared statements.)
If the parameter is a string, filter it with addslashes(), and then additionally escape the LIKE wildcards "%" and "_" so that user input cannot turn a search into a match-everything pattern, for example:
$search = addslashes($search);
$search = str_replace('_', '\_', $search);
$search = str_replace('%', '\%', $search);
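The following is an added example, not code from the original article, showing the two query shapes discussed above built with these guards and what each guard does to a hostile input. It goes one step beyond the article by also showing the prepared-statement form, where the driver handles quoting and only the wildcard escaping remains. It assumes a table article with columns articleid and title (the article's own names) and the pdo_sqlite extension, used so that the demo runs without a MySQL server.

```php
<?php
// Added example (not from the original article). Assumes a table `article`
// with columns `articleid` and `title`, and the pdo_sqlite extension so the
// demo can run against an in-memory database instead of a MySQL server.

// Integer parameter: intval() keeps only the leading number, so an injected
// tail such as "1 UNION SELECT ..." collapses to 1.
function articleByIdSql(string $rawId): string
{
    return "SELECT * FROM article WHERE articleid = " . intval($rawId);
}

// String parameter used in LIKE: escape quote and backslash with addslashes()
// (the article's method; mysqli_real_escape_string() is charset-aware and
// preferable once a connection exists), then escape the LIKE wildcards so a
// search for "100%" cannot match every row.
function escapeLike(string $raw): string
{
    $s = addslashes($raw);
    $s = str_replace('_', '\_', $s);
    $s = str_replace('%', '\%', $s);
    return $s;
}

function searchSql(string $rawSearch): string
{
    return "SELECT * FROM article WHERE title LIKE '%" . escapeLike($rawSearch) . "%'";
}

// Prepared statement: the value never becomes part of the SQL text, so quoting
// is handled by the driver; only the wildcard escaping is still needed.
// Backslash is escaped first so the later replacements cannot be undone.
function searchPrepared(PDO $db, string $rawSearch): array
{
    $pattern = '%' . str_replace(['\\', '%', '_'], ['\\\\', '\%', '\_'], $rawSearch) . '%';
    $stmt = $db->prepare("SELECT articleid, title FROM article WHERE title LIKE :p ESCAPE '\\'");
    $stmt->execute([':p' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data and hostile inputs (not taken from any real system).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE article (articleid INTEGER PRIMARY KEY, title TEXT)");
$db->exec("INSERT INTO article (title) VALUES ('100% cotton'), ('plain shirt'), ('a_b')");

echo articleByIdSql("1 UNION SELECT user, password, 3 FROM mysql.user"), "\n";
echo searchSql("100%' OR '1'='1"), "\n";
print_r(searchPrepared($db, "100%"));
print_r(searchPrepared($db, "_"));
```

Run with the PHP CLI. The first line printed is the ID query with the injected tail discarded (articleid = 1); the second is the LIKE query with the quote characters and the percent sign escaped, so the OR clause stays inside the string literal; the two prepared searches return only the '100% cotton' row and only the 'a_b' row respectively, showing that the escaped wildcards match literally instead of matching everything.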
Of course, you can also add a common PHP injection defence to the code (the listing below is the article's filter, repaired to run on current PHP):
<?php
// Characters and keywords to filter
$ArrFiltrate = array("'", ";", "union");
// URL to jump to after an error; leave empty to go back to the previous page
$StrGoUrl = "";

// Returns true if any entry of $ArrFiltrate occurs in $StrFiltrate.
// The original used eregi(), which was removed in PHP 7; a case-insensitive
// substring search does the same job for these literal patterns.
// Array-valued parameters (name[]) are checked element by element.
function FunStringExist($StrFiltrate, $ArrFiltrate) {
    if (is_array($StrFiltrate)) {
        foreach ($StrFiltrate as $item) {
            if (FunStringExist($item, $ArrFiltrate)) {
                return true;
            }
        }
        return false;
    }
    foreach ($ArrFiltrate as $key => $value) {
        if (stripos((string) $StrFiltrate, $value) !== false) {
            return true;
        }
    }
    return false;
}

// Combine $_POST and $_GET ($HTTP_POST_VARS and $HTTP_GET_VARS in the
// original are the old names for these arrays, removed in PHP 5.4)
$ArrPostAndGet = array_merge($_POST, $_GET);

// Start verification
foreach ($ArrPostAndGet as $key => $value) {
    if (FunStringExist($value, $ArrFiltrate)) {
        echo "<script>alert(\"Neeao prompt: illegal character\");";
        if (empty($StrGoUrl)) {
            echo "history.go(-1);";
        } else {
            echo "window.location = \"" . $StrGoUrl . "\";";
        }
        echo "</script>";
        exit;
    }
}
?>
Note that this is a blacklist: it rejects the obvious patterns in GET and POST parameters, but it does not look at cookies or headers and can be bypassed by inputs the list does not anticipate, so it complements rather than replaces the per-parameter handling (intval() for numbers, escaping or prepared statements for strings) described above.
The administrator user name and password should also be stored as MD5 hashes rather than in plain text (MD5 is a hash, not encryption, and unsalted MD5 is no longer adequate for passwords; on current PHP use password_hash()). This does not stop injection itself, but it limits what an attacker gains if the user table is read out through an injection.
Beyond this, the server and MySQL themselves should be hardened.
Linux server security settings:
Encrypted passwords: use the /usr/sbin/authconfig tool to enable shadow passwords, so that the password hashes are moved out of the world-readable /etc/passwd into /etc/shadow.
Prohibit access to important files. At the Linux command prompt enter:
#chmod 600 /etc/inetd.conf    // change the file mode to 600 (readable and writable by the owner only; make sure the owner is root)
#chattr +i /etc/inetd.conf    // set the immutable attribute so the file cannot be modified or deleted, even by root, until the attribute is cleared
#chattr -i /etc/inetd.conf    // clear the immutable attribute again before making a legitimate change
Prevent ordinary users from using the su command to become root. Add the following two lines at the beginning of the su configuration file in the /etc/pam.d/ directory (/etc/pam.d/su); afterwards only members of the wheel group can su to root:
auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=wheel
Delete all unnecessary special accounts, for example:
#userdel lp    // delete the user
#groupdel lp   // delete the group
Find the SUID/SGID programs on the system and remove the bit (chmod u-s or chmod g-s) from any that do not need it:
#find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;
MySQL security settings:
(1) Run MySQL in a separate chroot environment:
#mkdir -p /chroot/mysql/dev
#mkdir -p /chroot/mysql/etc
#mkdir -p /chroot/mysql/tmp
#mkdir -p /chroot/mysql/var/tmp
#mkdir -p /chroot/mysql/usr/local/mysql/libexec
#mkdir -p /chroot/mysql/usr/local/mysql/share/mysql/english
After creating the directory structure above, set the directory permissions:
#chown -R root:sys /chroot/mysql
#chmod -R 755 /chroot/mysql
#chmod 1777 /chroot/mysql/tmp
Copy the programs and files MySQL needs into the chroot:
#cp -p /usr/local/mysql/libexec/mysqld /chroot/mysql/usr/local/mysql/libexec/
#cp -p /usr/local/mysql/share/mysql/english/errmsg.sys /chroot/mysql/usr/local/mysql/share/mysql/english/
#cp -p /etc/hosts /chroot/mysql/etc/
#cp -p /etc/host.conf /chroot/mysql/etc/
#cp -p /etc/resolv.conf /chroot/mysql/etc/
#cp -p /etc/group /chroot/mysql/etc/
#cp -p /etc/passwd /chroot/mysql/etc/passwd
#cp -p /etc/my.cnf /chroot/mysql/etc/
Edit the passwd and group files inside the chroot:
#vi /chroot/mysql/etc/passwd
#vi /chroot/mysql/etc/group
Open each file and delete every line except those for mysql and root, so that the chroot contains no other account information.
Copy the MySQL database files into the chroot:
#cp -R /usr/local/mysql/var/ /chroot/mysql/usr/local/mysql/var
#chown -R mysql:mysql /chroot/mysql/usr/local/mysql/var
Download and install the chrootuid program, which is used to start mysqld inside the chroot as the unprivileged mysql user.
(2) Run the mysqld process under a separate user and group; this user must not be root, should have no login shell, and should not be used by any other program.
(3) Rename the MySQL root account (an easily guessed name) and give it a complex password, then remove anonymous accounts, accounts with empty passwords, and accounts allowed to connect from any host:
mysql> use mysql;
mysql> update user set user = 'xxxxx' where user = 'root';
mysql> select Host, User, Password, Select_priv, Grant_priv from user;
mysql> delete from user where user = '';
mysql> delete from user where password = '';
mysql> delete from user where host = '%';
Finish with flush privileges; so that these direct changes to the user table take effect without a restart. (On MySQL 5.7 and later the Password column is named authentication_string.)
(4) Allow only local connections to MySQL and disable network listening at startup: add the --skip-networking startup parameter so that mysqld does not accept any TCP/IP connection; PHP on the same host then connects through the Unix socket.
(5) Ensure that the nobody account used to connect to MySQL cannot log in.
(6) Remove the test database:
mysql> drop database test;
(7) Prohibit MySQL from loading local files. The following disables the "LOAD DATA LOCAL INFILE" statement, which reads a file on the client host into a table; when the PHP application is the client, an injected query can use it to read sensitive files from the web server. To disable it, add the following line to the [mysqld] section of /chroot/mysql/etc/my.cnf:
local-infile=0
(Old MySQL releases wrote this as set-variable = local-infile=0.) Note that LOAD DATA INFILE without LOCAL and the LOAD_FILE() function read files on the server side and are controlled by the FILE privilege instead. With this, the basic MySQL security setup is complete.