Summary of common web security problems (sharing 12 common attack types and defense measures)

Posted by andycole on Sun, 21 Nov 2021 22:05:35 +0100

Article catalog

1. Understand the harm of web attacks.

2. Share three common attacks and corresponding defense methods

1. Harm of Web attacks.

What are the hazards of web attacks?
A minor attack may leak your users' information from the website. A serious web attack can delete the database, take the whole site offline, and so on.

2. Three attack types: SQL injection, XSS, CSRF

Here we share three attack types: SQL injection, XSS and CSRF.

2.1 SQL injection
What is SQL injection?
Suppose the page takes an id parameter from the user. If that value is spliced into the SQL text without any check, SQL injection occurs.
For example, the user passes a uid parameter (user id). Normally it is an integer such as 1:

$uid = $_GET['uid'];//1
select * from member where id = $uid
This SQL is fine.
If the attacker deliberately passes uid = '1 or 1=1', the statement becomes
select * from member where id = 1 or 1=1;
which returns every user's record. This is only a simple illustration; SQL injection can do far worse, such as reading other tables or modifying and deleting data.

Two defensive measures are shared here.

1. Type conversion: strictly validate and filter the parameters submitted by users.
For example, cast the uid parameter to an integer: $uid = intval($_GET['uid']); // "1 or 1=1" is converted to 1.
Note that intval() keeps the leading digits and silently drops the rest, so the payload is neutralized rather than rejected. This only works for parameters that are supposed to be integers; it does nothing for string parameters.

When using a framework, query through the methods the framework encapsulates instead of writing raw SQL yourself; underneath, the framework binds the parameters, which prevents SQL injection. If some scenario forces you to write a raw statement, you must validate or bind the parameters yourself.

2. Use MySQL's prepare mechanism (also known as parameterized queries).
The root of SQL injection is that MySQL receives the statement text and the data in one string and parses them together, so data can change the structure of the statement. A prepared statement splits this into two steps:

  1. The SQL template is sent and parsed first; the user's value is sent afterwards as a bound parameter. Even a value that contains SQL can no longer alter the statement.
  2. MySQL also gets a chance to check the value. After preparing the template (`id` = :ThinkBind_1_454319113_), it knows the value is compared against the id field, so it is handled as data of that column's type and never as SQL text.

Take ThinkPHP as an example.

  The following SQL has an injection problem; once it is split into a template and a parameter and executed in two steps, the injected part no longer works as SQL.

For example: select id, name from uf_member where id = 12052 or 1 = 1

//Step 1, the template sent to MySQL:
  SELECT `id`,`name` FROM `uf_member` WHERE  `id` = :ThinkBind_1_454319113_

After the template is sent, MySQL waits for the parameters. Then the second part, the parameter values, is passed in:

//Step 2, the bound parameters (var_dump output; int(1) is the PDO parameter type, PDO::PARAM_INT):
 array(1) {
  ["ThinkBind_1_454319113_"]=>
  array(2) {
    [0]=>
    string(14) "12052 or 1 = 1"
    [1]=>
    int(1)
  }
 }

Even though the value still contains the injected "or 1 = 1", it is bound as a single parameter value for `id`; on its own it cannot do any harm.

Here is some demo code (PHP with PDO).

//The version without prepared statements; the spliced query can be injected
header('content-type:text/html;charset=utf-8');
$username=$_POST['username'];
$psw=$_POST['psw'];
try {
    $pdo=new PDO('mysql:host=localhost;dbname=test','root','root');
    // user input is spliced directly into the SQL text
    $sql="select * from user where username='{$username}' and password='{$psw}'";
    $stmt=$pdo->query($sql);
    echo $stmt->rowCount(); // Returns the number of rows in the result set
} catch (Exception $e) {
    echo $e->getMessage();
}


//Prepared statements (prepare + bound parameters) prevent SQL injection; also put charset=utf8mb4 in the DSN so escaping matches the connection charset
header('content-type:text/html;charset=utf-8');
$username=$_POST['username'];
$psw=$_POST['psw']; 
try {  
    $pdo=new PDO('mysql:host=localhost;dbname=test','root','root');  
    $sql="select * from user where username=? and password=?";  
    $stmt=$pdo->prepare($sql);  
    $stmt->execute(array($username,$psw));  
    echo $stmt->rowCount(); 
} catch (Exception $e) {  
    echo $e->getMessage(); 
}
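The following is an added example, not code from the original post. It reproduces the three situations the article describes (the spliced uid query, integer validation, and a bound parameter, plus the login demo above) in Python with the standard-library sqlite3 module instead of PHP/PDO with MySQL; the mechanism is the same, the SQL text is fixed and the value is bound separately. The tables, rows, payloads and the stricter integer check are constructed for this demo and are not from the article.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data for the demo (not from the original post)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE member (id INTEGER, name TEXT);
        INSERT INTO member VALUES (1, 'zhangsan'), (2, 'lisi'), (3, 'wangwu');
        CREATE TABLE user (id INTEGER, username TEXT, password TEXT);
        INSERT INTO user VALUES (1, 'admin', 'S3cret!'), (2, 'guest', 'guest');
    """)
    return db


# --- the vulnerable pattern: user input spliced into the SQL text ----------

def members_vulnerable(db, uid):
    """Equivalent of  select * from member where id = $uid  with $uid unchecked.
    uid = "1 or 1=1" turns the WHERE clause into  id = 1 or 1=1  -> every row."""
    sql = f"SELECT id, name FROM member WHERE id = {uid}"
    return db.execute(sql).fetchall()


def login_vulnerable(db, username, password):
    """Equivalent of the article's first PDO demo (string-built login query).
    Returns the number of matching rows, as the demo echoes rowCount()."""
    sql = (f"SELECT id FROM user WHERE username='{username}' "
           f"AND password='{password}'")
    return len(db.execute(sql).fetchall())


# --- defense 1: strict validation of an integer parameter -----------------

def members_int_checked(db, uid):
    """PHP's intval('1 or 1=1') silently returns 1. This version is stricter
    (an assumption of the demo): anything that is not a plain decimal integer
    is rejected before it gets anywhere near the SQL."""
    if not re.fullmatch(r"[0-9]{1,18}", uid):
        raise ValueError(f"uid must be an integer, got {uid!r}")
    return db.execute("SELECT id, name FROM member WHERE id = ?",
                      (int(uid),)).fetchall()


# --- defense 2: prepared / parameterised statements ------------------------

def members_prepared(db, uid):
    """The template is parsed with a placeholder and the value is bound
    afterwards: '1 or 1=1' is compared as data against the id column
    (it matches nothing) instead of being parsed as SQL."""
    return db.execute("SELECT id, name FROM member WHERE id = ?",
                      (uid,)).fetchall()


def login_prepared(db, username, password):
    """Equivalent of the article's second PDO demo (prepare + execute)."""
    return len(db.execute(
        "SELECT id FROM user WHERE username=? AND password=?",
        (username, password)).fetchall())


if __name__ == "__main__":
    db = make_db()
    print(members_vulnerable(db, "1 or 1=1"))      # all three rows
    print(members_prepared(db, "1 or 1=1"))        # []
    print(members_prepared(db, "1"))               # [(1, 'zhangsan')]
    # "admin' -- " comments out the password check in the spliced query
    print(login_vulnerable(db, "admin' -- ", "wrong"))   # 1 -> logged in
    print(login_prepared(db, "admin' -- ", "wrong"))     # 0
    try:
        members_int_checked(db, "1 or 1=1")
    except ValueError as e:
        print("rejected:", e)
```

The login payload `admin' -- ` (with a trailing space, which MySQL requires after `--`) shows the more common real-world outcome: not a dump of every row, but a login as a chosen user with no password at all. With the bound version the same bytes are looked up literally as a user name and match nothing.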

2.2 XSS (Cross Site Scripting). The natural abbreviation would be CSS, but that is confused with Cascading Style Sheets, so it is generally written XSS.

Similar to SQL injection, it is essentially HTML injection: a script is injected into HTML that is submitted to the server and later served to other users.
The focus of XSS is not the "cross site" part but script execution.
The principle of XSS is that an attacker inserts malicious script code into a web page; when a user browses that page, the embedded script runs in the user's browser, which achieves the attacker's purpose against that user. XSS is classified as reflected, stored and DOM-based. Reflected and DOM-based XSS are non-persistent; stored XSS is persistent.

A simple example:
Normal user names look like Zhang San or Li Si. If the attacker sets the user name to "<script>while(true){alert("this is xss");}</script>", an alert box pops up endlessly in the browser wherever that user name is displayed. More serious XSS payloads steal the victim's session cookie or perform actions in the victim's account.

If there is no rich text editor, the conversion approach works here too: pass user data through the htmlspecialchars function before output. It converts < > & and " (and ' when ENT_QUOTES is set, which is the default since PHP 8.1) into entities and stops most XSS. It is not a complete defense: it only protects HTML text and quoted attribute values. Data placed in an unquoted attribute, in a URL (href="javascript:..."), or inside a script block needs context-specific encoding or validation, and a single-quoted attribute is still injectable when htmlspecialchars runs without ENT_QUOTES.
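The following is an added example, not code from the original post. It mimics htmlspecialchars() in Python (both its old ENT_COMPAT default and ENT_QUOTES), renders a constructed user-name payload into several output contexts, and then parses the result with html.parser the way a browser would, to see in which contexts a script tag, an on* event handler or a javascript: URL survives. The contexts, payloads, the small audit parser and the safe_url allowlist are constructed for the demo and are not from the article.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Output contexts a user name might be rendered into (constructed for the demo).
CONTEXTS = {
    "text":          "<p>Welcome, {v}</p>",
    "attr_dquoted":  '<input name="nick" value="{v}">',
    "attr_squoted":  "<input name='nick' value='{v}'>",
    "attr_unquoted": "<input name=nick value={v}>",
    "href":          '<a href="{v}">profile</a>',
}

# Constructed payloads, one per context.
PAYLOADS = {
    "text":          '<script>while(true){alert("this is xss");}</script>',
    "attr_dquoted":  '" onmouseover="alert(1)',
    "attr_squoted":  "' onmouseover='alert(1)",
    "attr_unquoted": "x onmouseover=alert(1)",
    "href":          "javascript:alert(1)",
}


def no_escape(s):
    return s


def htmlspecialchars_compat(s):
    """Mimics PHP htmlspecialchars() with its pre-8.1 default flags (ENT_COMPAT):
    & < > and the double quote are escaped, the single quote is not."""
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace('"', "&quot;"))


def htmlspecialchars_quotes(s):
    """Equivalent of htmlspecialchars($s, ENT_QUOTES): the single quote is escaped too."""
    return html.escape(s, quote=True)


class _Audit(HTMLParser):
    """Parses the rendered markup as a browser would and records script tags,
    on* event-handler attributes and javascript: URLs."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script tag")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name}")
            if name in ("href", "src") and value and \
                    value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name}")


def render(context, value, escaper):
    return CONTEXTS[context].format(v=escaper(value))


def xss_survives(context, escaper):
    """True if the context's payload still yields active script after escaping."""
    p = _Audit()
    p.feed(render(context, PAYLOADS[context], escaper))
    p.close()
    return bool(p.findings)


def safe_url(value):
    """What the href context needs instead of entity escaping: a scheme allowlist.
    Relative URLs (empty scheme) and http(s) pass; anything else is replaced."""
    scheme = urlsplit(value.strip()).scheme.lower()
    return value if scheme in ("http", "https", "") else "#"


def report():
    """Context -> escaper name -> does XSS survive?"""
    return {ctx: {fn.__name__: xss_survives(ctx, fn)
                  for fn in (no_escape, htmlspecialchars_compat, htmlspecialchars_quotes)}
            for ctx in CONTEXTS}


if __name__ == "__main__":
    for ctx, row in report().items():
        print(f"{ctx:14s}", {k: ("XSS" if v else "safe") for k, v in row.items()})
```

Running it shows the boundary the paragraph above describes: entity escaping fully handles the text and double-quoted attribute contexts, ENT_QUOTES is needed for single-quoted attributes, and no amount of escaping helps an unquoted attribute or an href, which need quoting and a scheme allowlist respectively.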

Topics: PHP security xss csrf