Xiaodi security Web security PHP development - day 14 - personal blog project & input / output class & message board & access IP&UA header

Posted by Joshua4550 on Thu, 06 Jan 2022 01:36:44 +0100

1, Input / output class

(1) Implementing a search and query function in PHP

1. The website takes the data entered by the user, connects to the database and looks up the records matching that input, then returns the matches to the user; this is how a search and query function works.

2. Code example

(1) index home page with the search box

<!DOCTYPE html>
<html>
    <head>
        <meta charset="utf-8">
        <title>php Search query</title>
    </head>
    <body>
        <ul>
            <li><a href="search.php">Access query</a></li>
        </ul>
        <p>
            <form id="form1" action="search.php" method="POST">
                <label for="search">Content search</label>
                <input type="search" name="search" id="search" />
            </form>
        </p>
    </body>
</html>
(2) config/conn.php database connection configuration file
<?php
#Set parameters
$servername = "localhost";
$username = "root";
$password = "root";
$database = "mysql";
#Create connection
$conn = mysqli_connect($servername, $username, $password,$database);
#Check connection
if(!$conn){
    die("Connection failed:" . mysqli_connect_error());
}
$db_select = mysqli_select_db($conn,'mysql');
if(!$db_select){
    #A failed database selection is reported by mysqli_error(), not mysqli_connect_error()
    die("Database selection failed:" . mysqli_error($conn));
}
#echo "connection succeeded!";
?>
(3) The search.php file handles the data entered by the user
<?php
include('config/conn.php');
$s = $_POST['search'];
#The user input is concatenated straight into the SQL string; section (2) below explains why this is dangerous
$sql = "SELECT * FROM engine_cost WHERE cost_name LIKE '%$s%'";
$result = mysqli_query($conn,$sql);
#Detect query errors
if (!$result) {
    printf("Error: %s\n", mysqli_error($conn));
    exit();
}
#The search term is echoed back without encoding
echo 'You searched for: ' . $s . ' The results are as follows:';
#Output search results
while($row = mysqli_fetch_array($result,MYSQLI_ASSOC)){
    echo '<br><br><br>';
    echo $row['engine_name'] . '<br>';
    echo $row['device_type'] . '<br>';
    echo $row['cost_name'] . '<br>';
}
?>
(2) Vulnerabilities of the search query interface

1. Because the data entered by the user has to be passed to the database as part of a query, and the result of that query returned to the user, SQL injection is easy to introduce.

2. If the input from the search box is not filtered properly, an XSS (cross-site scripting) vulnerability is easy to introduce: code contained in the user input is executed in the page, and an attacker can use the cross-site attack to steal the website's cookies.
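The two vulnerabilities above are fixed at different points of the same script: the SQL injection by sending the search term as a bound parameter instead of pasting it into the query text, and the reflected XSS by HTML-encoding the term before echoing it. The following hardened replacement for search.php is an added example, not code from the original post; it assumes the post's config/conn.php (providing `$conn`) and the `engine_cost` table with the columns the post uses, and the `h()` and `like_pattern()` helpers are names chosen here.

```php
<?php
// Added example, not code from the original post: a hardened replacement for
// search.php. Assumes the post's config/conn.php provides $conn (mysqli) and the
// table engine_cost with columns engine_name, device_type and cost_name.
header('Content-Type: text/html; charset=utf-8');
include('config/conn.php');

// HTML-encode any value before it is placed in the page, so a search term such
// as <script> is shown as text instead of being executed (reflected XSS).
function h($v): string
{
    return htmlspecialchars((string) $v, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Build the LIKE pattern. The bound parameter below stops SQL injection, but
// LIKE still treats % and _ inside the value as wildcards, so escape them to
// keep a term like "%" from matching every row (MySQL's default escape is \).
function like_pattern(string $term): string
{
    return '%' . strtr($term, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']) . '%';
}

$s = trim((string) ($_POST['search'] ?? ''));
if ($s === '' || mb_strlen($s) > 100) {
    exit('Please enter a search term of 1 to 100 characters.');
}

$stmt = mysqli_prepare($conn,
    'SELECT engine_name, device_type, cost_name FROM engine_cost WHERE cost_name LIKE ?');
if ($stmt === false) {
    error_log('search.php prepare failed: ' . mysqli_error($conn)); // log it, do not show the user
    exit('Search is temporarily unavailable.');
}
$pattern = like_pattern($s);
mysqli_stmt_bind_param($stmt, 's', $pattern);   // value travels separately from the SQL text
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);        // requires the mysqlnd driver

echo 'You searched for: ' . h($s) . '<br>The results are as follows:';
while ($row = mysqli_fetch_assoc($result)) {
    echo '<br><br>' . h($row['engine_name']) . '<br>'
       . h($row['device_type']) . '<br>'
       . h($row['cost_name']) . '<br>';
}
mysqli_stmt_close($stmt);
```

Note that the database error text is written to the server log rather than printed: the original `printf("Error: %s", mysqli_error($conn))` tells a visitor the exact table and column names that a failed query touched.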

2, Message board

(1) Implementing a message board in PHP

1. Functions of message board:

(1) Load the messages posted earlier

(2) Submit a new message

(3) After the message is submitted, it is loaded and displayed

(4) The message content is stored in the database.

2. Code example

(1) Front end main page

<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
    <title>php Message Board</title>
</head>
<body>
<h1>Message Board</h1>
<form id="form2" action="liuyan.php" name="form2" method="post">
    <p>
        <label for="account">Account number:</label>
        <input type="text" name="account" id="account">
    </p>
    <p>
        <label for="name">Nickname:</label>
        <input type="text" name="name" id="name">
    </p>
    <p>
        <label for="mail">Email:</label>
        <input type="text" name="mail" id="mail">
    </p>
    <p>
        <label for="content">Message content</label>
        <textarea name="content" id="content"></textarea>
    </p>
    <p>
        <input type="submit" name="submit" id="submit" value="Submit">
    </p>
</form>
<hr>
<p>Message content:</p>
<hr>
</body>
</html>
(2) The back-end liuyan.php file processes the data submitted by the user
<?php
#Set the PHP output encoding
header("Content-type:text/html;charset=utf-8");
include('config/conn.php');
$a = $_POST['account'];
$n = $_POST['name'];
$m = $_POST['mail'];
$c = $_POST['content'];
#Test that the submitted message is received (commented out)
#echo 'ID: ' . $a . ', Nickname: ' . $n . ', Mailbox: ' . $m . ', Content: ' . $c . '<br>';
#Insert the message into the database (the table name is quoted with backticks; single quotes would make it a string literal and a syntax error)
$sql1 = "INSERT INTO `liu_yan_ban`(account,name,mail,content) VALUES('$a','$n','$m','$c');";
mysqli_query($conn,$sql1);
#Alternative: do not execute the statement if the account number (ID) is empty
/*
if(!empty($a)){
    $sql1 = "INSERT INTO `liu_yan_ban`(account,name,mail,content) VALUES('$a','$n','$m','$c');";
    mysqli_query($conn,$sql1);
}*/
#Display the message content saved to the database
$sql2 = "SELECT * FROM liu_yan_ban";
$result = mysqli_query($conn,$sql2);
#Check for query errors
if (!$result) {
    printf("Error: %s\n", mysqli_error($conn));
    exit();
}
while($row = mysqli_fetch_array($result,MYSQLI_ASSOC)){
    echo '<br>';
    echo 'account number:' . $row['account'] . '<br>';
    echo 'Nickname?' . $row['name'] . '<br>';
    echo 'Email:' . $row['mail'] . '<br>';
    echo 'Content:' . $row['content'] . '<br>';
}
?>
(3) config/conn.php file
<?php
#Set parameters
$servername = "localhost";
$username = "root";
$password = "root";
$database = "liu_yan_ban";
#Create connection
$conn = mysqli_connect($servername, $username, $password,$database);
#Check connection
if(!$conn){
    die("Connection failed:" . mysqli_connect_error());
}
$db_select = mysqli_select_db($conn,'liu_yan_ban');
if(!$db_select){
    #A failed database selection is reported by mysqli_error(), not mysqli_connect_error()
    die("Database selection failed:" . mysqli_error($conn));
}
#echo "connection succeeded!";
?>
(2) Vulnerabilities

1. Because user input such as messages, comments and private messages is stored in the database and output again later, a site that does not handle that user data properly is prone to stored cross-site scripting (stored XSS) attacks.

(3) How to find this type of vulnerability

1. Code audit.

2. Look for places where users can control what the page outputs.
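The message board stores user text and later writes it back into the page, which is exactly the path a stored XSS payload takes. The defence is to validate on the way in, keep the stored text unchanged, and HTML-encode every field at the moment it is placed in the page. The following hardened version of liuyan.php is an added example, not code from the original post; it assumes the post's config/conn.php (providing `$conn`) and the `liu_yan_ban` table with the four columns the post inserts, and `validate_message()` and `h()` are helper names chosen here.

```php
<?php
// Added example, not code from the original post: a hardened version of liuyan.php.
// Assumes the post's config/conn.php provides $conn (mysqli) and the table
// liu_yan_ban(account, name, mail, content) used in the post.
header('Content-Type: text/html; charset=utf-8');
include('config/conn.php');

// Encode at output time. ENT_SUBSTITUTE keeps invalid UTF-8 from turning the
// whole string into "" silently, which would hide content from moderators.
function h($v): string
{
    return htmlspecialchars((string) $v, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Validate the submitted fields; returns a list of error messages (empty means ok).
// Length limits (assumed values) bound what an abusive client can store.
function validate_message(array $post): array
{
    $errors = [];
    foreach (['account' => 32, 'name' => 32, 'content' => 2000] as $field => $max) {
        $value = trim((string) ($post[$field] ?? ''));
        if ($value === '' || mb_strlen($value) > $max) {
            $errors[] = "$field must be 1 to $max characters";
        }
    }
    if (filter_var($post['mail'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'mail must be a valid e-mail address';
    }
    return $errors;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validate_message($_POST);
    if ($errors) {
        echo '<p>' . h(implode('; ', $errors)) . '</p>';
    } else {
        // Prepared statement: the values are sent separately from the SQL text,
        // so quotes or SQL keywords inside a message cannot change the query.
        $stmt = mysqli_prepare($conn,
            'INSERT INTO liu_yan_ban (account, name, mail, content) VALUES (?, ?, ?, ?)');
        $account = trim($_POST['account']);
        $name    = trim($_POST['name']);
        $mail    = $_POST['mail'];
        $content = trim($_POST['content']);
        mysqli_stmt_bind_param($stmt, 'ssss', $account, $name, $mail, $content);
        mysqli_stmt_execute($stmt);
        mysqli_stmt_close($stmt);
    }
}

// Store raw, encode on output: the database keeps exactly what the user wrote,
// and each field is encoded as it is written into the page, so a stored message
// containing <script> tags is displayed as visible text, not executed.
$result = mysqli_query($conn, 'SELECT account, name, mail, content FROM liu_yan_ban');
if (!$result) {
    error_log('liuyan.php select failed: ' . mysqli_error($conn));
    exit('Messages are temporarily unavailable.');
}
while ($row = mysqli_fetch_assoc($result)) {
    echo '<br>'
       . 'Account number: ' . h($row['account']) . '<br>'
       . 'Nickname: '       . h($row['name'])    . '<br>'
       . 'Email: '          . h($row['mail'])    . '<br>'
       . 'Content: '        . h($row['content']) . '<br>';
}
```

Encoding on output rather than on input is the choice that keeps the data reusable: the same stored message can later be sent as JSON, e-mail or plain text, each with its own encoding, without having HTML entities baked into the database.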

3, PHP global variable $_SERVER

1. The $_SERVER superglobal can be used to obtain the browser, IP address, device operating system and other information about the client.

4, CSRF Cross Site Request Forgery

(1) Overview

1. The attacker knows the browsing habits of an administrator and plants a web page containing JS code on a platform the administrator likes to visit, so as to obtain information from the website the administrator manages.

2. When the administrator visits that platform, the code is triggered.

3. Because the administrator's browser is already logged in to the managed website, the attacker can obtain management permission on that website.

(2) Prevention methods

1. On the managed website: check the source of each request and filter out forged requests.
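"Check the source and filter" maps onto two checks that complement each other: compare the Origin or Referer header of a state-changing request with the site's own host, and require a per-session token that a page on another site cannot read. The code below is an added example, not code from the original post; it assumes PHP sessions are available, `ALLOWED_HOST` is an assumed value, and the function names are chosen here. It is written to sit at the top of a handler such as liuyan.php.

```php
<?php
// Added example, not code from the original post: two CSRF checks for a
// state-changing POST such as the message board's submission to liuyan.php.
// Assumes PHP sessions; ALLOWED_HOST is an assumed value for the site's own host.
session_start();
const ALLOWED_HOST = 'www.example.com';

// 1. Source check: a request forged from another site carries that site's
//    Origin (or, for older browsers, Referer), so compare the host part with ours.
function request_from_own_site(array $server): bool
{
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if ($source === '') {
        return false;                        // no source at all: do not trust it
    }
    $host = parse_url($source, PHP_URL_HOST); // host only, so a path or query cannot spoof it
    return is_string($host) && strcasecmp($host, ALLOWED_HOST) === 0;
}

// 2. Token check: the form carries a random secret tied to the session. The
//    same-origin policy keeps another site's page from reading it, so a forged
//    request cannot include the right value.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to print inside the <form> of the message board page.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
         . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

function csrf_token_valid($submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    // hash_equals compares in constant time and only accepts a string argument.
    return is_string($submitted) && $expected !== '' && hash_equals($expected, $submitted);
}

// --- usage at the top of the handler, before any INSERT ---
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!request_from_own_site($_SERVER) || !csrf_token_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Request rejected: it did not come from this site\'s own form.');
    }
    // safe to process the submitted message from here on
}
```

The token check is the one that matters; the Origin/Referer comparison is cheap defence in depth, since some clients and privacy extensions strip those headers, which is why an absent header is rejected rather than skipped.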

5, $_SERVER details

$_SERVER['HTTP_ACCEPT_LANGUAGE'] // browser language
$_SERVER['REMOTE_ADDR'] // IP address of the current user
$_SERVER['REMOTE_HOST'] // host name of the current user
$_SERVER['REQUEST_URI'] // URI of the request
$_SERVER['REMOTE_PORT'] // port used by the client
$_SERVER['SERVER_NAME'] // name of the server host
$_SERVER['PHP_SELF'] // file name of the script being executed
$_SERVER['argv'] // arguments passed to the script
$_SERVER['argc'] // number of command line arguments passed to the script
$_SERVER['GATEWAY_INTERFACE'] // version of the CGI specification
$_SERVER['SERVER_SOFTWARE'] // server identification string
$_SERVER['SERVER_PROTOCOL'] // name and version of the protocol used to request the page
$_SERVER['REQUEST_METHOD'] // request method used to access the page
$_SERVER['QUERY_STRING'] // query string
$_SERVER['DOCUMENT_ROOT'] // document root directory under which the current script is executing
$_SERVER['HTTP_ACCEPT'] // content of the Accept: header of the current request
$_SERVER['HTTP_ACCEPT_CHARSET'] // content of the Accept-Charset: header of the current request
$_SERVER['HTTP_ACCEPT_ENCODING'] // content of the Accept-Encoding: header of the current request
$_SERVER['HTTP_CONNECTION'] // content of the Connection: header of the current request, for example "keep-alive"
$_SERVER['HTTP_HOST'] // content of the Host: header of the current request
$_SERVER['HTTP_REFERER'] // URL of the page that linked to the current page
$_SERVER['HTTP_USER_AGENT'] // content of the User-Agent: header of the current request
$_SERVER['HTTPS'] // set to a non-empty value ("on") if accessed through HTTPS, otherwise "off"
$_SERVER['SCRIPT_FILENAME'] // absolute path name of the currently executing script
$_SERVER['SERVER_ADMIN'] // administrator information
$_SERVER['SERVER_PORT'] // port used by the server
$_SERVER['SERVER_SIGNATURE'] // string containing the server version and virtual host name
$_SERVER['PATH_TRANSLATED'] // file system (not document root) based path to the current script
$_SERVER['SCRIPT_NAME'] // path of the current script; useful when a page needs to point to itself
$_SERVER['PHP_AUTH_USER'] // when PHP runs as an Apache module with HTTP authentication, the user name entered by the user
$_SERVER['PHP_AUTH_PW'] // when PHP runs as an Apache module with HTTP authentication, the password entered by the user
$_SERVER['AUTH_TYPE'] // when PHP runs as an Apache module with HTTP authentication, the authentication type
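The entries above fall into two trust classes: values the server derived itself (REMOTE_ADDR, REQUEST_METHOD, SERVER_NAME) and the HTTP_* entries, which are copied verbatim from request headers that the client writes. Recording visitor IP and User-Agent, which the title of this post mentions, therefore needs the same validation and output encoding as any form field. The script below is an added example, not code from the original post; it assumes the post's config/conn.php (providing `$conn`), a hypothetical `access_log` table, an assumed `TRUSTED_PROXIES` list, and helper names chosen here.

```php
<?php
// Added example, not code from the original post: recording the visitor's IP and
// User-Agent from $_SERVER without trusting them blindly. Assumes the post's
// config/conn.php provides $conn (mysqli) and a hypothetical table
// access_log(ip VARCHAR(45), user_agent VARCHAR(255), uri VARCHAR(255)).

// REMOTE_ADDR comes from the TCP connection, so it is the one IP value the server
// itself observed. Behind a reverse proxy the original client IP arrives in a
// header instead, but any header is written by whoever sent the request, so it is
// consulted only when the connection comes from a proxy we operate.
const TRUSTED_PROXIES = ['127.0.0.1'];   // assumption: a local reverse proxy

function client_ip(array $server): string
{
    $ip = $server['REMOTE_ADDR'] ?? '';
    if (in_array($ip, TRUSTED_PROXIES, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // First address in the chain is the client as seen by our proxy.
        $ip = trim(explode(',', $server['HTTP_X_FORWARDED_FOR'])[0]);
    }
    // Store only a syntactically valid IPv4/IPv6 address, never free text,
    // in the IP column; anything else is recorded as unknown.
    return filter_var($ip, FILTER_VALIDATE_IP) !== false ? $ip : '0.0.0.0';
}

function header_value(array $server, string $key, int $max = 255): string
{
    // Every HTTP_* entry is request data: strip control characters (which would
    // corrupt log lines) and cap the length before it reaches the database.
    $v = (string) ($server[$key] ?? '');
    $v = preg_replace('/[\x00-\x1F\x7F]/', '', $v);
    return mb_substr($v, 0, $max);
}

function h($v): string
{
    return htmlspecialchars((string) $v, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// --- usage ---
header('Content-Type: text/html; charset=utf-8');
include('config/conn.php');

$ip  = client_ip($_SERVER);
$ua  = header_value($_SERVER, 'HTTP_USER_AGENT');
$uri = header_value($_SERVER, 'REQUEST_URI');

// Bound parameters: a User-Agent containing quotes or SQL text is stored as-is.
$stmt = mysqli_prepare($conn, 'INSERT INTO access_log (ip, user_agent, uri) VALUES (?, ?, ?)');
mysqli_stmt_bind_param($stmt, 'sss', $ip, $ua, $uri);
mysqli_stmt_execute($stmt);
mysqli_stmt_close($stmt);

// Encode before echoing: a visitor who sends User-Agent: <script>...</script>
// sees it rendered as text, and so does an administrator viewing the log later.
echo 'Your IP: ' . h($ip) . '<br>Your browser: ' . h($ua) . '<br>';
```

The last point is the one most often missed: an access-log viewer in the admin area is also a page that outputs stored user data, so a User-Agent string is a stored XSS vector in exactly the way the message board content is.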

Topics: PHP Database MySQL Web Security