In daily development, security has always been one of the key contents we want to study. In security, the most important point is our input data. All attacks and ultra vires occur from a inadvertently left request vulnerability. Of course, many frameworks have solved most of the security problems for us, but there are always unexpected places where we forget to add filtering or omit some verification. The extension we want to learn today was born to solve this problem.
What is Taint
We got it in the last article. We also want to introduce an extension tool of brother bird. Taint is one of the works of brother bird's great God. However, this extension is not recommended to be installed in the production environment. Its main battlefield is to use it in our test environment. Its main function is if we use unprocessed$_ GET , $_ POST , $_ For variables such as COOKIE, a warning message will be reported. Note that this is a warning, not an error or exception. Generally, in the online environment, we will habitually turn off the error reporting of warning information, so the online function of this extension is limited.
The installation of the extension is very simple. You can download the corresponding extension and then install the ordinary extension without the support of other components in the operating system. For details of this extension, please refer to the description of brother bird article in the second link at the end of the article.
How to use it?
php.ini, and then set taint enable = 1 . This extension is officially enabled. Then we test through the code.
$a = $_GET['a'];
$file_name = '/tmp' . $a;
$output = "Welcome, {$a} !!!";
$var = "output";
$sql = "Select * from " . $a;
echo $a, "<br/>"; // Warning: main() [echo]: Attempt to echo a string that might be tainted in /data/www/blog/taint/1.php on line 10
echo $output, "<br/>"; // Warning: main() [echo]: Attempt to echo a string that might be tainted in /data/www/blog/taint/1.php on line 12
print $$var; echo "<br/>"; // Warning: main() [print]: Attempt to print a string that might be tainted in /data/www/blog/taint/1.php on line 14
include($file_name);echo "<br/>"; // Warning: main() [include]: File path contains data that might be tainted in /data/www/blog/taint/1.php on line 16
mysqli_query(null, $sql);echo "<br/>"; // Warning: main() [mysqli_query]: SQL statement contains data that might be tainted in /data/www/blog/taint/1.php on line 18We use php -S to debug the test file. After accessing the test file and taking the a parameter, we can see that the following operations will report warnings. The unfiltered $a, whether spliced into a string or as a variable, is only through echo, print, include or mysqli_ After the query() function is called, an alarm will appear immediately, reminding you that the data string you use needs to be filtered. taint means stain. May be tainted means having tainted content.
Most functions such as output or database operation will report these warnings. The specific information of these contents can be found in the official documents.
We can also verify whether a variable contains such unprocessed data through a judgment function.
var_dump(is_tainted($var)); // bool(false) echo "<br/>"; var_dump(is_tainted($output)); // bool(true) echo "<br/>";
Why not call the police?
How not to let it call the police? That is, of course, data processing.
$output = "Welcome, ".htmlentities($a)." !!!"; echo $output, "<br/>"; $sql = "Select * from " . mysqli_escape_string(null, $a); mysqli_query(null, $sql);echo "<br/>";
When outputting html code, it corresponds to the prevention of XSS attack. During database operation, escape the SQL injection attack. After using these processing functions for data security processing, there will be no alarm information.
It can be seen that this extension is really a good helper in our daily development and debugging, especially in the test environment. As mentioned earlier, there will always be omissions and forgets. Making the program automatically discover these contents through this extension can greatly improve the security of our development.
Detection and conversion function
Finally, in the Taint extension, two functions are provided to enforce and remove warnings. Of course, they are also convenient for debugging in the test environment.
$newOutput = "Welcome !!!";
echo $newOutput, "<br/>";
var_dump(taint($newOutput)); // bool(true)
echo $newOutput, "<br/>"; // // Warning: main() [echo]: Attempt to echo a string that might be tainted in /data/www/blog/taint/1.php on line 39
$newOutput = "Welcome {$a} !!!";
echo $newOutput, "<br/>"; // Warning: main() [echo]: Attempt to echo a string that might be tainted in /data/www/blog/taint/1.php on line 42
var_dump(untaint($newOutput)); // bool(true)
echo $newOutput, "<br/>";The taint() function can make a normal statement report a warning. However, infinite () can make a data that should be alarmed not alarmed.
summary
It is also a very small expansion, but it is really useful after learning, and it is especially suitable to provide you with an alarm system for comprehensively detecting safety and quality in our test environment. As the article has always emphasized, omission is inevitable for medium and large-scale project development. Even if there is a perfect code review mechanism, there will always be loopholes that everyone misses. It's the best way to test through procedures. You can try more.
Test code:
Reference documents: