Most of the code examples are not tied to a particular programming language, but for clarity we will use PHP.
Let's go.
1. Protection against SQL injection
Suppose you have a website with a username input form. To check whether the name exists in the database, you use the following code:
$query = "SELECT * FROM `Users` WHERE UserName='" . $_POST["Username"]. "'";
mysql_query($query);
$_POST["Username"] is taken straight from the user. If the Username field contains:
' or '1'='1
the query becomes:
SELECT * FROM `Users` WHERE UserName = '' OR '1'='1'
which matches every row. Worse, the field can contain:
a';DROP TABLE `Users`; SELECT * FROM `userinfo` WHERE 't' = 't
producing:
SELECT * FROM `Users` WHERE `UserName` = 'a';DROP TABLE `Users`; SELECT * FROM `userinfo` WHERE 't' = 't'
Protection against SQL injection:
Use prepared statements, which send the query text and the parameter values separately. In PHP with MySQLi:
$stmt = $db->prepare('update people set name = ? where id = ?');
$stmt->bind_param('si',$name,$id);
$stmt->execute();
- Escaping
Alternatively, escape the input: PHP's mysql_real_escape_string escapes the characters that are special inside a string literal (the mysql_* functions were removed in PHP 7; use mysqli_real_escape_string there, or better, prepared statements):
$query = sprintf("SELECT * FROM `Users` WHERE UserName='%s'",
mysql_real_escape_string($_POST["Username"]));
mysql_query($query);
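As an added example (not from the original article), the same username lookup is run both ways against the tautology payload shown above, so the difference between splicing and binding is visible in the row counts. To keep it self-contained it uses an in-memory SQLite database through PDO, which is an assumption; the prepared-statement calls are identical for MySQL with a "mysql:host=...;dbname=..." DSN.

```php
<?php
// Added example, not the article's code: unsafe string splicing versus a
// bound parameter, run against in-memory SQLite via PDO (assumption made so
// the script runs offline; the PDO API is the same for MySQL).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Users (UserName TEXT)');
$db->exec("INSERT INTO Users (UserName) VALUES ('alice'), ('bob')"); // constructed rows

// Constructed attacker input: the tautology payload from the text above.
$input = "' or '1'='1";

// Unsafe: the input becomes part of the SQL text, so the quote closes the
// literal and the OR clause is parsed as part of the WHERE condition.
function countUnsafe(PDO $db, string $username): int
{
    $sql = "SELECT COUNT(*) FROM Users WHERE UserName='" . $username . "'";
    return (int) $db->query($sql)->fetchColumn();
}

// Safe: the value is sent as a parameter and compared as a plain string,
// whatever quotes or semicolons it contains.
function countSafe(PDO $db, string $username): int
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM Users WHERE UserName = ?');
    $stmt->execute([$username]);
    return (int) $stmt->fetchColumn();
}

echo 'unsafe query matched rows: ', countUnsafe($db, $input), "\n";
echo 'prepared query matched rows: ', countSafe($db, $input), "\n";
```

The unsafe variant matches every user because the injected OR clause is always true; the prepared variant matches none, since no user is literally named `' or '1'='1`.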
2. Cross Site Scripting (XSS)
XSS , - , : , , . XSS - Javascript , , .
? , . . .
<form id="myForm" action="showResults.php" method="post">
<div><textarea name="myText" rows="4" cols="30"></textarea><br />
<input type="submit" value="Submit" name="submit" /></div>
</form>
showResults.php:
echo("You typed this:");
echo($_POST['myText']);
To stop injected javascript from running, pass the output through htmlentities(), which turns the markup characters into entities:
echo("You typed this:");
echo(htmlentities($_POST['myText']));
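As an added example (not from the original article), a small escaping helper shows the two flags a practitioner should pass along with htmlentities(): ENT_QUOTES, so that a double or single quote cannot close an attribute value, and the character set, so multi-byte input is not mangled. The helper name `e()` and the payload are constructed for illustration.

```php
<?php
// Added example, not the article's code: htmlentities() with the options that
// matter in practice. ENT_QUOTES escapes both " and ' (needed inside
// attributes); the charset argument keeps UTF-8 input intact.
function e(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed attacker input: closes an attribute, then injects a script tag.
$payload = '"><script>alert(1)</script>';

// Body context: tag characters become entities and render as literal text.
echo 'You typed this: ' . e($payload) . "\n";

// Attribute context: without ENT_QUOTES the leading quote would end the
// value attribute and the rest of the payload would become live markup.
echo '<input type="text" name="myText" value="' . e($payload) . '">' . "\n";
```

Escaping is context-specific: this helper is correct for HTML text and quoted attribute values, but a value placed inside a script block or a URL needs encoding for that context instead.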
3. HTTPS
. , — HTTPS. - .
4.
-, . , .
If public_html/files contains mysecretdoc.pdf, it can be fetched directly as mysecurewebsite.com/files/mysecretdoc.pdf.
- c files ,
- .htaccess
5.
. (MD5+salt), , .
— , - . , .
— (-) RSA . .
— , Facebook, Twitter OpenID. .
6.
, , . , , . , .
, . , , .
PHP: ionCube, ZendGuard, SourceGuardian
: Thicket Obfuscator for PHP
7.
, , , .
. / . , .
MySQL.
delimiter |
-- Model must be a VARBINARY/BLOB column: AES_ENCRYPT returns binary data.
CREATE TRIGGER insert_encrypt BEFORE INSERT ON cars
FOR EACH ROW BEGIN
SET NEW.Model = AES_ENCRYPT(NEW.Model,"my passphrase");
END;
|
CREATE TRIGGER update_encrypt BEFORE UPDATE ON cars
FOR EACH ROW BEGIN
SET NEW.Model = AES_ENCRYPT(NEW.Model,"my passphrase");
END;
|
delimiter ;
Reading the data back decrypts it inside the SQL query:
SELECT
...
AES_DECRYPT(Model,"my passphrase"),
...
FROM cars
. , . .
:
8. (PHP, shared server)
, , - .
PHP:
userName|s:5:"admin";accountNumber|s:9:"123456789";
— . PHP session_set_save_handler
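As an added example (not from the original article), this is one way to use session_set_save_handler so that session data no longer sits in the host-wide temporary directory where other accounts on a shared server may read it: a handler that writes session files into an owner-only directory. The class name, the directory path and the sample session value are assumptions; it needs PHP 8.

```php
<?php
// Added example, not the article's code: a session store that keeps files in
// a 0700 directory owned by this application instead of the shared /tmp.
// The directory path is an assumption; in deployment it lives outside the web root.
final class PrivateFileSessionHandler implements SessionHandlerInterface
{
    public function __construct(private string $dir) {}

    public function open(string $savePath, string $sessionName): bool
    {
        if (!is_dir($this->dir)) {
            mkdir($this->dir, 0700, true); // owner-only directory
        }
        return is_dir($this->dir);
    }

    public function close(): bool
    {
        return true;
    }

    private function path(string $id): string
    {
        // PHP session ids only ever contain [A-Za-z0-9,-]; anything else is
        // rejected so the id cannot be used to escape the directory.
        if (!preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id)) {
            throw new InvalidArgumentException('malformed session id');
        }
        return $this->dir . '/sess_' . $id;
    }

    public function read(string $id): string|false
    {
        $f = $this->path($id);
        return is_file($f) ? (string) file_get_contents($f) : '';
    }

    public function write(string $id, string $data): bool
    {
        $f = $this->path($id);
        $ok = file_put_contents($f, $data, LOCK_EX) !== false;
        chmod($f, 0600); // owner read/write only
        return $ok;
    }

    public function destroy(string $id): bool
    {
        $f = $this->path($id);
        return !is_file($f) || unlink($f);
    }

    public function gc(int $maxLifetime): int|false
    {
        $removed = 0;
        foreach (glob($this->dir . '/sess_*') ?: [] as $f) {
            if (filemtime($f) + $maxLifetime < time() && unlink($f)) {
                $removed++;
            }
        }
        return $removed;
    }
}

// Register before session_start(); the second argument also registers
// session_write_close() as a shutdown function.
session_set_save_handler(new PrivateFileSessionHandler(__DIR__ . '/../private_sessions'), true);
session_start();
$_SESSION['userName'] = 'admin'; // constructed sample value, as in the dump above
```

Storing sessions in a database table that only the application's credentials can read follows the same interface; only read(), write(), destroy() and gc() change.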
9.
. .
, . PHP :
error_reporting(0);
@ini_set('display_errors', 0);
, , . PHP set_error_handler(). , set_error_handler().
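As an added example (not from the original article), the two settings above are combined with set_error_handler() and set_exception_handler() so that the full error detail reaches a log file while the visitor gets only a generic message. The log path is an assumption and should point outside the web root.

```php
<?php
// Added example, not the article's code: keep error detail for the developer,
// hide it from the visitor. The log file path is an assumption.
error_reporting(E_ALL);
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', __DIR__ . '/../private/php-errors.log'); // assumed path, outside the web root

set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    // Full detail (message, file, line) goes to the log only.
    error_log(sprintf('[%d] %s in %s:%d', $errno, $errstr, $errfile, $errline));
    // The visitor sees nothing that reveals paths, queries or internal hosts.
    if (!headers_sent()) {
        http_response_code(500);
    }
    echo 'An internal error occurred.';
    return true; // true: PHP's built-in handler does not run afterwards
});

// set_error_handler() does not see uncaught exceptions; handle those too.
set_exception_handler(function (Throwable $e): void {
    error_log(sprintf('uncaught %s: %s in %s:%d', get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
    if (!headers_sent()) {
        http_response_code(500);
    }
    echo 'An internal error occurred.';
});

// Constructed trigger to show the handler in action: the message below is
// written to the log, the browser only sees the generic text.
trigger_error('database connection failed: user=app host=db.internal', E_USER_WARNING);
```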
10.
. , SSL MySQL PHP.
11. Form spoofing
: example.com/edit_user.php?id=12345. 12345 . .
, GET POST . . , POST .
, . , .
, . - .
<input name="gender" type="radio" value="m" />Male
<input name="gender" type="radio" value="f" />Female
, m f, .
.
<input name="gender" type="text" value="m';DROP TABLE `Users`; ... " />
mysql_real_escape_string(), ( ).
substr($_POST['gender'],0,1)
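As an added example (not from the original article), here is server-side validation for the two spoofable inputs shown in this section: the id in the edit_user URL and the gender radio value. Rather than trimming the value with substr(), it compares against the complete allowed set with strict comparison and ties the id to the logged-in user. The function name, the allowed-value list and the sample requests are assumptions.

```php
<?php
// Added example, not the article's code: validate fields that the browser
// "restricts" only on the client. Function and sample data are constructed.
function validateEditUserRequest(array $post, array $get, int $currentUserId): array
{
    // 1. The id in the URL must be a positive integer, and it is honoured
    //    only if it is the logged-in user's own id.
    $id = filter_var($get['id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    if ($id !== $currentUserId) {
        throw new RuntimeException('not allowed to edit user ' . $id);
    }

    // 2. The radio value is checked against the full allowed set with strict
    //    comparison. "m';DROP TABLE ..." is rejected outright instead of
    //    silently becoming "m" via substr().
    $allowedGender = ['m', 'f'];
    $gender = $post['gender'] ?? '';
    if (!is_string($gender) || !in_array($gender, $allowedGender, true)) {
        throw new InvalidArgumentException('gender must be one of m, f');
    }

    return ['id' => $id, 'gender' => $gender];
}

// Constructed requests: a legitimate one, then the spoofed text field from above,
// then an attempt to edit another user's record.
var_dump(validateEditUserRequest(['gender' => 'f'], ['id' => '12345'], 12345));
foreach ([
    [['gender' => "m';DROP TABLE `Users`; ..."], ['id' => '12345'], 12345],
    [['gender' => 'm'], ['id' => '12346'], 12345],
] as [$post, $get, $me]) {
    try {
        validateEditUserRequest($post, $get, $me);
    } catch (InvalidArgumentException | RuntimeException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

Validation and the database layer are separate defences: the whitelist check rejects malformed values early, and the prepared statement from section 1 still protects the query if a value slips through.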
12. Cross-site request forgery (CSRF)
XSS, . , Vasya , :
<img src="http://mysecurebank.com/withdraw?account=petya&amount=1000000&for=vasya" />
Petya,
http://mysecurebank.com/withdraw?account=petya&amount=1000000&for=vasya
, , Petya , , , .
— GET POST ( ). . :
<form id="f" action="http://mysecurebank.com/withdraw" method="post">
<input name="account" value="petya" />
<input name="amount" value="1000000" />
<input name="for" value="vasya" />
</form>
— . .
- HTTP . . , . .
- , . , (XmlHttpRequest ).
- ( ). — .
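As an added example (not from the original article), this is the per-session secret token approach for the withdraw form above: a random token stored in the session, echoed into a hidden field, and checked with a constant-time comparison on every POST. A page on another origin cannot read the token, so the forged form from the text fails the check. The function names and the "/withdraw" path are assumptions; the SameSite cookie attribute needs PHP 7.3 or newer.

```php
<?php
// Added example, not the article's code: synchronizer-token CSRF protection.
// Function names and the form action path are assumptions.
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true]); // browser-side backstop
session_start();

function csrfToken(): string
{
    // One unpredictable token per session, 256 bits from the CSPRNG.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfFieldHtml(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlentities(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

function csrfCheck(array $post): bool
{
    $sent = $post['csrf_token'] ?? '';
    // hash_equals compares in constant time; both arguments must be strings.
    return is_string($sent)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $sent);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfCheck($_POST)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token.');
    }
    // ... perform the withdrawal for the logged-in user only ...
    exit('ok');
}

// The form is rendered with the token; a forged form on another site has no
// way to obtain it, so its POST is rejected above.
echo '<form action="/withdraw" method="post">'
   . '<input name="amount" value="">'
   . csrfFieldHtml()
   . '<button>Withdraw</button></form>';
```

The state-changing action must be POST-only for this to hold: if /withdraw also accepted GET, the <img> variant from the text would bypass the form entirely.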
Further reading:
http://en.wikipedia.org/wiki/Cross-site_request_forgery
http://www.codinghorror.com/blog/2008/09/cross-site-request-forgeries-and-you.html
. . PHP (Yii, CakePHP, CodeIgniter, Zend, Symfony) (PHPRunner) . , , , . — .