Anyone who has learned PHP can easily understand the code above, so why use it for analysis? Because while I was studying PHP I read a lot of program code and found one very common problem: most programs do not check the data that comes in from forms rigorously enough. This is probably a matter of how programmers think, because the security measures involved are easy to implement.
Take a simple comment function and assume it has two fields the user must fill in: the commenter's name and the comment content. What we need to check is then as follows:
- Is the form empty?
- Filtering of hidden variables (if there are any; note that the form above has a hidden field with type="hidden", which is easily overlooked)
Many people do perform logical checks, but that only solves the program's logic problem. For a safe program we also need to judge from a security perspective. A program that has not undergone security checks is most vulnerable to the following attacks:
- Modifying hidden variables to make an illegal submission (such as injection)
- Repeated submission of the same form
Editor's note: Attacks that rely on repeated submissions are indeed a very annoying problem. Although the method is not technical, it causes administrators real worry, so it is very necessary to guard against it when writing code.
Modifying hidden variables usually means constructing a copy of the form locally and then setting the hidden variables yourself. If filtering is not in place, one can directly construct:
1' or 1=1 UNION Select * FROM any_table INTO OUTFILE 'c:/www/
and then submit it; there is no need to say what the result will be.
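To make the hidden-variable problem concrete, here is an added example (not code from the original article) of the comment INSERT written two ways: the vulnerable shape, where the hidden field is pasted straight into the SQL string, and a hardened version that validates the hidden field as a positive integer and binds every value through a prepared statement. The table name `comments`, its columns, the field length limits and the function names are assumptions made for illustration; the payload in the usage section is a shortened form of the one quoted above.

```php
<?php
// Added example, not code from the original article. The table `comments`
// with columns (blogid, author, content), the length limits and the helper
// names are assumptions for illustration.

// The hidden field must be a positive integer post id. A string such as
//   1' or 1=1 UNION Select * FROM any_table ...
// fails FILTER_VALIDATE_INT and is rejected before it can reach the database.
function validate_hidden_id($raw)
{
    if (!is_string($raw) && !is_int($raw)) {
        return false;
    }
    return filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
}

// Non-empty check for the two visible fields: returns the trimmed value,
// or false when the field is empty or longer than the assumed limit.
function validate_text($raw, int $maxlen)
{
    if (!is_string($raw)) {
        return false;
    }
    $v = trim($raw);
    return ($v === '' || strlen($v) > $maxlen) ? false : $v;
}

// Vulnerable: every request value becomes SQL syntax. Kept only to show the
// shape of the bug the article describes; do not use.
function insert_comment_vulnerable(mysqli $db, array $post): bool
{
    $sql = "INSERT INTO comments (blogid, author, content) VALUES ('"
         . $post['blogid'] . "', '" . $post['name'] . "', '" . $post['content'] . "')";
    return $db->query($sql) !== false;
}

// Hardened: validate first, then bind the values so they are always data,
// never part of the statement, whatever the client put in the hidden field.
function insert_comment_safe(mysqli $db, array $post): bool
{
    $blogid  = validate_hidden_id($post['blogid'] ?? null);
    $name    = validate_text($post['name'] ?? null, 40);
    $content = validate_text($post['content'] ?? null, 2000);
    if ($blogid === false || $name === false || $content === false) {
        return false;   // empty form or tampered hidden variable
    }
    $stmt = $db->prepare('INSERT INTO comments (blogid, author, content) VALUES (?, ?, ?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('iss', $blogid, $name, $content);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Command-line usage that exercises the validation alone, with no database:
if (PHP_SAPI === 'cli') {
    $payload = "1' or 1=1 UNION Select * FROM any_table";   // shortened form of the article's payload
    var_dump(validate_hidden_id('17'));
    var_dump(validate_hidden_id($payload));
    var_dump(validate_text('   ', 40));
}
```

In a real handler `$db` would be a `new mysqli(...)` connection and `$post` would be `$_POST`; the point is that the hidden `blogid` is never trusted just because the browser normally does not show it, and that the prepared statement keeps the name and content as data even if the integer check were bypassed.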
If you submit the form with POST and then refresh the page, the browser asks whether to resend the data; confirm it and the same form is submitted again, and you can keep repeating that. This wastes server resources, and if the volume is large the site's speed may suffer, especially on sites such as search engines that handle large amounts of data. All of this is the result of one small form not being securely filtered, and I believe no site administrator wants to see it. So we have to defend, and the defense ideas are as follows:
For hidden variables we can use filtering; for repeated submissions we can:
- use a cookie or session to check the interval between two submissions;
- before inserting, use strlen() to compare the title and content being submitted with what is already in the database, so that an identical resubmission is rejected;
- after completing the submission, use Header("Location: url"); to jump to another page.
Below we analyze the if code segment above. For the defense code against the hidden-variable modification attack, see my comments in the code. On the two ways of checking the submission interval, with a cookie or with a session, I have the following views:
Cookie: the information lives on the client, so a tool can be used to modify or delete the cookie and make the check void. Because submissions are sent one after another and the interval between them is very short, the attacker can hardly keep deleting the cookie by hand, but it cannot be ruled out that someone writes a small program to delete cookies. If cookies do not satisfy you, you can use a session.
Session: the information is stored on the server, so the attacker cannot modify its contents, although it costs the server a little in resources. My server is good, I will use Session, don't worry :). One caveat applies to both methods: a client can simply discard the cookie (or the session cookie) and start over with a fresh session, so an interval check stops careless refreshes rather than a determined flooder.
Let's look at the code for verifying in each of these two ways:
Cookie:
Program code
<?php
// error() and succeed() are the author's own helpers that print a message.
// setcookie() must run before any output is sent, so keep this block at the top of the script.
if (isset($_COOKIE['beforeid'])) {
    error("Sorry, the interval between your two submissions is less than 2 minutes<br>");
} else {
    // First check whether the cookie exists. If it does, give an error message; if not, do the real work,
    // such as running the INSERT statement. Afterwards set a cookie to record that a submission was made;
    // 60*2 is the cookie's lifetime in seconds, i.e. 2 minutes.
    setcookie("beforeid", $blogid, time()+60*2, "/", "", 0);
    succeed("Comment submission successful<br>");
}
?>
Session:
Program code
<?php
session_start();   // must be called before any output
// $_SESSION['time'] holds the time of the previous submission
// (the original used session_register()/session_is_registered(), which were removed in PHP 5.4;
// reading and writing $_SESSION directly is the equivalent)
if (isset($_SESSION['time']) && time() - $_SESSION['time'] < 60*2) {
    error("Sorry, the interval between your two submissions is less than 2 minutes<br>");
} else {
    // First check whether the session value exists. If it does, give an error message; if not, do the real work,
    // such as running the INSERT statement. Afterwards store the current time in the session to record
    // that a submission was made; 60*2 means 2 minutes.
    $_SESSION['time'] = time();
    succeed("Comment submission successful<br>");
}
?>
This interval method can be used for all kinds of forms, such as search boxes and message boards, and effectively keeps the program running in an orderly way.
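The two blocks above are tied to a live web request, which makes the interval logic awkward to exercise. As an added example (not code from the original article) that covers the cookie/session idea from the defense list and the session block above, here the check is factored into one function that takes its storage array and the current time as parameters: in a request it is called with `$_SESSION` and `time()`, and at the command line it can be driven with a fake clock. The key name `last_submit`, the 120-second default and the `handle_comment_post()` wrapper are assumptions for illustration.

```php
<?php
// Added example, not code from the original article. Key name 'last_submit',
// the 120-second default and the handler wrapper are assumptions.

// Returns true and records $now if the previous submission in $store is at
// least $interval seconds old (or there is none); otherwise returns false and
// leaves the record untouched, exactly as the error branch above does.
function submission_allowed(array &$store, int $now, int $interval = 120): bool
{
    if (isset($store['last_submit']) && $now - $store['last_submit'] < $interval) {
        return false;
    }
    $store['last_submit'] = $now;
    return true;
}

// Web request: session_start() must precede any output. $insert is the
// caller's function that validates the fields and runs the INSERT.
function handle_comment_post(callable $insert): void
{
    session_start();
    if (!submission_allowed($_SESSION, time())) {
        echo "Sorry, the interval between your two submissions is less than 2 minutes<br>";
        return;
    }
    $insert();
    echo "Comment submission successful<br>";
}

// Command-line walk-through with a controlled clock instead of time().
if (PHP_SAPI === 'cli') {
    $store = [];
    $t0 = 1700000000;                               // arbitrary epoch seconds
    $results = [
        submission_allowed($store, $t0),            // first submission
        submission_allowed($store, $t0 + 30),       // 30 s later
        submission_allowed($store, $t0 + 121),      // 121 s after the accepted one
    ];
    var_dump($results);

    // A client that discards its session cookie (or has a small program delete
    // it, as noted for cookies above) arrives with an empty store, so its very
    // next request is accepted again.
    $fresh = [];
    var_dump(submission_allowed($fresh, $t0 + 31));
}
```

In the walk-through the second call returns false because only 30 seconds have passed, and the third returns true because the refused attempt did not move `last_submit`, so 121 seconds separate it from the accepted one. The last call shows the limit of the method: with an empty store the check passes immediately, which is why it guards against accidental refreshes rather than a deliberate flood.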
As for the third idea, using Header("Location: url"); to jump to another page: I think that since cookie/session verification has already been added, there is no need to jump rashly. After all, everyone still wants to see the information they just submitted.
How about that? You never thought there was so much to know about validating a small form, right? A few simple lines of code cut off the attacker's path. In fact all of this is very easy; what matters is the developer's approach to verification. I was only able to add cookie/session checking to this idea; combined with Envymask's idea of checking length, I have learned a little more. When developing safe programs the security mindset is what counts: even if you have mastered all kinds of defensive code, if your thinking is not rigorous there is still room for an attacker to take advantage.
I have been learning PHP for less than half a month, and the code I wrote is neither standard nor rigorous enough, so I am showing off my modest skills in front of all the experts.
Postscript: A small program has exposed some common security problems. When writing secure code, paying attention to the problems above is far from enough, but many major script vulnerabilities are caused by just such minor issues. As you often see, after a vulnerability appears in a script program, a single line of code is frequently enough to close it rigorously. Script attack and defense is a contest between clever people, but even clever people slip up, so compared with attacking, defending without a single leak is especially hard.