Common security vulnerabilities in PHP applications include SQL injection, XSS, file upload vulnerabilities, and CSRF. 1. Preprocessing statements should be used to prevent SQL injection, avoid splicing SQL strings, and checksum filtering of inputs; 2. Prevent XSS from escaping content before output, setting appropriate HTTP headers, and not trusting any user input; 3. Prevent file upload vulnerabilities to check file types, rename and upload files, and prohibit uploading directories from executing scripts; 4. Prevent CSRF should use one-time tokens, check Referer and Origin headers, and use POST requests for sensitive operations. Security awareness should be strengthened during development and the built-in mechanism of the framework should be used reasonably to improve security.

PHP is still the underlying language for many web applications, especially in small and medium-sized websites. However, because of its wide application scope and many historical codes, PHP programs are more likely to become targets of attack. If you develop or maintain a PHP website, it is very necessary to understand common security vulnerabilities and how to prevent them.

Injection vulnerability (such as SQL injection)

Injection class vulnerabilities are one of the most common and dangerous problems in PHP applications. For example, SQL injection means that the user submits malicious SQL statements through input boxes, URL parameters, etc., trying to bypass the program logic and directly operate the database.

How to prevent it?

• Use Prepared Statements: Regardless of whether it is native PDO or MySQLi, parameterized queries are supported, which can effectively prevent SQL injection.
• Don't splice SQL strings: Many people are used to constructing SQL queries by splicing strings, which is a taboo.
• Checksum filtering of inputs: For example, the mailbox field must conform to the mailbox format, and the numeric field must be an integer.

For example, if the user enters ' OR '1'='1 , and you splice it directly into SQL:

 $query = "SELECT * FROM users WHERE username = '" . $_POST['username'] . "'";

That will become:

 SELECT * FROM users WHERE username = '' OR '1'='1'

This will make it possible to find all user data. So, don't spell SQL by yourself and be honest and practical to bind parameters.

XSS (cross-site scripting attack)

XSS refers to an attacker inserting a malicious script into a page. When other users browse the page, the script will be executed on their browser, thereby stealing cookies, hijacking sessions, etc.

How to prevent it?

• Escape content before output: Use htmlspecialchars() function to escape the content output to the HTML page.
• Setting appropriate HTTP headers: For example, setting the Content-Security-Policy header to limit the page to only load scripts from the specified source.
• Don't trust any user input: including forms, URL parameters, cookies, etc.

For example, if the user leaves a message <script>alert(&#39;xss&#39;)</script> is written. If you do not escape and display it directly, the person who visits the page will trigger the script. After being escaped with htmlspecialchars() , it will become normal text and will not be executed.

File upload vulnerability

PHP often needs to handle file upload function, but if the verification is not strict, it may be uploaded to Trojans, backdoor scripts, etc., which will lead to the server being trapped.

How to prevent it?

• Check file type in whitelist: Don’t just look at the extension, it’s best to judge by combining MIME type or reading file header.
• Rename upload file: Avoid users uploading .php or .phtml files and accessing them directly.
• The directory where uploaded files is stored prohibits execution of scripts: it can be implemented by configuring .htaccess (Apache) or Nginx rules.

For example, if a user uploads a file named image.php.jpg , some systems only detect the last extension, which is easily bypassed. The correct way is to strictly control the entire file name, or simply change the name to a random string.

CSRF (cross-site request forgery)

CSRF is an attacker inducing users to click on links and let them complete certain operations without knowing them, such as transferring money, deleting data, etc.

How to prevent it?

• Use one-time token: Generate a token before each important operation and verify it on the server side.
• Check the Referer and Origin headers: Although it cannot be fully relied on, it can add a layer of protection.
• Sensitive operations use POST requests: GET requests are more likely to be forged.

For example, if a link to delete an article is a GET request and there is no token verification, the attacker only needs to induce the user to access a picture link to complete the deletion operation.

These vulnerabilities are not uncommon, but problems that almost every PHP project faces. The key is to be safe during the development process and not write "fast code" in order to save trouble. Now many frameworks (such as Laravel) have built-in many protection mechanisms, but if developed manually, you have to do these details by yourself. Basically all this is not complicated but easy to ignore.

The above is the detailed content of Discuss common security vulnerabilities in php web applications and how to prevent them.. For more information, please follow other related articles on the PHP Chinese website!