dangerousphpinfo

phpinfo  Date: 2021-01-11
Index

Special Characters and Numbers
$$key construct, 21
$admin flag, 20
$auth->isAdmin() method, 19
$client variable, 123
$command string, 74
$command variable, 309
$console variable, 287
$_COOKIE array, 203
$_COOKIE variable, 94
$cts* variable, 285
$data variable, 112
$dbPassword variable, 60
$filename variable, 85
$_FILES array, 157
$_FILES['userfile']['error'] variable, 89
$_GET variables, 28, 55, 94, 97, 99–101, 151, 193–194
$hostkey variable, 285
$http_response_header variable, 277
$kex variable, 285
$nonce variable, 123
$output variable, 309
$_POST array, 157
$_POST variable, 28, 50, 55, 103, 129, 151, 193
$productid variable, 202–203
$query variable, 34, 39
$recursive flag, 152
$request variable, 276
$rsync variable, 309
$_SERVER['REQUEST_METHOD'] variable, 112
$_SESSION variable, 94
$_SESSION['showDeleted'] variable, 167
$stc* variable, 286
$target variable, 125
$tempFilename variable, 86
$test variable, 94
$ variable notation, PHP, 59
$variety variable, 33
$words variable, 65
$year variable, 21–23
%0d%0a value, 202
%nn scheme, 262
>&1 command, 309
3DES, 234

A
absolute security, as impossible, 4
abstraction layer
  with external libraries, 42
  for SQL injection, 39
abuse
  preventing in temporary files, 84–89
    checking uploaded files, 89
    making locations difficult, 84–87
    making permissions restrictive, 87–88
    reading from known files only, 89
    writing to known files only, 88–89
  sessions, 96–104
    code abstraction, 102
    fixation, 99
    ineffective solutions, 102–104
    network eavesdropping, 97
    and phishing, 98
    regenerating ids for users with changed status, 101–102
    reverse proxies, 99
    using cookies instead of $_GET variables, 100–101
    using secure sockets layer, 100
    using session timeouts, 101
  of storage, 5
  of user authentication, 134–135
    griefers and trolls, 135
    scammers, 134–135
    spammers, 134
ACCEPT parameter, 105
access control for web applications, 140–154
  RBAC
    and actions, 151
    administrative requirements for, 152
    anonymous role, 149
    assigning roles, 151–152
    assignRoles user interface for, 154
    author role, 149
    checking badges, 154
    editor role, 148
    location access, 150–151
    manageRoles user interface for, 152–154
    member role, 148
    overview, 144–146
    photographer role, 149
    role object, 147–148
    special role names, 149–150
  strategies for, 141–144
    adding content sharing, 144
    separate interfaces, 141–142
    user groups, 143–144
    user types, 142–143
accessing locations, 143
accountability, 155
actions, adding confirmation dialog boxes to, 161–164
addEntry() method, 197
addslashes() function, 26, 39, 67, 77–78
Adleman, Leonard, 236
adminLock column, 161
adminLock flag, 161
AES (Advanced Encryption Standard), 235
AI attack scripts, 130
algorithms, 233–240
  asymmetric algorithms, 236
    Diffie-Hellman-Merkle Key Exchange, 236
    RSA, 236
  base64, 239–240
  email encryption, 237–238
    PGP (Pretty Good Privacy) and GnuPG, 237
    S/MIME, 237–238
  strength of, 232–233
  symmetric, 234–236
    3DES (or Triple-DES), 234
    AES, 235
    Blowfish, 235
    RC4, 235–236
  XOR, 240
allMovies table, 166
ALTER TABLE query, 168
alternatives, to PHP Safe Mode, 219–220
anonymizing proxies, 133
anonymous role, RBAC, 149
Apache server, keeping easily updatable, 321–322
Apache virtual host configuration, 302–303
apiKey parameter, 108
script, 46
application logs, 155
application site, to remote site, 47
arbitrarily complex, 196
archive mode, 309
assigning
  permissions to roles, using checkboxes, 153
  roles, 144–146
  users, to groups, 143
asymmetric algorithms, 236
  Diffie-Hellman-Merkle Key Exchange, 236
  RSA, 236
attacks, 4–9
  automated, 6–7
  human, 5–6
  information provided to users, 8
  against server operation, 8–9
  SQL injection, 36
  users providing information, 4
audio captchas, 120
authenticating REST requests, 108
Authentication Layer, 283
Authentication Layer, SSH, 283
author role, RBAC, 149
authorize() method, 286, 290
authorized_keys file, 285
authorizing REST requests, 108
automated attacks, 6–7
automated user input, 7
awarding badges, to users, 146–147

B
background attribute, 50
backing up, databases, 300
backupDatabase.php file, 312
backups, 228
badges
  awarding to users, 146–147
  for RBAC, checking, 154
base64, 239–240
batch processing, triggering, 188–192
batch processor, 181
blanket permissions, 146
blocking mode, 277
blocks, 241
Blowfish, 235
Boolean values, checking for user input, 23
botnets, 133
tag, 56

C
caching and RPCs, 200–201
CAPTCHA (Completely Automated Public Turing Test to tell Computers and Humans Apart), 117–131
  attacks on challenges, 129
  creating tests using PHP, 122–129
    checking user response, 128–129
    external web services, 122–124
    generating images, 125–127
    placing captcha images in form, 128
    random challenge, 124–125
  kinds of
    audio, 120
    cognitive, 121
    text image, 118–120
  problems in using, 130–131
    AI attack scripts, 130
    hijacking, 130
    time and memory, 130
    unreadable, 130–131
    user difficulties, 131
captchaCheck.php file, 128
captchaForm.php file, 128
captchaGenerate.php file, 124
CAs (Certificate Authorities), 140, 270–271
CBC (Cipher Block Chaining mode), 243
certificate() method, 252, 255, 259
Certificate Authorities (CAs), 140, 270–271
Certificate Revocation List (CRL), 272
certificates, for SSL, 268–273
  CAs for, 270–271
  chain of, 272
  revocation list for, 272–273
CFB (Cipher Feedback mode), 242
changed field, moviesVersions table, 169
checkboxes, using to assign permissions to roles, 153
checkCaptchaInput.php file, 123
checking badges, RBAC, 154
chgrp() function, 214
CHLD signal, 183
chmod() function, 214
chmod command, 66, 210–212
chmod /sbin 700 command, 179
chmod /usr/sbin 700 command, 179
chown() function, 214
chown operation, 180
chroot command, 214
Cipher Block Chaining mode (CBC), 243
Cipher Feedback mode (CFB), 242
Class 1 Certificates, 140
Class 2 Certificates, 140
Class 3 Certificates, 140
close_notify indicator, 277
code abstraction, 102
cognitive captchas, 121
commands, user input with unexpected, 18
communications, using SSL to encrypt, 109
compiling configuration scripts, 299–300
Completely Automated Public Turing Test to tell Computers and Humans Apart. See CAPTCHA
Concurrent Versions System (CVS), 304
configuration scripts, compiling, 299–300
confirmation dialog boxes, adding to actions, 161–164
confirmDelete.php file, 163
connect() method, 286–288
Connection Layer, 283
Connection Layer, SSH, 283
construct() method, 252
Content-Length specification, 204
Content-Type header, 65
cookies, versus $_GET variables, 100–101
cookies.php script, 48
corruption, preventing, 160–164
  adding confirmation dialog boxes to actions, 161–164
  adding locked flags to tables, 161
create-retrieve-update-delete (CRUD), 105
createSHA1Tempfile.php file, 86
createUniqidTempfile.php file, 86
createVersionedBackup.php file, 171
CRL (Certificate Revocation List), 272
cron utility, 175
crontab -e command, 313
crontab file, 191
crontabs, defined, 189
cross-site scripting. See XSS
CRUD (create-retrieve-update-delete), 105
cryptography, 244–259
  asymmetric encryption in PHP, 249–259
  protecting passwords, 244–247
  protecting sensitive data, 248–249
  RSA and OpenSSL functions, 249–259
CVS (Concurrent Versions System), 304
CVS ignore mode, 309

D
Daemen, Joan, 235
daemon
  defined, 181
  PHP, 182
dangerous.html, 204
data
  protecting, 248–249
  verifying important or at-risk, 260–266
    using digests, 260–265
    using signatures, 265–266
data format
  checking for user input, 24
  validating, 24–25
data length, checking for user input, 24
data loss, 159–175
  avoiding record deletion, 164–167
    adding deleted flags to tables, 164–165
    creating less-privileged database users, 165
    enforcing deleted field in SELECT queries, 165–166
    providing undelete interfaces, 167
    using separate table to hide deleted records, 166–167
    using view to hide deleted records, 166
  creating versioned database file store, 170–175
    garbage collection, 172–174
    other means of versioning files, 174
    realistic PHP versioning system, 171–172
    Version Control systems, 174
    WebDAV with Versioning, 174–175
  preventing accidental corruption, 160–164
    adding confirmation dialog boxes to actions, 161–164
    adding locked flags to tables, 161
  versioning, 167–170
data type, checking for user input, 22–24
  Boolean values, 23
  numbers, 22–23
  strings, 22
database file store, versioned, 170–175
  garbage collection, 172–174
  other means of versioning files, 174
  realistic PHP versioning system, 171–172
  Version Control systems, 174
  WebDAV with Versioning, 174–175
database flag, 182
database queries, and user input, 29
database users, creating, 165
databases
  resource-intensive system operations using, 185–188
  securing, 221–228
    database filesystem permissions, 222–223
    global option files, 223
    MySQL accounts, 224–228
    option files, 223
    server-specific option files, 223
    user-specific option files, 223–224
  setting permissions for, as aggressive, 299
date() syntax, PHP, 156
date and time, of log record, 156
date command, 313
datetime type, 168
DAV (Distributed Authoring and Versioning), 174
Davis, Don, 240
decrypt() method, 253, 257
defamation, 5
defenses, layered, 11
delete() method, 289
delete field, 18
DELETE instruction, 36, 167
DELETE privilege, 165
DELETE query, 161, 164
DELETE request, 105
DELETE statement, 224, 228
delete variable, 18
delete-after switch, 309
deleted fields, enforcing in SELECT queries, 165–166
deleted flags, adding to tables, 164–165
deleteOldVersions.php file, 172
demarcating values in queries, 37–38
Denial of Service (DoS), 9, 199
datetime type, 169
Developers Program, eBay, 198
development, maintaining separate from production environment, 303–314
  effective production server security, 306–314
  reasons for separation, 305–306
/dev/random device, 241, 243
/dev/urandom device, 241
DHCP (Dynamic Host Configuration Protocol), 98
Diffie, Whitfield, 236
Diffie-Hellman-Merkle Key Exchange, 236
digests, 260–265
digital Personal Certificate, 140
Digital Signature Algorithm (DSA), 239
digital signature, using for user authentication, 140
disable_classes directive, 220
disable_functions directive, 67, 220
disk quotas, in Unix, 216
display_errors(0) instruction, 30
display_errors directive, 30
Distributed Authoring and Versioning (DAV), 174
distributing updates, using gold server for, 324–325
DNS (Domain Name System), 9
DoS (Denial of Service), 9, 199
drag-and-drop interfaces, 153
drop folder, resource-intensive system operations using, 184–185
DROP TABLES privilege, 227
DSA (Digital Signature Algorithm), 239
du command, 216
Dynamic Host Configuration Protocol (DHCP), 98

E
ECB (Electronic Codebook mode), 241–242
echo packets, ICMP, 179
edit interface, 144
editor role, RBAC, 148
Electronic Codebook mode (ECB), 241–242
email, encryption of, 237–238
  PGP and GnuPG, 237
  S/MIME, 237–238
email addresses
  user input containing, 28–29
  using for user authentication, 135–139
script, 46
enable-memory-limit configuration switch, 217
enable-pcntl option, 182
enable-shared switch, 318
enable-shmop directive, 182
encodeDemo.php file, 52
encoding HTML entities, 52
encrypt() method, 253, 256–258
encryption, 229–266
  algorithms, 233–240
    asymmetric, 236
    base64, 239–240
    email encryption, 237–238
    symmetric, 234–236
    XOR, 240
  applied cryptography, 244–259
    asymmetric encryption in PHP, 249–259
    protecting passwords, 244–247
    protecting sensitive data, 248–249
  hash functions
    DSA, 239
    MD5, 238
    SHA-256, 238–239
  vs. hashing, 229–233
    algorithm strength, 232–233
    password strength, 233
  IV, 243
  modes, 241–243
    CBC, 243
    CFB, 242
    ECB, 241–242
    OFB, 242
  random numbers, 240–241
  streams and blocks, 241
  US government restrictions on exporting encryption algorithms, 243
  verifying important or at-risk data, 260–266
    using digests, 260–265
    using signatures, 265–266
ENT_QUOTES parameter, 52
ENUM column, 164
error_log() function, PHP, 157
error_reporting(0) instruction, 30
error_reporting directive, 30
escapeDemo.php file, 56
escapeshellarg() function, 30, 71, 73, 191
escapeShellArgDemo.php script, 71, 73–74
escapeshellcmd() function, 71, 73–74
escapeShellCmdDemo.php file, 73
escaping questionable characters in queries, 39
/etc directory, 264–265
etc-index file, 264
/etc/my.cnf file, 223
/etc/sudoers file, 178
eval() function, sanitizing input to, 66–71
exec() function, 59, 63
execute permission, 209–210
execution, 83
exit() method, 256
exporting encryption algorithms, US government restrictions on, 243
external web services, 122–124
EZ-Gimpy captcha, 119

F
features, of PHP Safe Mode, 218–219
Ferguson, Niels, 229
fgets() function, 125
file paths, user input containing, 27–28
file_get_contents() function, 28, 78, 113, 198, 289
file_put_contents() function, 60, 289
file_puts() function, PHP, 157
file_uploads directive, 217
fileData class, 261–263
filemtime() function, 174
files
  reading from known only, 89
  uploaded, checking, 89
  versioning, 174
  writing to known only, 88–89
filesystem, filling out, 302
filesystem permissions, 222–223
Filesystem-like permissions, 151
filterURIDemo.php file, 53
financial transactions, verifying identity with, 139
FIRST keyword, 168
fixation, 99
flock() function, 297
FLUSH PRIVILEGES statement, 224–225
tag, 66
fopen() function, 28, 85, 274, 278
foreach() loop, 21
forged URIs, XSS with
  action URIs, 49–50
  image source URIs, 50
forking in PHP Daemons, 183
formats, restricting access to, 107–108
forwarding, 98
fsockopen() function, 198–199, 201, 274
FTP and FTPS wrappers, for PHP, 279–281
ftp_ssl_connect() function, 279–280
ftpsDemo.php file, 279
ftpsWrapperDemo.php file, 280
functions
  hash
    DSA, 239
    MD5, 238
    SHA-256, 238–239
  OpenSSL, asymmetric encryption in, 249–259
  PHP mcrypt, symmetric encryption in, 248–249
  RSA, asymmetric encryption in, 249–259

G
garbage collection, 172–174
gateway services, 139
gateway services, SMS, 139
get() method, 286, 289
GET method, 35, 196
GET request, 51, 105–106, 202, 204, 275–276
getCA() method, 253
getCACommonName() method, 253
getCommonName() method, 253
getDN() method, 253
getimagesize() function, 61
getRoles() method, 152
getStatusCodeMessages() method, 112
gettype() function, 22, 38
Gimpy captcha, 119
global option files, security of, 223
Global System for Mobile Communications (GSM) modem, 139–140
global variables, turning off, 18–20
GnuPG (Gnu Privacy Guard), 237
gold server, using to distribute updates, 324–325
Grönvall, Björn, 284
GRANT privilege, 37, 227
GRANT statement, 147, 225–226
grant tables, controlling database access with, 226
griefers, abusers of user authentication, 135
groups, assigning users to, 143
GSM (Global System for Mobile Communications) modem, 139–140

H
habits of security-conscious developer, 9–12
  layered defenses, 11
  never trust user input, 10
  nothing is 100% secure, 10
  peer review is critical to security, 12
  simpler is easier to secure, 11–12
hash() method, 238
hash functions
  DSA, 239
  MD5, 238
  SHA-256, 238–239
hash_hmac() function, 108
hashing vs. encryption, 229–233
  algorithm strength, 232–233
  password strength, 233
hashTest.php file, 90
header() function, 29, 129
Hellman, Martin, 236
hierarchical namespace, 150
highlight_file() function, 28, 66–67
hijacking, 83–84. See also session hijacking
  CAPTCHAs, 130
  testing protection against, 90–91
home directories, and permissions in Unix, 214–215
/home/csnyder/mydocroot directory, 309
/home/me/public_html directory, 309
Host wildcards, 225
hosting. See shared hosting and security
tag, 56
href attribute, 49
.htaccess files, 20, 67, 296
.htaccess settings, 147
HTML boilerplate, 193
HTML entities, encoding, 52
HTML input, filtering of, 54–55
HTML markup attacks, XSS, 48–49
HTML output, and user input, 30
htmlentities() function, 30, 52
htmlspecialchars() function, 52
HTTP headers
  and RPCs
    HTTP Request Smuggling, 204–205
    HTTP Response Splitting, 202–203
    overview, 201–202
  values, and user input, 29
HTTP protocol, 177
HTTP requests, 157
HTTP web services, 196
HTTP_Response.pdf, 202
HTTPD server log, 155
httpd.conf file, 219–220, 302, 321–323
HTTPS (HyperText Transport Protocol Secure), 267
HTTPS wrapper, for PHP, 277–279
httpsDemo.php file, 277
Hudson, Tim, 268
human attacks, 5–6
HUP signal, 183
Hypertext Preprocessor. See PHP
HyperText Transport Protocol Secure (HTTPS), 267

I
ICMP echo packets, 179
id field
  movies table, 168
  moviesVersions table, 168–169
identity verification, 133–134
ids, regenerating for users with changed status, 101–102
script, 46
IGNORE directive, 167
imageftbbox() function, 126
imagefttext() function, 127
images
  generating, 125–127
  placing in form, 128
/imap option, 282
IMAP server, 185
IMAP support, with PHP, 282
imap_8bit() function, 29
imap_open() function, 282
imapDemo.php file, 282
tag, 46, 50, 56
importing code, allowing only trusted users to, 66
include() function, 60, 66
ini_set() function, 67, 100
ini_set('session.cookie_lifetime'), 101
Initialization Vector (IV), 243
innocuous.html, 204
inputValidationDemo.php file, 24
insert() method, 186
INSERT INTO ... SELECT query, 167
INSERT privilege, 227
INSERT query, 167
INSERT statements, 37
installing
  MySQL, 226–227
  software, 314–319
    compiling by hand, 317–319
    packages, 314–316
    ports, 317
int(1) type, 168
int(10) unsigned type, 168–169
int(11) type, 168–169
integrity.php script, 260, 264–265
interactions, system-level, 155
interfaces
  segregation of, 142
  undelete, 167
Internet Service Provider (ISP), 135–136
intval() function, 22, 38
is_bool() function, 23
is_int() function, 22, 38
is_integer() function, 22, 38
is_long() function, 22, 38
is_numeric() function, 23
is_uploaded_file() function, 89
ISP (Internet Service Provider), 135–136
IV (Initialization Vector), 243

J
JavaScript attacks, XSS, 49
Javascript Object Notation (JSON), 106
.job file, 190–191
jobManagerClass.php file, 185
JSON (Javascript Object Notation), 106
json_decode() function, 106
json_encode function, 106

K
kill command, Unix, 182
Koops, Bert-Jaap, 243

L
LAME MP3 encoder, 191
Language Options area, php.ini file, 218
layered defenses, 11
LDAP server, 147
Lewis, Morris, 221
libmcrypt library, 248
libssh2 library, 284
limitRequestsDemo.php file, 200
load() method, 261, 263
local copies, 300
Location, redirect, 29
locations
  accessing, 143
  making difficult, 84–87
  overview, 82
LOCK TABLES privilege, 227
locked flags, adding to tables, 161
locked.gif file, 62
locked.gif icon, 61
logging data, 154–157
  content to log, 156–157
  ensuring that logging succeeds, 157
  system logs for, 155–156
lowering priority, in PHP Daemons, 183

M
magic_quotes_gpc directive, 26, 39
mail server log, 155
mailbox verification scheme, 136
mailboxes, semi-anonymous, 136
mailboxVerification.php file, 136
make command, 319, 321
make install command, 319, 321
make test command, 319, 321
makeKeys() method, 251–252, 254, 259
makeRGBColor() function, 127
man command, 216
max_execution_time directive, 217
max_input_time setting, 217
mcrypt() class, 198, 249
mcrypt library, 233–234
mcrypt module, 248, 259
mcrypt_generic() function, 248
mcrypt_generic_init() function, 248
mcrypt_module_open() function, 248
MD (Message Digest), 238
MD5, 238
md5() function, 238, 244, 260
md5_file() function, 261
md5sum command, 318
mdecrypt_generic() function, 248
member role, RBAC, 148
memory_get_usage() function, 217
memory_limit directive, 217
Merkle, Ralph, 236
Message Digest (MD), 238
metacharacters, user input containing
  handling, 26–27
  overview, 16
metapackages, 324–325
metaports, 324
mkdir() method, 286, 289
mkfs command, 179
mod_php, Apache, 182
modes, 241–243
  CBC, 243
  CFB, 242
  ECB, 241–242
  OFB, 242
mount command, 179
movies table, 168
movies view, 166
moviesVersions table, 168–169
MP3 encoder, 192
mp3Interface.php file, 192
mp3Processor.php file, 189, 191
multiple-query injection, 36–37
multiuser hosts, protection for, 298–300
  allowing no shells, 299
  backing up databases, 300
  compiling configuration scripts, 299–300
  keeping local copies, 300
  practicing translucency, 299
  setting aggressive database permissions, 299
.my.cnf file, 223–224
MySQL accounts, 224–228
  backups, 228
  controlling database access with grant tables, 226
  deleting, 224–225
  hardening default MySQL installation, 226–227
  Host wildcards, 225
  networking, 228
  passwords, 225
  privileges, 227–228
MySQL code, 185
mysql database, 224–227
mysql extension, PHP, 37
MySQL server log, 155
mysql_escape_string() method, 11
mysql_install_db utility, 226
mysql_max_links directive, 217
mysql_real_escape_string() function, 26, 39, 107
mysqladmin utility, 227
mysqld_safe utility, 228
mysqldump utility, 228
mysqli extension, PHP, 37, 40–41
mysqli_multi_query() function, 37
mysqli_prepare() function, 41
mysqli_stmt_bind_param() function, 41
mysqli_stmt_bind_result() function, 41
mysqli_stmt_execute() function, 41
mysqli_stmt_fetch() function, 41
mysqlInstallationHarden.sql file, 226
mysqliPrepareOO.php file, 41
mysqliPrepare.php file, 40

N
National Institute of Standards and Technology (NIST), 235
network eavesdropping, 97
Network File System (NFS), 306
network timeouts, and RPCs, 199–200
networking, security of, 228
NFS (Network File System), 306
nice value, 183
NIST (National Institute of Standards and Technology), 235
nobody user, 141, 177, 227
now() function, 169
numbers
  checking for user input, 22–23
  random, 240–241

O
script, 46
OFB (Output Feedback mode), 242
onclick event, 49
onclick.php file, 49
one-time URI, 136, 138–139
online payment, requiring for user authentication, 139
onload attribute, 52
onmouseover attribute, 49
open_basedir directive, 219–220
open_csr_new() function, 254
OpenSSH, 284
OpenSSL functions, asymmetric encryption in, 249–259
OpenSSL library, 233–235, 254
OpenSSL module, 238, 249–250, 254, 259
openssl_csr_sign() function, 254
openssl_get_publickey() function, 257
openssl_pkey_export() function, 254
openssl_pkey_new() function, 254
openssl_public_encrypt() function, 250, 256–257
openssl_sign() function, 258
openssl_verify() function, 258
openssl_x509_export() function, 254
openssl_x509_parse() function, 254
openSSLDemo.php script, 250, 252, 254
openSSL.php class, 250, 252, 255, 258, 265
Optical Character Recognition, 119
option files, security of, 223
OPTIONS method, 196
Output Feedback mode (OFB), 242

P
packages, and software installation, 314–316
parallelization, and resource-intensive system operations, 182
parse_str() function, 113
parse_url() function, 52–54
passthru() function, 59
passwordHashingDemo.php file, 245
passwords, 225
  protecting, 244–247
  strength of, 233
pcntl_fork() function, PHP, 183
pcntl_wait() function, PHP, 183
PECL (PHP Extension Community Library), 66
peer review, is critical to security, 12
PEM (Privacy Enhanced Mail), 269
permanence, 82
permissions
  assigning to roles, using checkboxes, 153
  blanket, 146
  Filesystem-like, 151
  making restrictive, 87–88
  in Unix, 209–215
    and home directories, 214–215
    manipulating, 212–215
    PHP tools for, 214
    and shared group directories, 212–214
persistent sessions, 93–96
Petro, Christopher, 6
PGP (Pretty Good Privacy), 237–238
phishing, 98
photographer role, RBAC, 149
PHP (Hypertext Preprocessor)
  basic REST servers in, 109
  creating tests using, 122–129
    checking user response, 128–129
    external web services, 122–124
    generating images, 125–127
    placing captcha images in form, 128
    random challenge, 124–125
  keeping easily updatable, 322–323
  mcrypt functions, symmetric encryption in, 248–249
  RSA functions, asymmetric encryption in, 249–259
PHP Extension Community Library (PECL), 66
PHP Safe Mode, 217–220
  alternatives to, 219–220
  features of, 218–219
  overview, 218
PHP sessions, 93–96

S
script, 46
scriptname variable, 28
scripts, configuration, 299–300
secret value, sending, 136
Secure Hash Algorithm (SHA), 238
Secure Shell. See SSH
Secure Sockets Layer. See SSL
securing REST. See REST
security
  of computers in general, 3
  databases, 221–228
    database filesystem permissions, 222–223
    global option files, 223
    MySQL accounts, 224–228
    option files, 223
    server-specific option files, 223
    user-specific option files, 223–224
  peer review is critical to, 12
segregation, of interfaces, 142
SELECT instruction, 36
SELECT privilege, 227
SELECT queries, enforcing deleted field in, 165–166
SELECT statement, 37, 41–42
semi-anonymous mailboxes, 136
sendResponse() method, 112–113
separate table, using to hide deleted records, 166–167
server logs, 155
server operation, attacks against, 8–9
server-specific option files, security of, 223
session hijacking, 93–104
  abuse of sessions, 96–99
    fixation, 99
    forwarding, proxies, and phishing, 98
    network eavesdropping, 97
    reverse proxies, 99
  persistent sessions, 93–96
  preventing abuse, 100–104
    code abstraction, 102
    ineffective solutions, 102–104
    regenerating ids for users with changed status, 101–102
    using cookies instead of $_GET variables, 100–101
    using secure sockets layer, 100
    using session timeouts, 101
  testing for protection against session abuse, 104
session ID, 156, 192
session_id() function, 94
session_id($_GET['phpsessid']) function, 99
session_regenerate_id() function, 101–102
session_start() function, 93–94, 99
session.cookie_lifetime parameter, 94
sessionDemo1.php file, 94–96
sessionDemo2.php file, 96
session.use_only_cookies directive, 98
SET clause, 36
SET PASSWORD statement, 225
set-group-id flag, 214
settype() function, 23, 38
sftp class, 286, 290
sftp interface, 285
sftp_config class, 285
sftpClasses.php script, 285, 290
sftpDemo.php file, 290
sftp.php client, 292
SHA (Secure Hash Algorithm), 238
sha1() function, 239, 244, 246–247, 258, 260
SHA-256, 238–239
Shamir, Adi, 236
shared group directories, and permissions in Unix, 212–214
shared hosting and security, 295–303
  inventory of effects, 296–297
  minimizing system-level problems, 297–298
  protection for multiuser hosts, 298–300
    allowing no shells, 299
    backing up databases, 300
    compiling configuration scripts, 299–300
    keeping local copies, 300
    practicing translucency, 299
    setting aggressive database permissions, 299
  from system administrator's point of view, 302–303
    adding user for each domain, 302
    creating secure database, 303
    filling out filesystem, 302
    restricting access to scp only, 303
    sample Apache virtual host configuration, 302–303
  virtual machines, 301–302
shell arguments, and user input, 30
shell commands
  escaping, 71–74
  injection of, 63–65
shell metacharacters, 63
shell_exec() function, 59, 71, 78, 174, 217, 219
shells, allowing none, 299
Short Message Service (SMS), 139–140
shutdown command, 179
shutdown function, 157
sign() method, 251, 253, 258, 265
signal handling, in PHP Daemons, 182–183
signatures, 265–266
Simple Object Access Protocol (SOAP), 197–198
skip-networking option, 228
S/MIME, 237–238
SMS (Short Message Service), 139–140
SOAP (Simple Object Access Protocol), 197–198
sockpuppets, 5
software
  installing, 314–319
    compiling by hand, 317–319
    packages, 314–316
    ports, 317
  updating, 319–325
    Apache, keeping easily updatable, 321–322
    monitoring version revisions, 323
    PHP, keeping easily updatable, 322–323
    recompiling after updating libraries, 323–324
    using gold server to distribute updates, 324–325
spammers, abusers of user authentication, 134
SQL DELETE command, 164
SQL injection, 33–43
  defined, 33
  multiple-query, 36–37
  overview, 33–35
  preventing, 37–42
    abstraction layer for, 39
    abstraction with external libraries, 42
    checking types of user submitted values, 38
    demarcating every value in queries, 37–38
    escaping every questionable character in queries, 39
    for new applications, 40–42
    retrofitting existing application, 39–40
  testing, 42
  types of attacks, 36
  and types of user input, 35–36
sqlite_query() function, 37
SSH (Secure Shell), 282–293
  OpenSSH for, 284
  overview, 283
  with PHP applications, 284
    automating connections, 285
    executing commands, 292–293
    securely copying files, 285–292
  vs. SSL, 294
ssh2_auth_password function, 288
ssh2_connect function, 288, 293
ssh2_exec function, 293
ssh2_fingerprint function, 288
ssh2_sftp function, 288
ssh2_sftp_mkdir function, 289
ssh2_sftp_unlink function, 289
ssh2ExecDemo.php file, 292
ssh2.sftp command, 285
ssh-agent utility, 284
ssh-keygen utility, 284, 293
SSL (Secure Sockets Layer). See also SSH
  and certificates, 268–273
    CAs for, 270–271
    chain of, 272
    revocation list for, 272–273
  connecting to servers using PHP, 273–282
    FTP and FTPS wrappers, 279–281
    HTTPS wrapper, 277–279
    secure IMAP and POP support, 282
    SSL and TLS transports, 274–277
    streams, 274
    transports, 274
    wrappers, 274
  defined, 268
  does not prevent XSS, 51
  protocols for, 273
  vs. SSH, 294
  and TLS (transport layer security), 268
  using to encrypt communications, 109
SSL transport, for PHP, 274, 277
stars field
  movies table, 168
  moviesVersions table, 168–169
stat() function, 261
str_replace() function, 67, 75, 203
stream_context_create() function, 274, 278
stream_context_get_options() instruction, 274
stream_context_set_option() instruction, 274
stream_get_meta_data() function, 277
stream_set_blocking() function, 200, 277
stream_set_timeout() function, 199–200
stream-of-activity data, 155
streams
  overview, 241
  for PHP and SSL, 274
streams model, PHP, 273
strings, checking for user input, 22
strip_tags() function, 56
stripslashes() function, 26–27, 39
strlen() function, 24, 38
strpos() function, 38
strtotime() function, 38
strtoupper() function, 75
subrequests, and RPCs, 198–205
  caching, 200–201
  handling network timeouts, 199–200
  and HTTP headers, 201–202
Subversion repository, 174
sudo command, and root-level system operations, 178
suexec function, 249
suid binaries, 180
suid bit, and root-level system operations, 178
switch() function, 108, 112, 151
symmetric algorithms, 234–236
  3DES (or Triple-DES), 234
  AES (Advanced Encryption Standard), 235
  Blowfish, 235
  RC4, 235–236
system() function, 59–60, 71
system administrator, shared hosting and security, 302–303
  adding user for each domain, 302
  creating secure database, 303
  filling out filesystem, 302
  restricting access to scp only, 303
  sample Apache virtual host configuration, 302–303
system logs, 155–156
system operations, 177–179
  queuing resource-intensive, 179
    implications of, 181–182
    and parallelization, 182
    tracking of, 192–195
    triggering batch processing, 188–192
    using database, 185–188
    using drop folder, 184–185
    using process control in PHP Daemons, 182–183
  root-level
    /sbin binaries, 178–179
    create API for, 180
    using sudo command, 178
    using suid bit, 178
system-level interactions, 155

T
tag, 50
tables
  adding deleted flags to, 164–165
  adding locked flags to, 161
tempnam() function, 84–85
temporary files
  characteristics of
    locations, 82
    overview, 82
    permanence, 82
    risks, 82–84
  functions of, 81–82
  preventing abuse of, 84–89
    checking uploaded files, 89
    making locations difficult, 84–87
    making permissions restrictive, 87–88
    reading from known files only, 89
    writing to known files only, 88–89
  testing protection against hijacking, 90–91
TERM signal, 182–183
tests, creating using PHP, 122–129
  checking user response, 128–129
  external web services, 122–124
  generating images, 125–127
  placing captcha images in form, 128
  random challenge, 124–125
text image captchas, 118–120
text type, 168–169
Tidy module, PHP, 55
time() function, 108, 254
timed_out key, 199–200
timed_out property, 277
timeoutDemo.php file, 199
timeouts, session, 101
title field
  movies table, 168
  moviesVersions table, 168–169
TLS (Transport Layer Security), 267–268
TLS transport, for PHP, 274–277
tlsGetDemo.php file, 275, 277
tokens, and user authentication, 136–139
touch() function, 85
tracking user-to-group assignments, 144
translucency, 299
Transport Layer Security (TLS), 267–268
transports, for PHP and SSL, 274
trashcan view, 167
Triple-DES, 234
trolls, abusers of user authentication, 135
trusted users, importing code only by, 66
Tuchman, Walter, 234
Turing, Alan, 117

U
umask() function, 214
umask 002 command, 213
UML (User-mode Linux), 301
umount command, 179
undelete interfaces, 167
undo command, 160
Uniform Resource Locator. See URL
uniqid() function, 85–86, 138, 192
Unix, 209–220
  disk quotas, 216
  permissions in, 209–215
    and home directories, 214–215
    manipulating, 212–215
    PHP tools for, 214
    and shared group directories, 212–214
  and PHP Safe Mode, 217–220
    alternatives to, 219–220
    features of, 218–219
    overview, 218
  resource limits, 215–217
unreadable CAPTCHAs, 130–131
UPDATE instruction, 36
UPDATE privilege, 227
UPDATE query, 161, 166
UPDATE statement, 225, 227
updating software, 319–325
  Apache, keeping easily updatable, 321–322
  monitoring version revisions, 323
  PHP, keeping easily updatable, 322–323
  recompiling after updating libraries, 323–324
  using gold server to distribute updates, 324–325
upload_max_filesize directive, 217
uploaded files
  limiting file types for, 65
  remote execution of
    embedding PHP code in, 61–62
    storing outside of web document root, 66
URL (Uniform Resource Locator)
  sanitizing user-submitted, 52–54
  user input containing, 27–28
  XSS with
    forged action URIs, 49–50
    forged image source URIs, 50
urlencode() function, 26, 29, 203
user authentication
  abusers of, 134–135
    griefers and trolls, 135
    scammers, 134–135
    spammers, 134
  identity verification, 133–134
  requiring online payment, 139
  requiring verified digital signature, 140
  using SMS, 139–140
  using working email address for, 135–139
user ID, 156
user input
  abuse of hidden interfaces with, 17–18
  attacks with, 4
  containing metacharacters, 16
  never should be trusted, 10
  protecting against abuse of
    allowing only expected input, 21
    checking existence of variables, 23–24
    checking format, 24
    checking length, 24
    checking type, 22–24
    containing email addresses, 28–29
    containing file paths and URIs, 27–28
    and database queries, 29
    declaring variables, 20
    escaping shell arguments, 30
    handling metacharacters, 26–27
    and HTML output, 30
    and HTTP header values, 29
    sanitizing values, 25
    turning off global variables, 18–20
    validating format, 24–25
  testing, 31
  too much of, 17
  types of, and SQL injection, 35–36
  with unexpected commands, 18
  of wrong type, 16
user response, checking, 128–129
USER1 signal, 183
User-level activity, 155
User-mode Linux (UML), 301
users, awarding badges to, 146–147
user-specific option files, security of, 223–224
user-to-group assignments, tracking, 144
/usr/lib directory, 319
/usr/local/apache/ directory, 321
/usr/local/bin directory, 308, 312
/usr/local/mysql/data directory, 223

V
v switch, 309
Validate class, Pear, 55
values
  checking types of, 38
  demarcating of in queries, 37–38
  sanitizing, 25
varchar type, 168
varchar(255) type, 169
/var/db/mysql directory, 222–223
variables
  checking existence of, 23–24
  declaring, 20
/var/run/php-batch file, 182
verify() method, 251, 253, 258, 265
verifying identity, with financial transactions, 139
version of software, monitoring revisions of, 323
version switch, 320
version timestamp column, 168
VersionControl_SVN class, 174
versioned database file store, 170–175
  garbage collection, 172–174
  other means of versioning files, 174
  realistic PHP versioning system, 171–172
  Version Control systems, 174
  WebDAV with Versioning, 174–175
versioning, 167–170
view, using to hide deleted records, 166
vintage field, 38
virtual host configuration, Apache, 302–303
virtual location, 150
virtual machines, 301–302
viruses, 6
visibility, 83
VRFY command, 136
vulnerable.html, 204

W
.wav file, 190–191
web services
  defined, 177
  HTTP, 196
  XML-RPC, 196
WebDAV, with versioning, 174–175
WEP (Wired Equivalent Privacy), 97, 235
wget program, 318
WHERE adminLock='0' clause, 161
WHERE clause, 34, 36, 165
Wi-Fi Protected Access (WPA), 237
Wired Equivalent Privacy (WEP), 97, 235
with-mcrypt switch, 248
with-mysql= directive, 26
with-mysqli=path/to/mysql_config option, 40
with-openssl switch, 273
worms, 6
WPA (Wi-Fi Protected Access), 237
wrapper_data property, 279
wrappers, for PHP and SSL, 274
write permission, 209
www templates, 142

X
XML-RPC web services, 196
XOR function, 240
XSS (cross-site scripting), 45–57
  how it works, 45–47
    application site to remote site, 47
    remote site to application site, 47
    scripting of, 45–46
  preventing, 51–57
    encoding HTML entities, 52
    filtering HTML input, 54–55
    predicting expected actions from users, 56–57
    private API for sensitive transactions, 55–56
    sanitizing user-submitted URIs, 52–54
    SSL does not, 51
  techniques of, 47–51
    forged action URIs, 49–50
    forged image source URIs, 50
    form submissions, 50–51
    HTML markup attacks, 48–49
    JavaScript attacks, 49
    other attacks, 51
  testing against, 57

Y
year key, 21
Ylönen, Tatu, 283–284
Young, Eric A., 268

Z
z switch, 309
Zimmermann, Philip, 238, 243
