fny5jt9 posted on 2024-7-11 13:46:26

What are the common security attacks?


1. SQL injection

Use the mysqli_real_escape_string function to escape the data:

```php
$db = new mysqli('localhost', 'root', 'root', 'test');
// Simulated attacker input: the quote tries to break out of the string literal
$_POST['username'] = "Shershon' or 1=1";
// Escape the value for use inside a quoted SQL string literal
$username = mysqli_real_escape_string($db, $_POST['username']);
$query = "select * from test where username='" . $username . "'";
echo $query . '<br />';
$res = $db->query($query);
// Check the result object before reading num_rows (query() returns false on error)
if ($res && $res->num_rows) {
    echo $res->num_rows . '<br />';
    echo '<br />Logged in successfully';
} else {
    echo '<br />Login failed';
}
```

Use mysqli or PDO prepared statements:

```php
$db = new mysqli('localhost', 'root', 'root', 'test');
$_POST['username'] = 'Shershon';
// Select the two columns explicitly so they match the bind_result() call below
$query = 'select id, username from test where username=?';
if ($stmt = $db->prepare($query)) {
    // The value is sent separately from the SQL text, so it cannot alter the query
    $stmt->bind_param('s', $_POST['username']);
    $stmt->execute();
    $stmt->bind_result($id, $username);
    while ($stmt->fetch()) {
        echo $id . ', ' . $username;
        echo '<br />';
    }
    $stmt->close();
}
```

2. XSS attack

Use the htmlentities function, which converts every special character that has a corresponding "HTML entity", for example currency symbols such as the euro and pound sign, the copyright symbol, and so on; htmlspecialchars only escapes a few special characters: & " < >

```php
<?php
if (file_exists('comments.txt')) {
    $comments = file_get_contents('comments.txt');
} else {
    $comments = '';
}

if (isset($_POST['comment'])) {
    // Encode the user's comment before it is stored and later echoed into the page
    $new = "\r\n" . htmlentities($_POST['comment']);
    $comments .= $new;
    // Append only the new comment; appending $comments would duplicate the whole file
    file_put_contents('comments.txt', $new, FILE_APPEND);
}
?>
<form action="test.php" method="POST">
  Enter your comments here: <br />
  <textarea name="comment"></textarea> <br />
  <input type="submit" value="Post comment" />
</form><hr /><br />
<?php echo $comments; ?>
```

3. Session fixation

Session security assumes that a PHPSESSID is hard to guess. However, PHP can accept a session ID through a cookie or through the URL. Therefore a victim can be deceived into using a specific (or some other) session ID, or targeted with a phishing attack.

4. Session capture or hijacking

This is the same idea as session fixation; however, it involves stealing the session ID. If the session ID is stored in a cookie, an attacker can steal it via XSS and JavaScript. If the session ID is included in the URL, it can also be obtained by sniffing or from a proxy server.

Preventing session capture and hijacking

1) Renew the ID
2) If sessions are used, make sure users use SSL

5. Cross-Site Request Forgery (CSRF)

A CSRF attack refers to a request issued from a page that looks as if it comes from a trusted user of the site, but was not made intentionally. It has many variants, for example the one below:

```html
<img src="./test.php">
```

Preventing cross-site request forgery

1.


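For the session fixation and hijacking points above (renew the ID, require SSL), this added example, not from the post, shows how those two measures are expressed in PHP (7.3 or later for the array form of session_set_cookie_params), together with the related cookie flags and the setting that stops PHP accepting a session ID from the URL.

```php
<?php
// Added example: session settings addressing the fixation and hijacking
// scenarios described in the post. Call startSecureSession() before any output.
function startSecureSession(): void
{
    // Accept session IDs only from cookies, never from the URL, so a ?PHPSESSID=...
    // link cannot fix the ID and the ID never lands in proxy or sniffer logs.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject IDs the server did not generate itself; an attacker-chosen ID is discarded.
    ini_set('session.use_strict_mode', '1');
    // The cookie is sent only over HTTPS (the "use SSL" point), is invisible to
    // JavaScript (so XSS cannot read it), and is not attached to cross-site requests.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

function loginUser(int $userId): void
{
    // Renew the ID at the privilege change and delete the old session data, so an ID
    // the victim was handed before logging in is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

function logoutUser(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    // Expire the cookie in the browser as well as destroying the server-side session
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```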


364463952 posted on 2024-9-9 11:40:33

Backlink posting community http://www.fok120.com/

7wu1wm0 posted on 2024-10-7 19:06:05

Awesome, impressive, cheering for you, thumbs up, excellent, etc.

b1gc8v posted on 2024-10-19 12:10:55

Thank you, thanks, grateful, good work, glad to have you, etc.

j8typz posted on 2024-11-9 05:38:11

A forum SEO people visit often; hoping my site gets indexed faster.