PHP安全规范与最佳实践<\/h1>

1. PHP基础安全配置<\/h2>

1.1 敏感配置项<\/h3>
; 不在请求头中泄露PHP信息<\/span>
<\/span><\/span>expose_php<\/span>=<\/span>Off<\/span>
<\/span><\/span>
<\/span><\/span>; 错误处理配置<\/span>
<\/span><\/span>display_errors<\/span>=<\/span>Off<\/span>
<\/span><\/span>display_startup_errors<\/span>=<\/span>off<\/span>
<\/span><\/span>log_errors<\/span>=<\/span>On<\/span>
<\/span><\/span>error_log<\/span>=<\/span>\/var\/log\/httpd\/php_scripts_error.log<\/span>
<\/span><\/span>
<\/span><\/span>; 文件上传配置<\/span>
<\/span><\/span>file_uploads<\/span>=<\/span>On<\/span>
<\/span><\/span>upload_max_filesize<\/span>=<\/span>1M<\/span>
<\/span><\/span>post_max_size<\/span>=<\/span>1M  ; 必须大于upload_max_filesize<\/span>
<\/span><\/span>
<\/span><\/span>; 远程代码执行防护<\/span>
<\/span><\/span>allow_url_fopen<\/span>=<\/span>Off<\/span>
<\/span><\/span>allow_url_include<\/span>=<\/span>Off<\/span>
<\/span><\/span>
<\/span><\/span>; 资源限制<\/span>
<\/span><\/span>max_execution_time<\/span> =<\/span> 30<\/span>
<\/span><\/span>max_input_time<\/span> =<\/span> 30<\/span>
<\/span><\/span>memory_limit<\/span> =<\/span> 40M<\/span>
<\/span><\/span>
<\/span><\/span>; 会话配置<\/span>
<\/span><\/span>session.save_path<\/span>=<\/span>"\/var\/lib\/php\/session"<\/span>
<\/span><\/span><\/code><\/pre>1.2 禁用危险函数<\/h3>
disable_functions<\/span> =<\/span> phpinfo,eval,passthru,assert,exec,system,ini_set,ini_get,get_included_files,get_defined_functions,get_defined_constants,get_defined_vars,glob,``,chroot,scandir,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,popepassthru,stream_socket_server,fsocket,fsockopen<\/span>
<\/span><\/span><\/code><\/pre>1.3 文件系统访问限制<\/h3>
open_basedir<\/span>=<\/span>'\/var\/www\/html\/'<\/span>
<\/span><\/span><\/code><\/pre>2. PHP弱类型安全问题<\/h2>
2.1 常见弱类型比较问题<\/h3>
0<\/span>==<\/span>'0'<\/span> \/\/true
<\/span><\/span><\/span><\/span>0<\/span> ==<\/span> 'abcdefg'<\/span> \/\/true
<\/span><\/span><\/span><\/span>1<\/span> ==<\/span> '1abcdef'<\/span> \/\/true
<\/span><\/span><\/span><\/span>null<\/span>==<\/span>false<\/span> \/\/true
<\/span><\/span><\/span><\/span>123<\/span>==<\/span>'123'<\/span> \/\/true
<\/span><\/span><\/span><\/span>
<\/span><\/span>\/\/ 哈希比较
<\/span><\/span><\/span><\/span>"0e132456789"<\/span>==<\/span>"0e7124511451155"<\/span> \/\/true
<\/span><\/span><\/span><\/span>"0x1e240"<\/span>==<\/span>"123456"<\/span> \/\/true
<\/span><\/span><\/span><\/span>"0x1e240"<\/span>==<\/span>123456<\/span> \/\/true
<\/span><\/span><\/span><\/span>
<\/span><\/span>\/\/ 类型转换
<\/span><\/span><\/span><\/span>var_dump<\/span>(intval<\/span>('2'<\/span>)) \/\/2
<\/span><\/span><\/span><\/span>var_dump<\/span>(intval<\/span>('3abcd'<\/span>)) \/\/3
<\/span><\/span><\/span><\/span>var_dump<\/span>(intval<\/span>('abcd'<\/span>)) \/\/0
<\/span><\/span><\/span><\/span>
<\/span><\/span>\/\/ 数组比较
<\/span><\/span><\/span><\/span>var_dump<\/span>(md5<\/span>($array1)==<\/span>var_dump<\/span>($array2)); \/\/true
<\/span><\/span><\/span><\/span>
<\/span><\/span>\/\/ switch比较
<\/span><\/span><\/span><\/span>$i =<\/span>"2abc"<\/span>;
<\/span><\/span>switch<\/span> ($i) {
<\/span><\/span>    case<\/span> 0<\/span>:<\/span>case<\/span> 1<\/span>:<\/span>case<\/span> 2<\/span>:<\/span> 
<\/span><\/span>        echo<\/span> "i is less than 3 but not negative"<\/span>; 
<\/span><\/span>        break<\/span>;
<\/span><\/span>    case<\/span> 3<\/span>:<\/span> echo<\/span> "i is 3"<\/span>;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ in_array问题
<\/span><\/span><\/span><\/span>$array=<\/span>[0<\/span>,1<\/span>,2<\/span>,'3'<\/span>];
<\/span><\/span>var_dump<\/span>(in_array<\/span>('abc'<\/span>, $array)); \/\/true
<\/span><\/span><\/span><\/span>var_dump<\/span>(in_array<\/span>('1bc'<\/span>, $array)); \/\/true
<\/span><\/span><\/span><\/code><\/pre>3. 常见漏洞防护<\/h2>
3.1 SQL注入防护<\/h3>
不安全示例(Low level):<\/strong><\/p>
$id =<\/span> $_REQUEST['id'<\/span>];
<\/span><\/span>$query =<\/span> "SELECT first_name, last_name FROM users WHERE user_id = '<\/span>$id<\/span>';"<\/span>;
<\/span><\/span>$result =<\/span> mysql_query<\/span>($query);
<\/span><\/span><\/code><\/pre>安全示例(Impossible level):<\/strong><\/p>
\/\/ 检查Anti-CSRF token
<\/span><\/span><\/span><\/span>checkToken<\/span>($_REQUEST['user_token'<\/span>], $_SESSION['session_token'<\/span>], 'index.php'<\/span>);
<\/span><\/span>
<\/span><\/span>\/\/ 获取并验证输入
<\/span><\/span><\/span><\/span>$id =<\/span> $_GET['id'<\/span>];
<\/span><\/span>if<\/span>(is_numeric<\/span>($id)) {
<\/span><\/span>    \/\/ 使用预处理语句
<\/span><\/span><\/span><\/span>    $data =<\/span> $db-><\/span>prepare<\/span>('SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;'<\/span>);
<\/span><\/span>    $data-><\/span>bindParam<\/span>(':id'<\/span>, $id, PDO<\/span>::<\/span>PARAM_INT<\/span>);
<\/span><\/span>    $data-><\/span>execute<\/span>();
<\/span><\/span>    
<\/span><\/span>    if<\/span>($data-><\/span>rowCount<\/span>() ==<\/span> 1<\/span>) {
<\/span><\/span>        $row =<\/span> $data-><\/span>fetch<\/span>();
<\/span><\/span>        \/\/ 安全输出
<\/span><\/span><\/span><\/span>        echo<\/span> "<pre>ID: <\/span>{<\/span>$id}<\/span><br \/>First name: <\/span>{<\/span>$row['first_name'<\/span>]}<\/span><br \/>Surname: <\/span>{<\/span>$row['last_name'<\/span>]}<\/span><\/pre>"<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3.2 CSRF防护<\/h3>
不安全示例(Low level):<\/strong><\/p>
if<\/span>(isset<\/span>($_GET['Change'<\/span>])) {
<\/span><\/span>    $pass_new =<\/span> $_GET['password_new'<\/span>];
<\/span><\/span>    $pass_conf =<\/span> $_GET['password_conf'<\/span>];
<\/span><\/span>    if<\/span>($pass_new ==<\/span> $pass_conf) {
<\/span><\/span>        \/\/ 直接修改密码
<\/span><\/span><\/span><\/span>        $insert =<\/span> "UPDATE `users` SET password = '"<\/span>.<\/span>md5<\/span>($pass_new).<\/span>"' WHERE user = '"<\/span>.<\/span>dvwaCurrentUser<\/span>().<\/span>"'"<\/span>;
<\/span><\/span>        mysql_query<\/span>($insert);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>安全示例(Impossible level):<\/strong><\/p>
if<\/span>(isset<\/span>($_POST['Change'<\/span>])) {
<\/span><\/span>    \/\/ 检查Anti-CSRF token
<\/span><\/span><\/span><\/span>    checkToken<\/span>($_REQUEST['user_token'<\/span>], $_SESSION['session_token'<\/span>], 'index.php'<\/span>);
<\/span><\/span>    
<\/span><\/span>    \/\/ 获取输入
<\/span><\/span><\/span><\/span>    $pass_curr =<\/span> $_GET['password_current'<\/span>];
<\/span><\/span>    $pass_new =<\/span> $_GET['password_new'<\/span>];
<\/span><\/span>    $pass_conf =<\/span> $_GET['password_conf'<\/span>];
<\/span><\/span>    
<\/span><\/span>    \/\/ 清理和验证当前密码
<\/span><\/span><\/span><\/span>    $pass_curr =<\/span> stripslashes<\/span>($pass_curr);
<\/span><\/span>    $pass_curr =<\/span> mysql_real_escape_string<\/span>($pass_curr);
<\/span><\/span>    $pass_curr =<\/span> md5<\/span>($pass_curr);
<\/span><\/span>    
<\/span><\/span>    \/\/ 验证当前密码是否正确
<\/span><\/span><\/span><\/span>    $data =<\/span> $db-><\/span>prepare<\/span>('SELECT password FROM users WHERE user = (:user) AND password = (:password) LIMIT 1;'<\/span>);
<\/span><\/span>    $data-><\/span>bindParam<\/span>(':user'<\/span>, dvwaCurrentUser<\/span>(), PDO<\/span>::<\/span>PARAM_STR<\/span>);
<\/span><\/span>    $data-><\/span>bindParam<\/span>(':password'<\/span>, $pass_curr, PDO<\/span>::<\/span>PARAM_STR<\/span>);
<\/span><\/span>    $data-><\/span>execute<\/span>();
<\/span><\/span>    
<\/span><\/span>    \/\/ 验证新密码和确认密码是否匹配
<\/span><\/span><\/span><\/span>    if<\/span>(($pass_new ==<\/span> $pass_conf) &&<\/span> ($data-><\/span>rowCount<\/span>() ==<\/span> 1<\/span>)) {
<\/span><\/span>        \/\/ 更新密码
<\/span><\/span><\/span><\/span>        $pass_new =<\/span> stripslashes<\/span>($pass_new);
<\/span><\/span>        $pass_new =<\/span> mysql_real_escape_string<\/span>($pass_new);
<\/span><\/span>        $pass_new =<\/span> md5<\/span>($pass_new);
<\/span><\/span>        
<\/span><\/span>        $data =<\/span> $db-><\/span>prepare<\/span>('UPDATE users SET password = (:password) WHERE user = (:user);'<\/span>);
<\/span><\/span>        $data-><\/span>bindParam<\/span>(':password'<\/span>, $pass_new, PDO<\/span>::<\/span>PARAM_STR<\/span>);
<\/span><\/span>        $data-><\/span>bindParam<\/span>(':user'<\/span>, dvwaCurrentUser<\/span>(), PDO<\/span>::<\/span>PARAM_STR<\/span>);
<\/span><\/span>        $data-><\/span>execute<\/span>();
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3.3 命令注入防护<\/h3>
不安全示例(Low level):<\/strong><\/p>
$target =<\/span> $_REQUEST['ip'<\/span>];
<\/span><\/span>if<\/span>(stristr<\/span>(php_uname<\/span>('s'<\/span>), 'Windows NT'<\/span>)) {
<\/span><\/span>    $cmd =<\/span> shell_exec<\/span>('ping '<\/span>.<\/span>$target);
<\/span><\/span>} else<\/span> {
<\/span><\/span>    $cmd =<\/span> shell_exec<\/span>('ping -c 4 '<\/span>.<\/span>$target);
<\/span><\/span>}
<\/span><\/span>echo<\/span> "<pre><\/span>{<\/span>$cmd}<\/span><\/pre>"<\/span>;
<\/span><\/span><\/code><\/pre>安全示例(Impossible level):<\/strong><\/p>
\/\/ 检查Anti-CSRF token
<\/span><\/span><\/span><\/span>checkToken<\/span>($_REQUEST['user_token'<\/span>], $_SESSION['session_token'<\/span>], 'index.php'<\/span>);
<\/span><\/span>
<\/span><\/span>\/\/ 获取并验证IP地址
<\/span><\/span><\/span><\/span>$target =<\/span> $_REQUEST['ip'<\/span>];
<\/span><\/span>$target =<\/span> stripslashes<\/span>($target);
<\/span><\/span>$octet =<\/span> explode<\/span>("."<\/span>, $target);
<\/span><\/span>
<\/span><\/span>if<\/span>((is_numeric<\/span>($octet[0<\/span>])) &&<\/span> (is_numeric<\/span>($octet[1<\/span>])) &&<\/span> 
<\/span><\/span>   (is_numeric<\/span>($octet[2<\/span>])) &&<\/span> (is_numeric<\/span>($octet[3<\/span>])) &&<\/span> 
<\/span><\/span>   (sizeof<\/span>($octet) ==<\/span> 4<\/span>)) {
<\/span><\/span>    \/\/ 重建合法IP
<\/span><\/span><\/span><\/span>    $target =<\/span> $octet[0<\/span>].<\/span>'.'<\/span>.<\/span>$octet[1<\/span>].<\/span>'.'<\/span>.<\/span>$octet[2<\/span>].<\/span>'.'<\/span>.<\/span>$octet[3<\/span>];
<\/span><\/span>    
<\/span><\/span>    \/\/ 执行ping命令
<\/span><\/span><\/span><\/span>    if<\/span>(stristr<\/span>(php_uname<\/span>('s'<\/span>), 'Windows NT'<\/span>)) {
<\/span><\/span>        $cmd =<\/span> shell_exec<\/span>('ping '<\/span>.<\/span>$target);
<\/span><\/span>    } else<\/span> {
<\/span><\/span>        $cmd =<\/span> shell_exec<\/span>('ping -c 4 '<\/span>.<\/span>$target);
<\/span><\/span>    }
<\/span><\/span>    echo<\/span> "<pre><\/span>{<\/span>$cmd}<\/span><\/pre>"<\/span>;
<\/span><\/span>} else<\/span> {
<\/span><\/span>    echo<\/span> '<pre>ERROR: You have entered an invalid IP.<\/pre>'<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3.4 暴力破解防护<\/h3>
不安全示例(Low level):<\/strong><\/p>
$user =<\/span> $_GET['username'<\/span>];
<\/span><\/span>$pass =<\/span> md5<\/span>($_GET['password'<\/span>]);
<\/span><\/span>$query =<\/span> "SELECT * FROM `users` WHERE user = '<\/span>$user<\/span>' AND password = '<\/span>$pass<\/span>';"<\/span>;
<\/span><\/span>$result =<\/span> mysql_query<\/span>($query);
<\/span><\/span>if<\/span>($result &&<\/span> mysql_num_rows<\/span>($result) ==<\/span> 1<\/span>) {
<\/span><\/span>    \/\/ 登录成功
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>安全示例(Impossible level):<\/strong><\/p>
\/\/ 默认值
<\/span><\/span><\/span><\/span>$total_failed_login =<\/span> 3<\/span>;
<\/span><\/span>$lockout_time =<\/span> 15<\/span>;
<\/span><\/span>$account_locked =<\/span> false<\/span>;
<\/span><\/span>
<\/span><\/span>\/\/ 检查数据库中的失败登录次数
<\/span><\/span><\/span><\/span>$data =<\/span> $db-><\/span>prepare<\/span>('SELECT failed_login, last_login FROM users WHERE user = (:user) LIMIT 1;'<\/span>);
<\/span><\/span>$data-><\/span>bindParam<\/span>(':user'<\/span>, $user, PDO<\/span>::<\/span>PARAM_STR<\/span>);
<\/span><\/span>$data-><\/span>execute<\/span>();
<\/span><\/span>$row =<\/span> $data-><\/span>fetch<\/span>();
<\/span><\/span>
<\/span><\/span>\/\/ 检查用户是否被锁定
<\/span><\/span><\/span><\/span>if<\/span>(($data-><\/span>rowCount<\/span>() ==<\/span> 1<\/span>) &&<\/span> ($row['failed_login'<\/span>] >=<\/span> $total_failed_login)) {
<\/span><\/span>    $last_login =<\/span> strtotime<\/span>($row['last_login'<\/span>]);
<\/span><\/span>    $timeout =<\/span> strtotime<\/span>("<\/span>{<\/span>$last_login}<\/span> +<\/span>{<\/span>$lockout_time}<\/span> minutes"<\/span>);
<\/span><\/span>    $timenow =<\/span> strtotime<\/span>("now"<\/span>);
<\/span><\/span>    
<\/span><\/span>    if<\/span>($timenow <<\/span> $timeout) {
<\/span><\/span>        $account_locked =<\/span> true<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 验证用户名和密码
<\/span><\/span><\/span><\/span>$data =<\/span> $db-><\/span>prepare<\/span>('SELECT * FROM users WHERE user = (:user) AND password = (:password) LIMIT 1;'<\/span>);
<\/span><\/span>$data-><\/span>bindParam<\/span>(':user'<\/span>, $user, PDO<\/span>::<\/span>PARAM_STR<\/span>);
<\/span><\/span>$data-><\/span>bindParam<\/span>(':password'<\/span>, $pass, PDO<\/span>::<\/span>PARAM_STR<\/span>);
<\/span><\/span>$data-><\/span>execute<\/span>();
<\/span><\/span>$row =<\/span> $data-><\/span>fetch<\/span>();
<\/span><\/span>
<\/span><\/span>if<\/span>(($data-><\/span>rowCount<\/span>() ==<\/span> 1<\/span>) &&<\/span> ($account_locked ==<\/span> false<\/span>)) {
<\/span><\/span>    \/\/ 登录成功，重置失败计数
<\/span><\/span><\/span><\/span>    $data =<\/span> $db-><\/span>prepare<\/span>('UPDATE users SET failed_login = "0" WHERE user = (:user) LIMIT 1;'<\/span>);
<\/span><\/span>    $data-><\/span>bindParam<\/span>(':user'<\/span>, $user, PDO<\/span>::<\/span>PARAM_STR<\/span>);
<\/span><\/span>    $data-><\/span>execute<\/span>();
<\/span><\/span>} else<\/span> {
<\/span><\/span>    \/\/ 登录失败，增加失败计数
<\/span><\/span><\/span><\/span>    sleep<\/span>(rand<\/span>(2<\/span>, 4<\/span>)); \/\/ 随机延迟
<\/span><\/span><\/span><\/span>    $data =<\/span> $db-><\/span>prepare<\/span>('UPDATE users SET failed_login = (failed_login + 1) WHERE user = (:user) LIMIT 1;'<\/span>);
<\/span><\/span>    $data-><\/span>bindParam<\/span>(':user'<\/span>, $user, PDO<\/span>::<\/span>PARAM_STR<\/span>);
<\/span><\/span>    $data-><\/span>execute<\/span>();
<\/span><\/span>    
<\/span><\/span>    \/\/ 更新最后登录时间
<\/span><\/span><\/span><\/span>    $data =<\/span> $db-><\/span>prepare<\/span>('UPDATE users SET last_login = now() WHERE user = (:user) LIMIT 1;'<\/span>);
<\/span><\/span>    $data-><\/span>bindParam<\/span>(':user'<\/span>, $user, PDO<\/span>::<\/span>PARAM_STR<\/span>);
<\/span><\/span>    $data-><\/span>execute<\/span>();
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3.5 文件包含漏洞防护<\/h3>
不安全示例(Low level):<\/strong><\/p>
$file =<\/span> $_GET['page'<\/span>];
<\/span><\/span>include<\/span>($file);
<\/span><\/span><\/code><\/pre>安全示例(Impossible level):<\/strong><\/p>
$file =<\/span> $_GET['page'<\/span>];
<\/span><\/span>\/\/ 只允许包含特定文件
<\/span><\/span><\/span><\/span>if<\/span>($file !=<\/span> "include.php"<\/span> &&<\/span> $file !=<\/span> "file1.php"<\/span> &&<\/span> $file !=<\/span> "file2.php"<\/span> &&<\/span> $file !=<\/span> "file3.php"<\/span>) {
<\/span><\/span>    echo<\/span> "ERROR: File not found!"<\/span>;
<\/span><\/span>    exit<\/span>;
<\/span><\/span>}
<\/span><\/span>include<\/span>($file);
<\/span><\/span><\/code><\/pre>3.6 文件上传漏洞防护<\/h3>
不安全示例(Low level):<\/strong><\/p>
$target_path =<\/span> "uploads\/"<\/span>;
<\/span><\/span>$target_path .=<\/span> basename<\/span>($_FILES['uploaded'<\/span>]['name'<\/span>]);
<\/span><\/span>move_uploaded_file<\/span>($_FILES['uploaded'<\/span>]['tmp_name'<\/span>], $target_path);
<\/span><\/span><\/code><\/pre>安全示例(Impossible level):<\/strong><\/p>
\/\/ 检查Anti-CSRF token
<\/span><\/span><\/span><\/span>checkToken<\/span>($_REQUEST['user_token'<\/span>], $_SESSION['session_token'<\/span>], 'index.php'<\/span>);
<\/span><\/span>
<\/span><\/span>\/\/ 文件信息
<\/span><\/span><\/span><\/span>$uploaded_name =<\/span> $_FILES['uploaded'<\/span>]['name'<\/span>];
<\/span><\/span>$uploaded_ext =<\/span> substr<\/span>($uploaded_name, strrpos<\/span>($uploaded_name, '.'<\/span>) +<\/span> 1<\/span>);
<\/span><\/span>$uploaded_size =<\/span> $_FILES['uploaded'<\/span>]['size'<\/span>];
<\/span><\/span>$uploaded_type =<\/span> $_FILES['uploaded'<\/span>]['type'<\/span>];
<\/span><\/span>$uploaded_tmp =<\/span> $_FILES['uploaded'<\/span>]['tmp_name'<\/span>];
<\/span><\/span>
<\/span><\/span>\/\/ 目标路径
<\/span><\/span><\/span><\/span>$target_path =<\/span> 'uploads\/'<\/span>;
<\/span><\/span>$target_file =<\/span> md5<\/span>(uniqid<\/span>() .<\/span> $uploaded_name) .<\/span> '.'<\/span> .<\/span> $uploaded_ext;
<\/span><\/span>
<\/span><\/span>\/\/ 验证文件类型和大小
<\/span><\/span><\/span><\/span>if<\/span>((strtolower<\/span>($uploaded_ext) ==<\/span> 'jpg'<\/span> ||<\/span> strtolower<\/span>($uploaded_ext) ==<\/span> 'jpeg'<\/span> ||<\/span> strtolower<\/span>($uploaded_ext) ==<\/span> 'png'<\/span>) &&<\/span>
<\/span><\/span>   ($uploaded_size <<\/span> 100000<\/span>) &&<\/span>
<\/span><\/span>   ($uploaded_type ==<\/span> 'image\/jpeg'<\/span> ||<\/span> $uploaded_type ==<\/span> 'image\/png'<\/span>) &&<\/span>
<\/span><\/span>   getimagesize<\/span>($uploaded_tmp)) {
<\/span><\/span>    
<\/span><\/span>    \/\/ 重新编码图像以去除元数据
<\/span><\/span><\/span><\/span>    if<\/span>($uploaded_type ==<\/span> 'image\/jpeg'<\/span>) {
<\/span><\/span>        $img =<\/span> imagecreatefromjpeg<\/span>($uploaded_tmp);
<\/span><\/span>        imagejpeg<\/span>($img, $temp_file, 100<\/span>);
<\/span><\/span>    } else<\/span> {
<\/span><\/span>        $img =<\/span> imagecreatefrompng<\/span>($uploaded_tmp);
<\/span><\/span>        imagepng<\/span>($img, $temp_file, 9<\/span>);
<\/span><\/span>    }
<\/span><\/span>    imagedestroy<\/span>($img);
<\/span><\/span>    
<\/span><\/span>    \/\/ 移动文件
<\/span><\/span><\/span><\/span>    if<\/span>(rename<\/span>($temp_file, $target_path .<\/span> $target_file)) {
<\/span><\/span>        echo<\/span> "<pre><a href='<\/span>{<\/span>$target_path}{<\/span>$target_file}<\/span>'><\/span>{<\/span>$target_file}<\/span><\/a> succesfully uploaded!<\/pre>"<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3.7 XSS防护<\/h3>
反射型XSS不安全示例(Low level):<\/strong><\/p>
echo<\/span> '<pre>Hello '<\/span> .<\/span> $_GET['name'<\/span>] .<\/span> '<\/pre>'<\/span>;
<\/span><\/span><\/code><\/pre>存储型XSS安全示例(Impossible level):<\/strong><\/p>
\/\/ 检查Anti-CSRF token
<\/span><\/span><\/span><\/span>checkToken<\/span>($_REQUEST['user_token'<\/span>], $_SESSION['session_token'<\/span>], 'index.php'<\/span>);
<\/span><\/span>
<\/span><\/span>\/\/ 获取并清理输入
<\/span><\/span><\/span><\/span>$message =<\/span> trim<\/span>($_POST['mtxMessage'<\/span>]);
<\/span><\/span>$name =<\/span> trim<\/span>($_POST['txtName'<\/span>]);
<\/span><\/span>
<\/span><\/span>\/\/ 清理消息输入
<\/span><\/span><\/span><\/span>$message =<\/span> stripslashes<\/span>($message);
<\/span><\/span>$message =<\/span> mysql_real_escape_string<\/span>($message);
<\/span><\/span>$message =<\/span> htmlspecialchars<\/span>($message);
<\/span><\/span>
<\/span><\/span>\/\/ 清理名称输入
<\/span><\/span><\/span><\/span>$name =<\/span> stripslashes<\/span>($name);
<\/span><\/span>$name =<\/span> mysql_real_escape_string<\/span>($name);
<\/span><\/span>$name =<\/span> htmlspecialchars<\/span>($name);
<\/span><\/span>
<\/span><\/span>\/\/ 使用预处理语句插入数据库
<\/span><\/span><\/span><\/span>$data =<\/span> $db-><\/span>prepare<\/span>('INSERT INTO guestbook (comment, name) VALUES (:message, :name);'<\/span>);
<\/span><\/span>$data-><\/span>bindParam<\/span>(':message'<\/span>, $message, PDO<\/span>::<\/span>PARAM_STR<\/span>);
<\/span><\/span>$data-><\/span>bindParam<\/span>(':name'<\/span>, $name, PDO<\/span>::<\/span>PARAM_STR<\/span>);
<\/span><\/span>$data-><\/span>execute<\/span>();
<\/span><\/span><\/code><\/pre>4. PHP伪协议<\/h2>
PHP支持多种伪协议，可能被用于攻击：<\/p>

file:\/\/\/var\/www\/html<\/code> - 访问本地文件系统<\/li>
ftp:\/\/<login>:<password>@<ftpserveraddress><\/code> - 访问FTP(s) URLs<\/li>
data:\/\/<\/code> - 数据流<\/li>
http:\/\/<\/code> - 访问HTTP(s) URLs<\/li>
php:\/\/<\/code> - 访问各个输入\/输出流<\/li>
zlib:\/\/<\/code> - 压缩流<\/li>
data:\/\/<\/code> - Data (RFC 2397)<\/li>
glob:\/\/<\/code> - 查找匹配的文件路径模式<\/li>
phar:\/\/<\/code> - PHP Archives<\/li>
sh2:\/\/<\/code> - Secure Shell 2<\/li>
rar:\/\/<\/code> - RAR<\/li>
ogg:\/\/<\/code> - Audio streams<\/li>
expect:\/\/<\/code> - 处理交互式的流<\/li>
<\/ul>
5. 安全开发建议<\/h2>

永远不要信任用户输入<\/strong>：所有用户输入都应被视为不可信的，必须进行验证和过滤<\/li>
使用预处理语句<\/strong>：防止SQL注入的最有效方法<\/li>
实施CSRF防护<\/strong>：为所有敏感操作使用Anti-CSRF token<\/li>
安全的会话管理<\/strong>：使用安全的会话配置和适当的会话超时<\/li>
安全的文件处理<\/strong>：限制文件系统访问，安全处理文件上传<\/li>
安全的错误处理<\/strong>：生产环境中不应显示详细错误信息<\/li>
使用最新版本的PHP<\/strong>：保持PHP版本更新以获取安全修复<\/li>
禁用危险函数<\/strong>：通过php.ini禁用不必要的危险函数<\/li>
实施适当的访问控制<\/strong>：确保用户只能访问他们被授权的资源<\/li>
安全的密码存储<\/strong>：使用强哈希算法如bcrypt存储密码<\/li>
<\/ol>
通过遵循这些安全规范和最佳实践，可以显著提高PHP应用程序的安全性，减少常见漏洞的风险。<\/p>