PHP: Difference between revisions
| Geist (talk | contribs) | Geist (talk | contribs)  | ||
| (20 intermediate revisions by the same user not shown) | |||
| Zeile 1: | Zeile 1: | ||
| − | === Secure "included php files" === | + | ==== Secure "included php files" ==== | 
|   '''index.php''' |   '''index.php''' | ||
|   <?php |   <?php | ||
| Zeile 10: | Zeile 10: | ||
|        if((!defined("z"))){exit;} |        if((!defined("z"))){exit;} | ||
|   ?> |   ?> | ||
| + | |||
| + |  [https://github.com/HackBugZ/PHP-SECURE-INCLUDE-FILE HackBugZ | PHP-SECURE-INCLUDE-FILE] | ||
| + | |||
| + | ===== f611e2d0c2b292bce687e6c090956d63e396124abc17c2a2fa662c7ff6118ef2b43388c9d007cd2fadcad7d7952e6f855826028d58e5b1edd7264b2797996381 ===== | ||
| + |  [https://github.com/blockchainoffice/php-hackbugz/projects/ Secure php dynamic code build.] | ||
| + | |||
| + | ==== $_GET[] | Query Navigation ==== | ||
| + | '''Example 1''' | ||
| + |  <?php | ||
| + |     $PAGES          = array(); | ||
| + |     $PAGES = [ | ||
| + |        'home'       => 'home.html' | ||
| + |       ,'about'      => 'about.php' | ||
| + |       ,'contact'    => 'somedir/contact.php' | ||
| + |     ]; | ||
| + |     @include(substr($PAGES[$_GET['p']] ?? ('home'), 0, 255)); | ||
| + |     exit; | ||
| + |  ?> | ||
| + | |||
| + | '''Example 2''' | ||
| + | |||
| + |  <?php | ||
| + |     $PAGES          = array();   | ||
| + |     $PAGES = [ | ||
| + |        'home'       => 'home.html' | ||
| + |       ,'about'      => 'about.php' | ||
| + |       ,'contact'    => 'somedir/contact.php' | ||
| + |     ]; | ||
| + |     @include($PAGES[$_GET['p']] ?? ('home')); | ||
| + |     exit; | ||
| + |  ?> | ||
| + | |||
| + | '''CHANGE MAX UPLOAD FILESIZE ''' | ||
| + | |||
| + |  You can try it with .user.ini or .htaccess or ini_set(in your php script) | ||
| + |  For me .user.ini works perfectly | ||
| + | |||
| + |  1. Create a new file(0644 on Linux) .user.ini on your webspace/working dir with | ||
| + |  max_execution_time = 10000 | ||
| + |  upload_max_filesize = 5000M | ||
| + |  post_max_size = 5000M | ||
| + | |||
| + |  This is my config file .user.ini on my webspace and it works. | ||
| + |  You can change the values to your needs. | ||
| + | |||
| + |  2. Create a new file(0644 on Linux) .htaccess on your webspace/working dir with | ||
| + |  php_value upload_max_filesize 1000M | ||
| + |  php_value post_max_size 1000M | ||
| + |  ! Don't forget the first dot/point at the beginning of the file. | ||
| + | |||
| + |  3. Put this on the beginning of your php script | ||
| + |  ini_set('upload_max_filesize', '1000M'); | ||
| + |  ini_set('max_execution_time', '1000'); | ||
| + |  ini_set('memory_limit', '128M'); | ||
| + |  ini_set('post_max_size', '1000M'); | ||
| + | |||
| + |  If this won't work(and you can't modify php.ini) than call your webhoster and ask him, what you can do :) | ||
| + | |||
| + | '''CHECK FOR DUPLICATE FILE WITH''' | ||
| + | |||
| + |  '''$ sha1_file($file)''' | ||
| + | |||
| + |  '''$ md5_file($file)''' | ||
| + | |||
| + |  '''$ file_get_contents($file)''' | ||
| + | |||
| + |  [https://stackoverflow.com/questions/2293902/is-sha-sufficient-for-checking-file-duplication-sha1-file-in-php Is SHA sufficient for checking file duplication? (sha1_file in PHP)] | ||
| + | |||
| + | ==== GET PATH OR FILE URL ==== | ||
| + |  ''' echo __DIR__; ''' | ||
| + |  ''' echo __FILE__; ''' | ||
| + | |||
| + | ==== ternary operator ==== | ||
| + |  php short if/else | ||
| + |  [https://davidwalsh.name/php-ternary-examples PHP Shorthand If / Else Examples] | ||
| + |  [https://stitcher.io/blog/shorthand-comparisons-in-php Shorthand comparisons in PHP] | ||
| + | |||
| + | ==== PHP ERROR HANDLING IN SCRIPT ==== | ||
| + |  [https://www.php.net/manual/en/language.exceptions.php Exceptions] | ||
| + |  ''' try{}''' | ||
| + |  ''' catch{}''' | ||
| + |  ''' finally{}''' | ||
| + |  [https://www.php.net/manual/de/errorfunc.configuration.php#ini.error-reporting Laufzeit-Konfiguration] | ||
| + | |||
| + | ==== prevent code injection attacks in PHP ==== | ||
| + | |||
| + |  mysql_real_escape_string used when insert into database | ||
| + |  htmlentities() used when outputting data into webpage | ||
| + |  htmlspecialchars() used when? | ||
| + |  strip_tags() used when? | ||
| + |  addslashes() used when? | ||
| + | |||
| + |  htmlspecialchars() used when? | ||
| + |  [https://www.php.net/manual/de/function.htmlspecialchars.php htmlspecialchars] | ||
| + | |||
| + |  htmlspecialchars is roughly the same as htmlentities. The difference: character encodings. | ||
| + | |||
| + |  Both encode control characters like <, >, & and so on used for opening tags etc. htmlentities also encode chars from other languages like umlauts, euro-symbols and such. If your websites are UTF, use htmlspecialchars(), otherwise use htmlentities(). | ||
| + |  [https://stackoverflow.com/questions/1205889/how-to-prevent-code-injection-attacks-in-php How to prevent code injection attacks in PHP?] | ||
| + | |||
| + | ==== ALL POST DATA PHP ==== | ||
| + | |||
| + |  '''foreach ($_POST as $key => $value) {''' | ||
| + |  '''   echo "Field ".htmlspecialchars($key)." is ".htmlspecialchars($value);''' | ||
| + |  ''' }''' | ||
| + | |||
| + |  [https://stackoverflow.com/questions/6334830/php-possible-to-automatically-get-all-posted-data PHP: Possible to automatically get all POSTed data?] | ||
| + | |||
| + | ==== How can I prevent SQL injection in PHP? ==== | ||
| + | |||
| + |  [https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php How can I prevent SQL injection in PHP?] | ||
| + | |||
| + | ==== SETCOOKIE WITH PHP AND CHECK|READ ==== | ||
| + | |||
| + |  https://stackoverflow.com/a/73766732/15125291 | ||
| + | |||
| + | ==== UNSET|DELETE COOKIE WITH ==== | ||
| + | |||
| + |  https://stackoverflow.com/a/73826189/15125291 | ||
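Review bot: the fallback in both "$_GET[] | Query Navigation" examples is wrong: `@include($PAGES[$_GET['p']] ?? ('home'));` includes a file literally named `home` when `p` is missing or unknown instead of `$PAGES['home']`, and the `@` hides the resulting warning; use `$PAGES[$_GET['p']] ?? $PAGES['home']` without `@`, and reject a non-string `p` (`?p[]=x`) before the lookup, since an array is an illegal offset. The `substr(..., 0, 255)` in Example 1 clamps a value that already comes from the whitelist, so it adds no protection. Under "CHANGE MAX UPLOAD FILESIZE", option 3 cannot work: `upload_max_filesize` and `post_max_size` are PHP_INI_PERDIR settings, so `ini_set()` on them returns false at runtime; only php.ini, .user.ini or .htaccess (the latter only under mod_php) can change them. Under "prevent code injection attacks in PHP", `mysql_real_escape_string` belongs to the mysql extension removed in PHP 7.0; the section should point at prepared statements (PDO/mysqli) instead, and `strip_tags()` and `addslashes()` should not be listed as injection defences.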
Current revision as of 23 September 2022, 11:23
Secure "included php files"
index.php
<?php
     // Define a marker constant before pulling in the shared file. Only requests
     // that enter through index.php will have it defined.
     if (!defined('z')) { define('z', '0'); }
     include('file.php');
?>
file.php
<?php
     // Refuse to run when requested directly (e.g. /file.php in the browser):
     // without the marker, stop before any of this file's code executes.
     if (!defined('z')) { exit; }
?>
The marker only stops direct requests for file.php; keeping included files outside the web root (or denying them in the web server) is still the primary control.
HackBugZ | PHP-SECURE-INCLUDE-FILE: https://github.com/HackBugZ/PHP-SECURE-INCLUDE-FILE
f611e2d0c2b292bce687e6c090956d63e396124abc17c2a2fa662c7ff6118ef2b43388c9d007cd2fadcad7d7952e6f855826028d58e5b1edd7264b2797996381
Secure php dynamic code build: https://github.com/blockchainoffice/php-hackbugz/projects/
$_GET[] | Query Navigation
Example 1
<?php
   // Whitelist: the request parameter is only ever used as an array key, never
   // as part of a path, so "../" or "php://" tricks cannot reach include().
   $PAGES = [
      'home'       => 'home.html'
     ,'about'      => 'about.php'
     ,'contact'    => 'somedir/contact.php'
   ];
   // Unknown or missing keys fall back to the home entry (the original fell back
   // to the bare string 'home', which is not a file). substr() only clamps the
   // length of the whitelisted value and adds no security. An array in p
   // (?p[]=x) is an illegal offset, so only strings are looked up.
   $p = isset($_GET['p']) && is_string($_GET['p']) ? $_GET['p'] : 'home';
   include(substr($PAGES[$p] ?? $PAGES['home'], 0, 255));
   exit;
?>
Example 2
<?php
   // Same whitelist as Example 1, without the redundant length clamp.
   $PAGES = [
      'home'       => 'home.html'
     ,'about'      => 'about.php'
     ,'contact'    => 'somedir/contact.php'
   ];
   // Fall back to the home entry, not the bare string 'home' as in the original;
   // no "@", so a missing file produces a logged warning instead of silence.
   $p = isset($_GET['p']) && is_string($_GET['p']) ? $_GET['p'] : 'home';
   include($PAGES[$p] ?? $PAGES['home']);
   exit;
?>
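The same whitelist router as an added example (not code from the original page or from the linked repositories), written as a function so it can be run from the command line against the inputs an attacker sends to an include()-based router. The page names under PAGES are assumptions, and nothing is actually included; the resolved path is printed instead.

```php
<?php
// Added example: whitelist-based page routing exercised against hostile input.
// PAGES entries are assumed file names; resolve_page() only returns a path.
declare(strict_types=1);

const PAGES = [
    'home'    => 'home.html',
    'about'   => 'about.php',
    'contact' => 'somedir/contact.php',
];

/**
 * Map the request parameter to a file from the whitelist.
 * Returns the whitelisted path, or the home page when the key is unknown,
 * missing, not a string, or not a plain identifier.
 */
function resolve_page($p): string
{
    // Only plain strings are acceptable keys; ?p[]=x arrives as an array and
    // would be an illegal offset, so it is rejected before the lookup.
    if (!is_string($p) || !preg_match('/^[a-z0-9_-]{1,32}$/', $p)) {
        return PAGES['home'];
    }
    // Array lookup, never string concatenation: the user value is a key, not a path.
    return PAGES[$p] ?? PAGES['home'];
}

// Constructed sample inputs: the legitimate cases plus what an attacker
// typically sends to a dynamic include.
$samples = [
    'about',
    'contact',
    null,                                                    // p missing
    ['x'],                                                   // ?p[]=x
    '../../../../etc/passwd',                                // path traversal
    'php://filter/convert.base64-encode/resource=index.php', // stream wrapper
    "about\0",                                               // embedded NUL byte
    'ABOUT',                                                 // keys are case-sensitive
];

foreach ($samples as $p) {
    printf("%-60s -> %s\n", json_encode($p), resolve_page($p));
}
```

Every line except the first two resolves to home.html: the attacker-controlled value never becomes part of a path, so traversal, wrappers and encoding tricks have nothing to act on.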
CHANGE MAX UPLOAD FILESIZE
You can try it with .user.ini or .htaccess or ini_set() in your PHP script. For me .user.ini works perfectly.
1. Create a new file (0644 on Linux) .user.ini in your webspace/working dir with
   max_execution_time = 10000
   upload_max_filesize = 5000M
   post_max_size = 5000M
This is my config file .user.ini on my webspace and it works. You can change the values to your needs.
.user.ini is only read when PHP runs as CGI/FastCGI (php-fpm); it applies to that directory and its subdirectories and is re-read every user_ini.cache_ttl seconds (300 by default), so a change can take up to five minutes to show. post_max_size must be at least as large as upload_max_filesize, otherwise the smaller value is the real limit.
2. Create a new file (0644 on Linux) .htaccess in your webspace/working dir with
   php_value upload_max_filesize 1000M
   php_value post_max_size 1000M
   ! Don't forget the dot at the beginning of the file name.
php_value only works when PHP runs as an Apache module (mod_php) and AllowOverride permits it; under php-fpm Apache does not know the directive and answers every request in that directory with a 500 error.
3. Put this at the beginning of your PHP script
   ini_set('upload_max_filesize', '1000M'); // no effect: PHP_INI_PERDIR, ini_set() returns false
   ini_set('max_execution_time', '1000');
   ini_set('memory_limit', '128M');
   ini_set('post_max_size', '1000M');       // no effect: PHP_INI_PERDIR, ini_set() returns false
upload_max_filesize and post_max_size are fixed before the request body is parsed, so they cannot be raised from the script that receives the upload; of this list only max_execution_time and memory_limit can be changed at runtime.
If this doesn't work (and you can't modify php.ini), then contact your web host and ask what you can do :)
Limits of several gigabytes combined with a max_execution_time of 10000 seconds let a single client tie up a worker and disk space for hours; set them no higher than the largest upload the application actually needs.
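An added example (not from the original page) that shows how to check which upload limits are actually in effect after php.ini, .user.ini or .htaccess, and how to handle the error codes PHP sets when a request or file exceeds them. It needs PHP 8.0+ for match; the form field name "f" and the 20 MiB application limit are assumptions for the demonstration.

```php
<?php
// Added example: report effective upload limits and classify upload failures.
declare(strict_types=1);

/** Convert a php.ini shorthand value such as "5000M" or "2G" to bytes. */
function ini_bytes(string $v): int
{
    $v = trim($v);
    $unit = strtoupper(substr($v, -1));
    $n = (int) $v;                       // (int)"5000M" === 5000
    return match ($unit) {
        'G'     => $n * 1024 ** 3,
        'M'     => $n * 1024 ** 2,
        'K'     => $n * 1024,
        default => $n,
    };
}

/** Effective limits as PHP sees them; the smaller one is the real limit. */
function effective_upload_limits(): array
{
    $upload = ini_bytes((string) ini_get('upload_max_filesize'));
    $post   = ini_bytes((string) ini_get('post_max_size'));
    return [
        'upload_max_filesize' => $upload,
        'post_max_size'       => $post,
        'effective'           => min($upload, $post),
    ];
}

/** Return null when the entry from $_FILES is usable, otherwise the reason. */
function upload_problem(array $file, int $app_limit): ?string
{
    // When the body exceeds post_max_size PHP discards $_POST and $_FILES
    // entirely; the only signal is an empty entry with a non-empty request body.
    if ($file === [] && (int) ($_SERVER['CONTENT_LENGTH'] ?? 0) > 0) {
        return 'request larger than post_max_size=' . ini_get('post_max_size');
    }
    return match ($file['error'] ?? UPLOAD_ERR_NO_FILE) {
        UPLOAD_ERR_OK        => ($file['size'] > $app_limit)
                                ? "file exceeds application limit of $app_limit bytes"
                                : null,
        UPLOAD_ERR_INI_SIZE  => 'file exceeds upload_max_filesize=' . ini_get('upload_max_filesize'),
        UPLOAD_ERR_FORM_SIZE => 'file exceeds MAX_FILE_SIZE from the form',
        UPLOAD_ERR_PARTIAL   => 'file only partially uploaded',
        UPLOAD_ERR_NO_FILE   => 'no file was uploaded',
        default              => 'upload failed with error code ' . $file['error'],
    };
}

// These two are PHP_INI_PERDIR: ini_set() returns false and changes nothing,
// which is why raising them from the receiving script does not work.
var_dump(ini_set('upload_max_filesize', '1000M'));
print_r(effective_upload_limits());

// Constructed $_FILES['f'] entries, shaped as PHP populates them, for an offline run.
$app_limit = 20 * 1024 ** 2;
foreach ([
    ['name' => 'a.pdf', 'size' => 1024,            'error' => UPLOAD_ERR_OK],
    ['name' => 'b.iso', 'size' => 3 * 1024 ** 3,   'error' => UPLOAD_ERR_INI_SIZE],
    ['name' => 'c.bin', 'size' => 30 * 1024 ** 2,  'error' => UPLOAD_ERR_OK],
] as $f) {
    echo $f['name'], ': ', upload_problem($f, $app_limit) ?? 'ok', "\n";
}
```

In a real handler the argument to upload_problem() is `$_FILES['f'] ?? []`; checking the error code before touching `tmp_name` matters because a partially uploaded or oversized file still has a temporary path that must not be moved into place.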
CHECK FOR DUPLICATE FILE WITH
sha1_file($file)
md5_file($file)
file_get_contents($file)
Is SHA sufficient for checking file duplication? (sha1_file in PHP): https://stackoverflow.com/questions/2293902/is-sha-sufficient-for-checking-file-duplication-sha1-file-in-php
Comparing two file_get_contents() results with === is the exact check but reads both files into memory. A hash is a shortcut: md5 and sha1 collisions can be crafted, so if the files come from users (an attacker may want a malicious upload to be "deduplicated" into a benign one that is already trusted), use hash_file('sha256', ...) and confirm a hash match by comparing sizes and contents before merging.
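An added example (not from the original page) that deduplicates a set of files by content: size first (cheap), then SHA-256 instead of md5/sha1, and a byte-for-byte comparison to confirm, so a crafted hash collision can never make a different file count as a duplicate. The sample files and their contents are constructed in a temporary directory.

```php
<?php
// Added example: content-based duplicate detection with a confirming byte compare.
declare(strict_types=1);

/** Return true only if the two files have identical contents. */
function same_content(string $a, string $b): bool
{
    if (filesize($a) !== filesize($b)) {
        return false;
    }
    $fa = fopen($a, 'rb');
    $fb = fopen($b, 'rb');
    if ($fa === false || $fb === false) {
        throw new RuntimeException("cannot open $a or $b");
    }
    try {
        while (!feof($fa)) {
            if (fread($fa, 65536) !== fread($fb, 65536)) {
                return false;
            }
        }
        return true;
    } finally {
        fclose($fa);
        fclose($fb);
    }
}

/**
 * Group paths by content. Returns a list of groups, e.g. [['a','b'], ['c']].
 * Buckets by (size, sha256) so most non-duplicates are never byte-compared;
 * the byte comparison has the final word on every candidate match.
 */
function find_duplicates(array $paths): array
{
    $groups = [];
    foreach ($paths as $path) {
        $key = filesize($path) . ':' . hash_file('sha256', $path);
        // A hash match is a strong hint, never proof: confirm before merging.
        foreach ($groups[$key] ?? [] as $i => $group) {
            if (same_content($group[0], $path)) {
                $groups[$key][$i][] = $path;
                continue 2;
            }
        }
        $groups[$key][] = [$path];
    }
    return array_merge(...array_values($groups));
}

// Constructed sample files; contents are made up for the demonstration.
$dir = sys_get_temp_dir() . '/dedup_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/a.txt", "hello world\n");
file_put_contents("$dir/b.txt", "hello world\n");   // duplicate of a.txt
file_put_contents("$dir/c.txt", "hello wor1d\n");   // same size, one byte differs
file_put_contents("$dir/d.txt", "");                // empty file

foreach (find_duplicates(glob("$dir/*.txt")) as $group) {
    echo count($group) > 1 ? 'duplicates: ' : 'unique:     ';
    echo implode(', ', array_map('basename', $group)), "\n";
}
array_map('unlink', glob("$dir/*.txt"));
rmdir($dir);
```

The size prefix in the bucket key means an attacker who could somehow produce a SHA-256 collision would also need an identical length, and the byte comparison still rejects it; the cost is one extra read only for files whose size and hash both match.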
GET PATH OR FILE URL
echo __DIR__;
echo __FILE__;
These are the directory and the full path of the current script file on disk, not URLs. Prefix include paths with __DIR__ instead of relying on include_path or the current working directory, which differ between CLI and web requests and can otherwise let a different file be picked up.
ternary operator
PHP short if/else
PHP Shorthand If / Else Examples: https://davidwalsh.name/php-ternary-examples
Shorthand comparisons in PHP: https://stitcher.io/blog/shorthand-comparisons-in-php
PHP ERROR HANDLING IN SCRIPT
Exceptions: https://www.php.net/manual/en/language.exceptions.php
try{}
catch{}
finally{}
Runtime configuration (error_reporting): https://www.php.net/manual/de/errorfunc.configuration.php#ini.error-reporting
In production set display_errors=Off and log_errors=On so that messages, file paths and stack traces go to the server log and never into the response; a catch block should log the exception and return a generic message to the client.
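An added example (not from the original page) of try/catch/finally combined with the runtime configuration: warnings are promoted to ErrorException so the same catch blocks cover them, full detail is logged server-side, and the client only ever sees a generic message. The config-loading function, the log destination and the sample files are assumptions for the demonstration (PHP 7.3+ for JSON_THROW_ON_ERROR).

```php
<?php
// Added example: exception-based error handling that keeps detail out of the response.
declare(strict_types=1);

// Production baseline: never render errors into the response, always log them.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

// Promote warnings/notices (e.g. a failed file_get_contents) to ErrorException
// so they cannot be silently ignored and reach the same catch blocks.
set_error_handler(function (int $no, string $str, string $file, int $line): bool {
    if (!(error_reporting() & $no)) {
        return false;           // suppressed with @ or disabled: default handling
    }
    throw new ErrorException($str, 0, $no, $file, $line);
});

/** Read a JSON config file; any failure surfaces as an exception. */
function load_config(string $path): array
{
    $raw = file_get_contents($path);          // warning -> ErrorException
    $cfg = json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($cfg)) {
        throw new UnexpectedValueException('config root must be an object');
    }
    return $cfg;
}

/** Handle one request; returns the text to send back to the client. */
function handle(string $path): string
{
    $lock = fopen('php://memory', 'w+');      // stands in for a real resource
    try {
        $cfg = load_config($path);
        return 'loaded ' . count($cfg) . ' settings';
    } catch (JsonException $e) {
        error_log("bad config $path: " . $e->getMessage());
        return 'configuration error';         // no path, no message, no trace
    } catch (Throwable $e) {
        // Class, message and file:line go to the server log only.
        error_log(sprintf('%s: %s in %s:%d', get_class($e), $e->getMessage(),
                          $e->getFile(), $e->getLine()));
        return 'internal error';
    } finally {
        fclose($lock);                        // runs on success, failure and early return
    }
}

// Constructed inputs: a missing file, a malformed file and a valid one.
$good = tempnam(sys_get_temp_dir(), 'cfg');
file_put_contents($good, '{"debug": false, "timeout": 30}');
$bad = tempnam(sys_get_temp_dir(), 'cfg');
file_put_contents($bad, '{not json');

foreach (['/nonexistent/config.json', $bad, $good] as $p) {
    echo handle($p), "\n";
}
unlink($good);
unlink($bad);
```

Catching Throwable (not just Exception) also covers TypeError and other Error subclasses thrown by the engine; without the error handler, the failed read would only have emitted a warning and json_decode would have been handed false.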
prevent code injection attacks in PHP
mysql_real_escape_string() used when inserting into the database. The mysql extension it belongs to was removed in PHP 7.0; use prepared statements (PDO or mysqli) and, only if you must build the query string yourself, mysqli_real_escape_string() on values that are placed inside quotes.
htmlentities() used when outputting data into a web page.
htmlspecialchars() used when outputting data into HTML text or attribute values; pass ENT_QUOTES and the page charset, because before PHP 8.1 the default flags leave single quotes unencoded, which lets a value break out of a single-quoted attribute.
strip_tags() used when markup should be removed for display. It is not an escaping function: what it leaves behind is not encoded, so it is no defence against XSS.
addslashes() used for PHP-style string quoting only; it is not a safe escaping function for SQL or HTML.
htmlspecialchars: https://www.php.net/manual/de/function.htmlspecialchars.php
htmlspecialchars() is roughly the same as htmlentities(). The difference: character encodings.
Both encode the special characters <, >, &, " and (with ENT_QUOTES) ' that open tags, attributes and entities. htmlentities() additionally encodes characters from other languages such as umlauts or the euro symbol as named entities. If your website is served as UTF-8, use htmlspecialchars(); otherwise use htmlentities().
How to prevent code injection attacks in PHP?: https://stackoverflow.com/questions/1205889/how-to-prevent-code-injection-attacks-in-php
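An added example (not from the original page) that runs the functions listed above against one constructed XSS payload, so the difference between encoding for a context and "cleaning" is visible. The helper names e() and e_js() are assumptions, not PHP built-ins.

```php
<?php
// Added example: context-correct output encoding versus strip_tags/addslashes.
declare(strict_types=1);

/** Encode for HTML text and for double- or single-quoted attribute values. */
function e(string $s): string
{
    // ENT_QUOTES: encode ' as well as " (the pre-8.1 default leaves ' alone).
    // ENT_SUBSTITUTE: replace invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Encode for a JavaScript string literal inside a <script> block. */
function e_js(string $s): string
{
    // A JSON string is a valid JS literal; the HEX flags also neutralise
    // </script> and quotes so the value can close neither the tag nor the literal.
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
                           | JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR);
}

// Constructed attacker input aimed at a single-quoted attribute and a script block.
$input = "' onmouseover='alert(1)' x=\"<script>alert(2)</script>\" &amp; Grüße €";

// 1. Encoded for each context: the payload is inert in all three.
echo "<p>", e($input), "</p>\n";
echo "<input value='", e($input), "'>\n";
echo "<script>var name = ", e_js($input), ";</script>\n";

// 2. Why the other functions from the list are not a defence:
// strip_tags() removes the <script> element but leaves the attribute breakout intact ...
echo "strip_tags  : ", strip_tags($input), "\n";
// ... and addslashes() only adds backslashes, which mean nothing to an HTML parser.
echo "addslashes  : ", addslashes($input), "\n";

// 3. htmlentities() differs from htmlspecialchars() only for non-ASCII:
// ü and € become named entities; the dangerous characters are handled the same.
echo "htmlentities: ", htmlentities($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), "\n";
```

Encode exactly once, at output time, with the function for the context the value lands in; the stored `&amp;` in the sample is shown to the user as the literal text they typed, which is the correct behaviour, not double encoding.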
ALL POST DATA PHP
foreach ($_POST as $key => $value) {
    // Nested fields (name="a[]") arrive as arrays; show them as JSON so
    // htmlspecialchars() is never handed an array (a TypeError in PHP 8).
    $shown = is_array($value) ? json_encode($value) : $value;
    echo "Field " . htmlspecialchars($key) . " is " . htmlspecialchars($shown);
}
PHP: Possible to automatically get all POSTed data?: https://stackoverflow.com/questions/6334830/php-possible-to-automatically-get-all-posted-data
How can I prevent SQL injection in PHP?
Use prepared statements with bound parameters (PDO or mysqli) so that the query text never contains user data. Escaping functions are a fallback that only works for quoted string values, and identifiers (table or column names) cannot be bound at all, so they have to be whitelisted.
How can I prevent SQL injection in PHP?: https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php
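An added example (not from the original page or the linked answer): the same lookup written with string concatenation and with a prepared statement, run against an in-memory SQLite database (needs the pdo_sqlite extension) so the injection is visible without a MySQL server. The table, rows and payload are constructed for the demonstration.

```php
<?php
// Added example: vulnerable concatenation next to a prepared statement, plus
// identifier whitelisting for the part of a query that cannot be bound.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$db->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

/** Vulnerable: user input is pasted into the SQL text. */
function find_user_unsafe(PDO $db, string $name): array
{
    $sql = "SELECT name, role FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll();
}

/** Safe: the query text is fixed, the value travels as a bound parameter. */
function find_user_safe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll();
}

/** Identifiers cannot be bound: map the request value through a whitelist. */
function find_users_sorted(PDO $db, string $column): array
{
    $allowed = ['name' => 'name', 'role' => 'role'];
    $col = $allowed[$column] ?? 'name';
    return $db->query("SELECT name, role FROM users ORDER BY $col")->fetchAll();
}

// Constructed attacker input: closes the quote and makes the WHERE clause always true.
$payload = "x' OR '1'='1";

echo "unsafe: ", json_encode(find_user_unsafe($db, $payload)), "\n";   // both rows leak
echo "safe:   ", json_encode(find_user_safe($db, $payload)), "\n";     // no such user: []
echo "legit:  ", json_encode(find_user_safe($db, 'alice')), "\n";
echo "sorted: ", json_encode(find_users_sorted($db, "role; DROP TABLE users")), "\n";
```

With a bound parameter the payload is compared as the literal string `x' OR '1'='1` and matches nothing; the ORDER BY case shows the whitelist approach from the page's $_GET navigation section applied to the one query part that placeholders cannot cover.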
SETCOOKIE WITH PHP AND CHECK|READ
https://stackoverflow.com/a/73766732/15125291
UNSET|DELETE COOKIE WITH
https://stackoverflow.com/a/73826189/15125291
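An added example (not from the original page or the two linked answers) covering both cookie sections: set a cookie with the attributes a session or preference cookie should carry, read it back defensively, and delete it by resending it with an expiry in the past. The cookie name, path, lifetime and value format are assumptions; it needs PHP 7.3+ for the options array, and browsers only honour the Secure attribute on an https:// origin.

```php
<?php
// Added example: set, check/read and delete a cookie with hardening attributes.
declare(strict_types=1);

const COOKIE_NAME = 'pref';   // assumed cookie name

/** Set the cookie; must run before any output. Returns setcookie()'s result. */
function set_pref_cookie(string $value, int $ttl = 86400 * 30): bool
{
    // setcookie() URL-encodes the value, so ';' or '=' in it cannot inject
    // further attributes (setrawcookie() would not do this).
    return setcookie(COOKIE_NAME, $value, [
        'expires'  => time() + $ttl,
        'path'     => '/',
        'secure'   => true,      // only sent over HTTPS
        'httponly' => true,      // invisible to document.cookie, so XSS cannot read it
        'samesite' => 'Lax',     // not sent on cross-site POSTs (CSRF mitigation)
    ]);
}

/** Read the cookie; null when absent, not a plain string, or malformed. */
function read_pref_cookie(): ?string
{
    $v = $_COOKIE[COOKIE_NAME] ?? null;
    if (!is_string($v) || !preg_match('/^[a-z]{1,16}$/', $v)) {
        return null;             // anything unexpected is treated as "not set"
    }
    return $v;
}

/** Delete: resend the same name, path and attributes with an expiry in the past. */
function delete_pref_cookie(): bool
{
    unset($_COOKIE[COOKIE_NAME]);    // also forget it for the rest of this request
    return setcookie(COOKIE_NAME, '', [
        'expires'  => time() - 3600,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Request handling: ?pref=dark sets, ?pref=reset deletes, anything else reads.
$action = $_GET['pref'] ?? null;
if ($action === 'reset') {
    delete_pref_cookie();
    echo "cookie deleted\n";
} elseif (is_string($action) && preg_match('/^[a-z]{1,16}$/', $action)) {
    set_pref_cookie($action);
    echo "cookie set\n";
} else {
    echo 'current value: ', read_pref_cookie() ?? '(none)', "\n";
}
```

A browser only replaces or drops a cookie whose name, path and domain all match, which is why delete_pref_cookie() repeats the attributes used when setting it; unsetting $_COOKIE alone would change nothing on the client.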