PHP Güvenlik Notları

Transcript

1. PHP Güvenlik Notları Friday, November 9, 12

2. PHP Güvenlik Notları Kod Okunurluğu PHP Ayarları SQL Injection Cross-site

   Scripting (XSS) Cross-site Request Forgery (CSRF) Friday, November 9, 12

3. Kod Okunurluğu Friday, November 9, 12

4. PHP Ayarları Her zaman: register_globals = Off allow_url_include, allow_url_fopen error_reporting,

   display_errors, log_errors Friday, November 9, 12

5. SQL Injection SELECT * FROM tablo WHERE id = $id

   register_globals = Off mysql_real_escape_string, pg_escape_string, PDO filter_input, filter_var Typecasting (integer) (boolean) (double) (float) addslashes = Yeterli değil! Friday, November 9, 12

6. Cross-site Scripting (XSS) include($dosya); echo $kullanicidan_gelen_veri; register_globals = Off allow_url_include

   = Off basename, realpath, preg_match htmlspecialchars, htmlentities, strip_tags Friday, November 9, 12

7. Cross-site Request Forgery (CSRF) <img src=”http://adres.com/gonder.php?yorum=Örnek”> Oturum bazlı doğrulayıcı anahtarlar

   (token) $_SERVER[‘HTTP_REFERER’] kontrol Ajax: $_SERVER[‘HTTP_X_REQUESTED_WITH’] kontrol Friday, November 9, 12

8. Sorular? Friday, November 9, 12

9. PHP ve Web Güvenliği ezber kartları! Friday, November 9, 12

10. Teşekkürler! http://php.net/manual/tr/security.php http://shiflett.org/php-security.pdf http://hi.do http://github.com/hdogan Twitter @hdogan Friday, November 9,

    12