XVII. Türkiye'de İnternet Konferansı (17th Internet in Turkey Conference) - Anadolu University, Eskişehir
PHP Security Notes
Friday, November 9, 12

PHP Security Notes
  Code Readability
  PHP Settings
  SQL Injection
  Cross-site Scripting (XSS)
  Cross-site Request Forgery (CSRF)

Code Readability

PHP Settings
  Always: register_globals = Off
  allow_url_include, allow_url_fopen
  error_reporting, display_errors, log_errors

SQL Injection
  SELECT * FROM tablo WHERE id = $id
  register_globals = Off
  mysql_real_escape_string, pg_escape_string, PDO
  filter_input, filter_var
  Typecasting: (integer) (boolean) (double) (float)
  addslashes = Not sufficient!
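As an added example (not from the slides), the slide's own `SELECT * FROM tablo WHERE id = $id` in its vulnerable form and then hardened with the measures the slide lists (typecasting, filter_var, PDO prepared statements); the in-memory SQLite database, the constructed sample rows and the function names are assumptions made here:

```php
<?php
// Added example, not from the slides: the slide's own query
// "SELECT * FROM tablo WHERE id = $id" in its vulnerable form, then
// hardened with the tools the slide lists (typecasting, filter_var, PDO).
// Assumes an in-memory SQLite database with constructed sample rows so
// the file runs stand-alone; the table name "tablo" comes from the slide.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tablo (id INTEGER PRIMARY KEY, ad TEXT)');
$pdo->exec("INSERT INTO tablo VALUES (1, 'ayse'), (2, 'mehmet'), (3, 'admin')");

// 1) Vulnerable: $id is pasted into the SQL text. There are no quotes
//    around $id, which is exactly why addslashes() is not sufficient here.
function findVulnerable(PDO $pdo, string $id): array
{
    return $pdo->query("SELECT * FROM tablo WHERE id = $id")
               ->fetchAll(PDO::FETCH_ASSOC);
}

// 2) Typecasting: (int) keeps only the leading integer of the input, so
//    nothing but a number can reach the query. Fine for numeric columns.
function findByCast(PDO $pdo, string $id): array
{
    $safeId = (int) $id;
    return $pdo->query("SELECT * FROM tablo WHERE id = $safeId")
               ->fetchAll(PDO::FETCH_ASSOC);
}

// 3) Validate, then bind: filter_var rejects anything that is not an
//    integer, and the prepared statement never parses the value as SQL.
function findValidated(PDO $pdo, string $id): ?array
{
    $valid = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($valid === false) {
        return null;                       // reject, log, or return 400 here
    }
    $stmt = $pdo->prepare('SELECT * FROM tablo WHERE id = :id');
    $stmt->bindValue(':id', $valid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The same untrusted value through each version: the vulnerable query
// matches every row, the cast sees only 2, the validated one refuses it.
$input = '2 OR 1=1';
printf("vulnerable: %d rows\n", count(findVulnerable($pdo, $input)));
printf("cast:       %d rows\n", count(findByCast($pdo, $input)));
printf("validated:  %s\n", findValidated($pdo, $input) === null ? 'rejected' : 'ok');
```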
Cross-site Scripting (XSS)
  include($dosya);
  echo $kullanicidan_gelen_veri;
  register_globals = Off
  allow_url_include = Off
  basename, realpath, preg_match
  htmlspecialchars, htmlentities, strip_tags

Cross-site Request Forgery (CSRF)
  Session-based verification keys (tokens)
  $_SERVER['HTTP_REFERER'] check
  Ajax: $_SERVER['HTTP_X_REQUESTED_WITH'] check

Questions?

PHP and Web Security flashcards!

Thanks!
  http://php.net/manual/tr/security.php
  http://shiflett.org/php-security.pdf
  http://hi.do
  http://github.com/hdogan
  Twitter: @hdogan