PHP Güvenlik Notları

Transcript

1. 1.

   PHP Güvenlik Notları Friday, November 9, 12

2. 2.

   PHP Güvenlik Notları Kod Okunurluğu PHP Ayarları SQL Injection Cross-site

   Scripting (XSS) Cross-site Request Forgery (CSRF) Friday, November 9, 12
3. 3.

   Kod Okunurluğu Friday, November 9, 12

4. 4.

   PHP Ayarları Her zaman: register_globals = Off allow_url_include, allow_url_fopen error_reporting,

   display_errors, log_errors Friday, November 9, 12
5. 5.

   SQL Injection SELECT * FROM tablo WHERE id = $id

   register_globals = Off mysql_real_escape_string, pg_escape_string, PDO filter_input, filter_var Typecasting (integer) (boolean) (double) (float) addslashes = Yeterli değil! Friday, November 9, 12
6. 6.

   Cross-site Scripting (XSS) include($dosya); echo $kullanicidan_gelen_veri; register_globals = Off allow_url_include

   = Off basename, realpath, preg_match htmlspecialchars, htmlentities, strip_tags Friday, November 9, 12
7. 7.

   Cross-site Request Forgery (CSRF) <img src=”http://adres.com/gonder.php?yorum=Örnek”> Oturum bazlı doğrulayıcı anahtarlar

   (token) $_SERVER[‘HTTP_REFERER’] kontrol Ajax: $_SERVER[‘HTTP_X_REQUESTED_WITH’] kontrol Friday, November 9, 12
8. 8.

   Sorular? Friday, November 9, 12

9. 9.

   PHP ve Web Güvenliği ezber kartları! Friday, November 9, 12

10. 10.

    Teşekkürler! http://php.net/manual/tr/security.php http://shiflett.org/php-security.pdf http://hi.do http://github.com/hdogan Twitter @hdogan Friday, November 9,

    12