
PHP Security Notes


XVII. Türkiye'de İnternet Konferansı (17th Internet in Turkey Conference) - Anadolu University, Eskişehir

Hidayet Doğan

November 07, 2012


Transcript

  1. PHP Security Notes
    Friday, November 9, 12


  2. PHP Security Notes
    Code Readability
    PHP Settings
    SQL Injection
    Cross-site Scripting (XSS)
    Cross-site Request Forgery (CSRF)

  3. Code Readability

  4. PHP Settings
    Always: register_globals = Off
    allow_url_include, allow_url_fopen
    error_reporting, display_errors, log_errors

  5. SQL Injection
    SELECT * FROM tablo WHERE id = $id
    register_globals = Off
    mysql_real_escape_string, pg_escape_string, PDO
    filter_input, filter_var
    Typecasting (integer) (boolean) (double) (float)
    addslashes = Not enough!

  6. Cross-site Scripting (XSS)
    include($dosya);
    echo $kullanicidan_gelen_veri;
    register_globals = Off
    allow_url_include = Off
    basename, realpath, preg_match
    htmlspecialchars, htmlentities, strip_tags

  7. Cross-site Request Forgery (CSRF)
    Session-based validation keys (tokens)
    $_SERVER['HTTP_REFERER'] check
    Ajax: $_SERVER['HTTP_X_REQUESTED_WITH'] check
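The mitigations listed on slides 5 to 7, applied to the two vulnerable snippets quoted on slides 5 and 6, as one added PHP script (example code, not code from the deck or its author). It assumes an in-memory SQLite database through PDO and constructed table and column names (tablo, id, ad); the $session array stands in for $_SESSION so it runs from the CLI.

```php
<?php
// Added example, not from the original deck: slide 5-7 mitigations applied to the
// deck's two vulnerable snippets. Table/column names and sample rows are constructed.

// Slide 5: "SELECT * FROM tablo WHERE id = $id" interpolates raw input into SQL.
// Fix: validate to the expected type (filter_var) and bind it as a PDO parameter.
function findById(PDO $db, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT); // false for anything non-integer
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, ad FROM tablo WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Slide 6: "echo $kullanicidan_gelen_veri;" reflects user input into HTML unescaped.
// Fix: escape at output time for the HTML context; ENT_QUOTES also covers attributes.
function safeEcho(string $kullanicidan_gelen_veri): string
{
    return htmlspecialchars($kullanicidan_gelen_veri, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Slide 7: session-based CSRF token, generated once per session, compared in constant time.
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}
function csrfValid(array $session, ?string $submitted): bool
{
    return isset($session['csrf_token'], $submitted)
        && hash_equals($session['csrf_token'], $submitted);
}

// Constructed demo data.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE tablo (id INTEGER PRIMARY KEY, ad TEXT)');
$db->exec("INSERT INTO tablo VALUES (1, 'ali'), (2, 'veli')");
var_dump(findById($db, '2'));                        // row for id 2
var_dump(findById($db, '1 OR 1=1'));                 // null: rejected before reaching SQL
echo safeEcho('<script>alert(1)</script>'), "\n";    // &lt;script&gt;alert(1)&lt;/script&gt;
$session = [];
$token = csrfToken($session);
var_dump(csrfValid($session, $token), csrfValid($session, 'wrong')); // true, false
```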

  8. Questions?

  9. PHP and Web Security flashcards!

  10. Thank you!
    http://php.net/manual/tr/security.php
    http://shiflett.org/php-security.pdf
    http://hi.do
    http://github.com/hdogan
    Twitter @hdogan