How to fix session fixation vulnerabilities_PHP security vulnerabilities: session hijacking, cross site scripting, SQL injection and how to fix them...

Security in PHP

When writing PHP code it is very important to keep the following security vulnerabilities in mind to avoid writing insecure code.


Types Of Vulnerabilities

These are the common vulnerabilities you'll encounter when writing PHP code. We'll discuss a few in further depth below.


  • Cross Site Request Forgery: a vulnerability in the application caused by the programmer not checking where a request was sent from. The attack is sent to a high privilege level user to gain higher level access to the application.

  • Cross Site Scripting: a vulnerability in the application caused by the programmer not sanitizing input before outputting the input to the browser (for example a comment on a blog). It is commonly used to run malicious javascript in the browser to do attacks such as stealing session cookies, among other malicious actions, to gain higher level privileges in the application.

  • Local File Inclusion: a vulnerability in the application caused by the programmer requiring a file input provided by the user and not sanitizing the input before accessing the requested file. This results in a file being included where it should not have been.

  • Remote File Inclusion: a vulnerability in the application caused by the programmer requiring a file input provided by the user and not sanitizing the input before accessing the requested file. This results in a file being pulled from a remote server and included where it should not have been.

  • Session Hijacking: a vulnerability caused by an attacker gaining access to a user's session identifier and being able to use another user's account, impersonating them. This is often used to gain access to an administrative user's account.

  • Session Identifier Acquirement: a vulnerability caused by an attacker being able to either guess the session identifier of a user or exploit vulnerabilities in the application itself or the user's browser to obtain a session identifier.

  • SQL Injection: a vulnerability in the application caused by the programmer not sanitizing input before including it in a query to the database. This leads to the attacker having full read and, more often than not, write access to the database. With this type of access an attacker can do very bad things.

Now let's look at some common vulnerabilities in more detail.


Session Hijacking

Session Hijacking is a vulnerability caused by an attacker gaining access to a user’s session identifier and being able to use another user’s account impersonating them. This is often used to gain access to an administrative user’s account.


Defending against Session Hijacking attacks in PHP

To defend against Session Hijacking attacks you need to check the current user's browser and location information against the information stored about the session. Below is an example implementation that can help mitigate the effects of a session hijacking attack. It checks the IP address and User Agent and whether the session has expired, removing the session before it is resumed.

<?php
session_start();

// First request of a new session: record the client details that later requests are checked against
if (!isset($_SESSION['ipaddress'], $_SESSION['useragent'], $_SESSION['lastaccess'])) {
    $_SESSION['ipaddress']  = $_SERVER['REMOTE_ADDR'];
    $_SESSION['useragent']  = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $_SESSION['lastaccess'] = time();
}

// Does the IP address match? Does the user agent match? Is the last access over an hour ago?
if ($_SERVER['REMOTE_ADDR'] != $_SESSION['ipaddress']
    || ($_SERVER['HTTP_USER_AGENT'] ?? '') != $_SESSION['useragent']
    || time() > ($_SESSION['lastaccess'] + 3600)) {
    // Any mismatch: discard the session before it is resumed
    session_unset();
    session_destroy();
} else {
    $_SESSION['lastaccess'] = time();
}
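The same check packaged as a reusable function, as an added example that is not part of the original article: it additionally hardens the session cookie, compares a hashed fingerprint, and regenerates the session ID at login (the session fixation case named in the page title). secure_session_start() and login_user() are assumed names, not a PHP or framework API; the code assumes PHP 7.3+ and HTTPS.

```php
<?php
// Added example, not from the original article: a reusable version of the check above that also
// hardens the session cookie and regenerates the session ID at login. secure_session_start() and
// login_user() are assumed names, not a PHP or framework API. Assumes PHP 7.3+ and HTTPS
// (the cookie is marked Secure).

function secure_session_start(): void
{
    // Reject session IDs the server never issued and keep the cookie away from JavaScript
    // and plain-HTTP requests.
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    session_start();

    // Client fingerprint (IP address + user agent), stored hashed rather than as raw values.
    $fingerprint = hash('sha256',
        ($_SERVER['REMOTE_ADDR'] ?? '') . '|' . ($_SERVER['HTTP_USER_AGENT'] ?? ''));

    if (!isset($_SESSION['fingerprint'], $_SESSION['lastaccess'])) {
        // Brand-new session: record what later requests will be compared against.
        $_SESSION['fingerprint'] = $fingerprint;
        $_SESSION['lastaccess']  = time();
        return;
    }

    $expired  = time() > $_SESSION['lastaccess'] + 3600;   // idle for more than an hour
    $mismatch = !hash_equals($_SESSION['fingerprint'], $fingerprint);

    if ($expired || $mismatch) {
        // Throw the resumed session away and continue with a fresh, empty one under a new ID.
        session_unset();
        session_destroy();
        session_start();
        session_regenerate_id(true);
        $_SESSION['fingerprint'] = $fingerprint;
    }
    $_SESSION['lastaccess'] = time();
}

function login_user(int $userId): void
{
    // Issue a new session ID on login so an ID an attacker observed or planted beforehand
    // (session fixation) stops being valid for the authenticated session.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

secure_session_start();
```

Call login_user() only after the password check has succeeded; the IP check will log out legitimate users whose address changes mid-session (mobile networks, corporate proxies), which is the trade-off the article's approach makes.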

Cross Site Scripting

Cross Site Scripting is a type of vulnerability in a web application caused by the programmer not sanitizing input before outputting the input to the web browser (for example a comment on a blog). It is commonly used to run malicious javascript in the web browser to do attacks such as stealing session cookies among other malicious actions to gain higher level privileges in the web application.


Example Cross Site Scripting Attack

A blog allows users to style their comments with HTML tags; however, the script powering the blog does not strip out <script> tags, allowing any user to run javascript on the page. An attacker can use this to their advantage to run malicious javascript in the browser. They could infect users with malware, steal session cookies, and more.

<script>alert('Cross Site Scripting!');</script>

Defending your website from cross site scripting attacks in PHP

In PHP there are two primary functions, htmlspecialchars() and strip_tags(), built in to protect yourself from cross site scripting attacks.


The htmlspecialchars($string) function will prevent an HTML string from rendering as HTML and display it as plain text in the web browser.

htmlspecialchars() code example

<?php
$usercomment = "<script>alert('Cross Site Scripting!');</script>";
echo htmlspecialchars($usercomment);

The other approach is the strip_tags($string, $allowedtags) function, which removes all HTML tags except for the HTML tags that you've whitelisted. It's important to note that with the strip_tags() function you have to be more careful: this function does not prevent the user from including javascript as a link, so you'll have to sanitize that on your own.

strip_tags() code example


<?php
$usercomment = "<script>alert('Cross Site Scripting!');</script>";
$allowedtags = "<p><a><h1><h2><h3>";
echo strip_tags($usercomment, $allowedtags);
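The "javascript as a link" caveat above in working code, as an added example that is not from the original article: strip_tags() only removes tags, never attributes, so an allowed <a> keeps whatever href and on* handlers it had. The helper below (assumed name sanitize_comment_links(), built on PHP's bundled DOMDocument) runs after strip_tags() and keeps only absolute http/https links; the comment it processes is constructed sample input.

```php
<?php
// Added example, not from the original article: strip_tags() leaves the attributes of an
// allowed <a> tag untouched, so a "javascript:" href or an onclick handler survives it. This
// helper (assumed name sanitize_comment_links()) runs after strip_tags() and keeps only absolute
// http/https links, using PHP's built-in DOMDocument. The comment below is constructed input.

function sanitize_comment_links(string $html): string
{
    libxml_use_internal_errors(true);          // do not emit warnings for sloppy user HTML
    $dom = new DOMDocument();
    // The XML prolog makes libxml treat the fragment as UTF-8; <body> gives it one root node.
    $dom->loadHTML('<?xml encoding="utf-8" ?><body>' . $html . '</body>');

    // Snapshot the list first: replaceChild() below changes the live NodeList while iterating.
    foreach (iterator_to_array($dom->getElementsByTagName('a')) as $a) {
        $href   = trim($a->getAttribute('href'));
        $scheme = strtolower((string) parse_url($href, PHP_URL_SCHEME));
        if (!in_array($scheme, ['http', 'https'], true)) {
            // Unknown, missing or scriptable scheme: keep the link text, drop the link element.
            $a->parentNode->replaceChild($dom->createTextNode($a->textContent), $a);
            continue;
        }
        // Drop on* event-handler attributes; strip_tags() never looks at attributes at all.
        foreach (iterator_to_array($a->attributes) as $attr) {
            if (stripos($attr->name, 'on') === 0) {
                $a->removeAttribute($attr->name);
            }
        }
    }

    // Serialise only the body's children so the wrapper elements libxml added do not leak out.
    $out = '';
    foreach ($dom->getElementsByTagName('body')->item(0)->childNodes as $child) {
        $out .= $dom->saveHTML($child);
    }
    return $out;
}

// Constructed sample comment: one scriptable link, one legitimate link with an event handler.
$usercomment = '<p>Nice post, see <a href="javascript:alert(1)">this</a> '
             . 'and <a href="https://example.com/" onclick="alert(1)">this</a>.</p>';
$allowedtags = "<p><a><h1><h2><h3>";
echo sanitize_comment_links(strip_tags($usercomment, $allowedtags));
```

Because the allow-list is explicit (http and https only), anything the scheme check does not recognise, including relative links, is reduced to plain text rather than passed through.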

Setting the X-XSS-Protection Header:


In PHP you can send the X-XSS-Protection header, which tells browsers to check for a reflected Cross Site Scripting attack and block the page from loading. This does not prevent all cross site scripting attacks, only reflected ones, and should be used in combination with other methods.

<?php
header("X-XSS-Protection: 1; mode=block");

Writing your own sanitization function

Another option, if you would like more control over how the sanitization works, is to write your own HTML sanitization function. This is not recommended for PHP beginners, as a mistake would make your website vulnerable.

Defending your website from cross site scripting attacks with a Content Security Policy

An effective approach to preventing cross site scripting attacks is to use a content security policy, although it may require a lot of adjustments to your web application's design and code base.

Set a Content Security Policy as an HTTP Header

The most common way of setting a Content Security Policy is by setting it directly in the HTTP header. This can be done by the web server by editing its configuration, or by sending it through PHP.

Example of a Content Security Policy set in a HTTP Header


<?php
header("content-security-policy: default-src 'self'; img-src https://*; child-src 'none';");
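The policy above blocks every inline <script>, which is the "adjustment" most applications run into; a per-request nonce is the usual way to keep your own inline scripts while still blocking injected ones. The following is an added example, not code from the original article: it extends the article's policy with a script-src nonce (csp_nonce() is an assumed helper name). Since current browsers have removed the X-XSS-Protection filter, the CSP is the browser-side control that still applies.

```php
<?php
// Added example (not part of the original article): a nonce-based Content Security Policy.
// default-src 'self' blocks inline <script> blocks; a per-request nonce lets the inline
// scripts you wrote run while anything injected into the page, which cannot know the nonce,
// is refused by the browser. The function name csp_nonce() is assumed.

function csp_nonce(): string
{
    static $nonce = null;
    if ($nonce === null) {
        // 128 bits of randomness; base64 is valid both in the header and in the attribute.
        $nonce = base64_encode(random_bytes(16));
    }
    return $nonce;
}

// The article's policy plus a nonce for scripts. Headers must be sent before any output.
header(sprintf(
    "Content-Security-Policy: default-src 'self'; img-src https://*; child-src 'none'; script-src 'self' 'nonce-%s'",
    csp_nonce()
));

// Constructed sample of user-supplied content, escaped on output as in the examples above.
$usercomment = "<script>alert('Cross Site Scripting!');</script>";
?>
<!doctype html>
<html>
<body>
<!-- This script carries the request's nonce, so the browser runs it. -->
<script nonce="<?= htmlspecialchars(csp_nonce(), ENT_QUOTES, 'UTF-8') ?>">
  console.log('trusted inline script');
</script>

<!-- Escaped comment: rendered as text, and even if escaping were missed the policy would block it. -->
<p><?= htmlspecialchars($usercomment, ENT_QUOTES, 'UTF-8') ?></p>
</body>
</html>
```

The nonce must be fresh on every response; a fixed value would be equivalent to 'unsafe-inline'.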

Set a Content Security Policy as a Meta tag

You can include your Content Security Policy in the page's HTML and set it on a page-by-page basis. This method requires you to set it on every page, or you lose the benefit of the policy.

Example of a Content Security Policy set in an HTML Meta Tag

<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https://*; child-src 'none';">

SQL Injection

SQL injection is a vulnerability in the application caused by the programmer not sanitizing input before including it in a query to the database. This leads to the attacker having full read and, more often than not, write access to the database. With this type of access an attacker can do very bad things.

Example SQL Injection attack

The PHP script below runs an SQL statement to get a user's email by ID. However, the input is not sanitized, making it vulnerable to SQL Injection.

<?php
$input = $_GET['id'];
$dbserver = "localhost";
$dbuser = "camper";
$dbpass = "supersecretcampsitepassword";
$dbname = "freecodecamp";

$conn = new mysqli($dbserver, $dbuser, $dbpass, $dbname);
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

// Vulnerable: the user's input is concatenated straight into the query
$sql = "SELECT email FROM users WHERE id =" . $input;
$result = $conn->query($sql);
if ($result->num_rows > 0) {
    while ($row = $result->fetch_assoc()) {
        echo $row["email"];
    }
} else {
    echo "no results";
}
$conn->close();

SELECT email FROM users WHERE id = $input;

So with the above, the input is neither type cast (i.e. casting the input with (int) so only a number is allowed) nor escaped, allowing someone to perform an SQL injection attack. For example the URL getemailbyuserid.php?id=1'; My Query Here-- - would allow you to run arbitrary SQL queries with little effort.

Defending your website from SQL injection attacks in PHP

There are a few approaches to defend your website from SQL injection attacks. These approaches are whitelisting, type casting, and character escaping.

Whitelisting: The whitelisting approach is used in cases where only a few inputs are expected. You can list each expected input in a PHP switch and then have a default for invalid input. You do not have to worry about a type casting issue or a character escape bypass, but the allowed input is extremely limited. It remains an option; see the example below.

<?php
switch ($input) {
    case "1":
        // db query 1
        break;
    case "2":
        // db query 2
        break;
    default:
        // invalid input, return error
}

Type Casting: The type casting approach is commonly used for an application using numeric input. Simply cast the input with (int) $input and only a numeric value will be allowed.


Character Escaping: The character escaping approach will escape characters such as quotes and slashes provided by the user to prevent an attack. If you are using MySQL Server and the MySQLi library to access your database, the mysqli_real_escape_string($conn, $string) function takes two arguments, the MySQLi connection and the string, and will properly escape the user's input to block an SQL injection attack. The exact function you use depends on the database type and PHP library you are using; check the PHP library's documentation for more information on escaping user input.
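The getemailbyuserid.php script from the example above in hardened form, as an added example that is not from the original article: it applies the type casting approach (strict digit validation before the (int) cast) and then sends the value through a mysqli prepared statement, a technique the article does not list but which keeps the query text and the data separate. Note that for the original query character escaping alone would not help, because the id is not inside quotes and escaping only protects quoted string literals. The connection values are the article's sample values; get_email_by_id() is an assumed function name.

```php
<?php
// Added example, not from the original article: the vulnerable getemailbyuserid.php script
// rewritten with strict type validation and a mysqli prepared statement (prepared statements
// are not covered by the article). mysqli_real_escape_string() alone would NOT fix the original
// query, because the id is not inside quotes, so there is no string literal for escaping to
// protect. Connection details are the article's sample values; the function name is assumed.

function get_email_by_id(mysqli $conn, string $rawInput): ?string
{
    // Type casting, done strictly: only a run of digits is accepted, so an input such as
    // "1'; My Query Here-- -" is rejected outright instead of being silently cast to 1.
    if (!ctype_digit($rawInput)) {
        return null;
    }
    $id = (int) $rawInput;

    // Prepared statement: the SQL text is fixed; the value travels separately, typed as integer.
    $stmt = $conn->prepare("SELECT email FROM users WHERE id = ?");
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param("i", $id);
    $stmt->execute();
    $stmt->bind_result($email);
    $found = $stmt->fetch();
    $stmt->close();

    return $found ? $email : null;
}

$conn = new mysqli("localhost", "camper", "supersecretcampsitepassword", "freecodecamp");
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

$email = get_email_by_id($conn, $_GET['id'] ?? '');
// Escape on output too: the value came from the database, not from this request, and the
// cross site scripting section above applies to it just the same.
echo $email === null ? "no results" : htmlspecialchars($email, ENT_QUOTES, 'UTF-8');
$conn->close();
```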

More on PHP:

  • PHP best practices


  • Best PHP code examples


  • How to prevent a slow loris attack on a PHP server


  • How to set up a local debugging environment in PHP


Translated from: https://www.freecodecamp.org/news/php-security-vulnerabilities/
