PHP安全防范
<pre lang="php"><input type="hidden" name="H[name]" value="<?php echo $Oname?>"/><input type="hidden" name="H[age]" value="<?php echo $Oage?>"/><?php $sign = md5('name'.$Oname.'age'.$Oage.$secret); ?><input type="hidden" name="hash" value="<?php echo $sign?>"" />
?
POST回来之后对参数进行验证
?
$str = "";foreach($_POST['H'] as $key=>$value) $str .= $key.$value;if($_POST['hash'] != md5($str.$secret)) echo "Hidden form data modified"; exit;
?
?
PHP安全检测工具(XSS和SQL Insertion)
?
Wapiti - Web application security auditor(Wapiti - 小巧的站点漏洞检测工具) (SQL injection/XSS攻击检查工具)
安裝/使用方法:apt-get install libtidy-0.99-0 python-ctypes python-utidylib
python wapiti.py http://Your Website URL/ -m GET_XSS
Pixy: XSS and SQLI Scanner for PHP( Pixy - PHP 源码缺陷分析工具)
安裝: apt-get install default-jdk
Remote PHP Vulnerability Scanner(自动化 PHP页面缺陷分析, XSS检测功能较强)
PHPIDS - PHP 入侵检测系統
?
?
?
?
?
?
?
