
Web defense techniques in PHP

One can argue for a long time about why some people so enjoy spoiling and breaking the fruits of other people's work, but either way it is a fact, and it holds for the virtual world too. This plague began at the dawn of home PCs, i.e. when everyone who wanted one started getting access to them. The first virus was written, the first website was hacked... Now nothing of the sort surprises anyone. Many have already got used to seeing, from time to time, inscriptions like "Super-duper hacker was here" and other displays of computer vandalism.


Most such attacks happen through "holes" in server-side scripts. Plugging these openings against hackers is what this article is about.


So, as said, a hacker can get access to a site through server-side scripts (of course there are plenty of other ways, for example stealing the password with a trojan, a sniffer, or simply brazenly from the user's computer, but that is a separate subject). Why server-side? Because with client-side scripts, which run on the visitor's own machine, he can do nothing. They have no access rights to the server at all: they can receive information from it, and that is all; in no case can client-side scripts change something on the server by themselves.


The most widespread server technology today is PHP. Since you are reading this article, I think there is no need to dwell again on what it is, especially as there have already been many good articles on the subject. Well, let's get going.


First of all, I want to say that the examples given here do not guarantee 100% that nobody will hack you; that is simply impossible. Always, even in the most widespread and polished systems, there are weak spots. An example is the sensation of about half a year ago, when the crudest mistake, which received the name SQL Injection, was found on sites worldwide in queries written in the universally recognised query language SQL (Structured Query Language). But here you will see the most common fatal mistakes in protection, and you will be able to protect yourself properly not only from an amateur attacker but from a professional hacker too.


To begin with, you need to remember only one thing: never trust the data received from the visitor, since it can contain a malicious script which, by the way, can be either server-side or client-side (working on the visitors' machines). And that is quite enough, of course, provided no critical mistakes are allowed in the scripts and the server is configured normally; but everything in its turn.


The first example that comes to mind: you have decided to write a guest book. That means you need fields for entering a name, an e-mail address and the message itself. A PHP script accepts the data from the form and saves it in a special file for later display when the guest book is read. It seems there is nothing dangerous here, but a hacker thinks otherwise: in the absence of appropriate security measures he can use this form for his own purposes. Well, let's not give him the chance.


For a start it would be good to limit the length of the name and e-mail address. This is not only one of many partial protection methods, but also protection from jokers who think a name several hundred characters long is very funny. So in the input field we write, say, maxlength=25, for example:

...
<input type=text name=user_email maxlength=25>
...



This way nobody can enter more than 25 characters into this field. However, it will stop only virtual vandals who are newbies, since in the address bar one can without ceremony write something like:

... guest.php?user_email=ha_ha_ha_slabaja_zashita_ha_ha_ha_tyt_bil_super_haker...



So let's deliver the second blow, by writing at the very beginning of the PHP script something like this:

<?php
// read the field from the POST data only, never from the query string
$user_email = $_POST['user_email'];
...



I.e. we take the value of the variable $user_email directly from the corresponding field of the POST data. And so for each variable. By the way, in that case the form for sending messages must also be corrected, explicitly specifying the data transfer method, method="post", for example:

...
<form action="guest.php" method="post">
...



Can the hacker still do something now? He can, he can, have no doubt about it.


Let me remind you that when data is sent to the server with the POST method, unlike the default GET method, the data is passed not through the browser's address bar but together with the data packets; i.e. a POST can also be forged with anything, from the standard programs shipped with Windows to the same Delphi, to send a request like:

...
POST /guest.php HTTP/1.0

user_email=vetaki_ja_tebla_vzlomal...
...



Of course, there are still nuances with line breaks and special characters, but that is not at all complicated, although for this you already need to be at a certain level, which most people who consider themselves hackers lack.


So what to do? Panic! No, of course, I'm joking.


If the hacker tries to pass the data so brazenly, we can stop him as follows:

<?php
// ereg() was removed in PHP 7; preg_match() does the same job here
$referer = getenv("HTTP_REFERER");
if (!preg_match('#^http://my\.domain\.com#', $referer))
{
    echo "Hack off";
    exit;
}
...



As you can see, we check whether the request was sent from one of our pages open in a browser (our domain is http://my.domain.com); if everything is correct, we do what is needed, and if not, we print a greeting to the hacker, "Hack off", and finish the script's work with exit;.


Well, rejoicing already? In vain. Let me remind you that the HTTP_REFERER variable is formed by the visitor's browser, i.e. on the client side (read: the hacker's), and from all this it follows that we cannot be sure of its authenticity. Forging it is as simple as forging a POST request.


Already tired and losing faith in your powers against these almighty hackers? Don't. The enemy, though he does not show it, is already completely exhausted: this stage will be reached at best by 5-10% of all who try. So let's not turn back at the finish line; let's strike a crushing blow.


Everyone always rightly says that, from the hacker's side, any system has a vulnerability. But for some reason I have never yet heard anyone say the opposite: any system also has places where the hacker is already helpless. It is high time to apply the administrator's special weapon, namely the inexorability of PHP script execution: however the hacker exercises his wit, if there is an exit; there, that means exit, period.


So, suppose we have such a rare hacker who has broken through our whole previous line of defense and can easily send the server variables of any length he needs, from wherever he wants. Well, let him; right after the HTTP_REFERER check and the assignment of the value from the data (for example, from POST) we add a rigid truncation of the string:

...
$user_email = substr($user_email, 0, 25);
...



Now we have the variable $user_email 25 characters long (if it was originally longer, the remaining characters have been discarded), and no hacker can change that.


So far so good, but 25 characters still represent a danger. Of course, only if they are a hacker's malicious instructions, and perhaps the loser deserves to be written off, but we will go further: we will filter them, removing or replacing special characters, or blocking them altogether.


Which characters should be blocked? It depends on the field. For example, in a name there can be nothing except letters of the alphabet, a space, digits and, let's say, the _ sign, i.e. we need to act, for example, like this:

...
// \w = letters, digits and _; \x7F-\xFF = non-ASCII bytes (Cyrillic in a single-byte encoding); \s = whitespace
// (parentheses and | inside a character class are literal, so they must not be used as grouping here)
if (preg_match('/[^\w\x7F-\xFF\s]/', $user_name))
{
    echo "In the name there are forbidden symbols...";
    exit;
}



Now the names in the guest book will be clean and neat.


For an e-mail address the @ sign and the dot must be allowed, and spaces and Russian letters forbidden.


For the message body, < must also be replaced with &lt; and > with &gt;, for example like this:

...
// ereg_replace() was removed in PHP 7; for literal characters str_replace() is enough
$message = str_replace("<", "&lt;", $message);
$message = str_replace(">", "&gt;", $message);
...



And line breaks converted to the <br> tag:

...
// \r\n must come first so that a Windows line break is not turned into two <br> tags
$message = preg_replace("/\r\n|\n|\r/", "<br>", $message);
...



One can also use PHP's special functions htmlspecialchars(), nl2br() and others; in general, I think you'll figure it out, otherwise we'll stray from the subject (and if you don't figure it out, e-mail me).


A check for an empty message or login name can also be appropriate. It can be done either with the standard function empty() or simply by checking whether the variable equals "", for example:

...
if (empty($message))
{
    echo "Leaving an empty message is not worth it";
    exit;
}



Or like this:

...
if ($message == "")
{
    echo "Leaving an empty message is not worth it";
    exit;
}
...



In general, a matter of taste.


Also, instead of just printing messages like "Leaving an empty message is not worth it" or "Hack off", one can save the hooligan's IP address to a file on the server, or mail it to oneself; obviously it can be obtained like this:

...
// $GLOBALS['REMOTE_ADDR'] only worked with register_globals; $_SERVER is the reliable source
$RIP = $_SERVER['REMOTE_ADDR'];
...



This way there will be an opportunity to track down the loser hacker or, say, to limit attempts, not allowing, for example, more than 2 messages per day in the guest book. But I would not do that. There are many reasons, starting with proxy servers (although they can be bypassed without problems to learn the real IP) and ending with the fact that dial-up still dominates across the CIS. Besides, the protection measures set out above are quite enough, and not only for the guest book.
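The whole server-side chain described above (POST input only, referer check, hard truncation, character filter, escaping and line-break conversion, empty check) gathered into one function, as an added example that is not the article's own code. It assumes PHP 7+, the field names user_name, user_email and message, and uses the built-in filter_var() for the e-mail check instead of a hand-written pattern; the inputs at the bottom are constructed for the demonstration.

```php
<?php
// Added example (not the article's code): every check from the article in one place.
// Assumes PHP 7+ and the form fields user_name, user_email, message.

function validate_guest_entry(array $post, string $referer): array
{
    // The Referer header is set by the client, so this is only a speed bump (see text).
    if (!preg_match('#^http://my\.domain\.com(/|$)#', $referer)) {
        return ['error' => 'Hack off'];
    }
    // Hard length limits: maxlength= in the form can be bypassed, substr() cannot.
    $name    = substr((string)($post['user_name']  ?? ''), 0, 25);
    $email   = substr((string)($post['user_email'] ?? ''), 0, 25);
    $message = substr((string)($post['message']    ?? ''), 0, 1000);

    if ($name === '' || $message === '') {
        return ['error' => 'Leaving an empty message is not worth it'];
    }
    // Name: letters, digits, _, whitespace and non-ASCII bytes (Cyrillic) only.
    if (preg_match('/[^\w\x7F-\xFF\s]/', $name)) {
        return ['error' => 'In the name there are forbidden symbols...'];
    }
    // E-mail: built-in validator (rejects spaces and stray characters).
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return ['error' => 'Incorrect e-mail address'];
    }
    // Message: neutralise HTML first, then turn line breaks into <br />.
    $safe = nl2br(htmlspecialchars($message, ENT_QUOTES, 'UTF-8'));
    return ['name' => $name, 'email' => $email, 'message' => $safe];
}

// Constructed inputs, not real traffic: one good entry and three that must be rejected.
$cases = [
    ['user_name' => 'Vasya_1',  'user_email' => 'v@example.com',  'message' => "Hi <b>all</b>\nbye"],
    ['user_name' => '<script>', 'user_email' => 'v@example.com',  'message' => 'x'],
    ['user_name' => 'Vasya',    'user_email' => 'not an address', 'message' => 'x'],
];
foreach ($cases as $c) {
    print_r(validate_guest_entry($c, 'http://my.domain.com/guest.html'));
}
// Same good entry, but sent from somewhere else: rejected by the referer check.
print_r(validate_guest_entry($cases[0], 'http://evil.example/'));
```

The first case comes back with the message stored as "Hi &lt;b&gt;all&lt;/b&gt;<br />" followed by "bye"; the other three return only an error key.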


Finally I want to turn your attention to honest users, who after all make up more than 99.99% of all visitors and should not suffer because of some hackers. What am I talking about? For example, a person did not know that we had forbidden some characters in the name, wrote something like [NickName] in the name field, and then spent a very, very long time writing words of gratitude or whatever else, and as a result we brusquely stopped him, saying the name is no good, go back and do it all again. Do you think he will come back? Probably he will, but with entirely different words.


What to do? Write next to every input line what may be entered and what may not? Frivolous. It is possible, for example, instead of blocking such names, simply to delete the blocked characters. But I do not think that is the best way.


The best way is to warn the user about the mistake in advance, before he sends everything to the server. How? Client-side scripts, for example JavaScript, cope with this problem easily. One only needs to check the entered data before sending, and on detecting an error, print the corresponding message and ask the user to correct it. Here is how it can be implemented to check the correctness of an e-mail address:

...
<script language="JavaScript">
function checK(f) {
    if (f.email.value == '') { alert("Specify the address of mail."); f.email.focus(); return false; }
    if (/^\w+([\.-]?\w+)*@\w+([\.-]?\w+)*(\.\w{2,4})+$/.test(f.email.value)) { return true; }
    alert('Incorrect e-mail address.\nPlease try again.'); f.email.select();
    return false;
}
</script>

<form name="f" action="guest.php" method="post" onSubmit="return checK(this)">
<input type="text" name="email" value="enter your e-mail" onfocus="if (this.select) this.select()" onclick="if (this.select) this.select()" size="28">
<input type="submit" name="subscribe" value="Ok">
</form>
...



As you can see, after clicking the Ok button the data, before being passed to the guest.php script, is checked by the checK function; if the entered address is empty or contains forbidden characters, the user receives the message "Specify the address of mail." or "Incorrect e-mail address.\nPlease try again." respectively (\n is a line break). Note that the messages appear in an alert() window, no page reload takes place (return false), and the cursor highlights the erroneous input (f.email.focus() or f.email.select()), which is very user-friendly, especially if the input field is not the only one on the page.


Still here? I thought you had already run off to your computers to protect your creations and polish the usability. Well, I need only say that in the near future you can read in MK a kind of continuation of this article, in which I will describe all possible kinds of user authorization, session tracking and other most interesting and useful things. If you have questions, feel free to write. See you soon.