PHP vulnerability countermeasures

zhaozj 2021-02-17

In fact, from a programming point of view there is nothing wrong with PHP itself; the question is whether PHP is used safely.

PHP runs through its language interpreter, which under NT or Win9x is php.exe. php.exe is an interpreter: it interprets files whose suffix is .php, .php3, .phtml or similar and, according to the program defined inside them, accesses databases, reads and writes files, or executes external commands. It then assembles the result into a string, returns it to the web server, and the web server sends it to the browser as an HTML document.

Knowing how it works, we can explore its security issues. Above we mentioned php.exe, reading files and executing external commands; these are exactly the hidden dangers. From MS-DOS, php.exe can read the content of any file, because its working mechanism is to read the content, interpret what should be interpreted and filter what should be filtered. So its characteristics can be used to read, through the web, the contents of any file we want. Of course it is not that simple, since it requires the cooperation of the web server; we will come back to that later.

The second feature of PHP is reading the contents of files. Many CGI vulnerabilities are caused by this feature, and the sequence is very simple: the file to read is named by a variable such as $file, which the programmer may innocently pass into a program call. Take the file http://shabi.com/index.php3?file=a.txt: if the file variable is not strictly restricted, a security issue is generated. Anyone with a little security knowledge knows to change a.txt to /etc/passwd, or under NT to ../../../../../winnt/repair/sam._
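The following is an added example, not code from the original post, covering the "read any file through the web" point above and the $file pattern just described. It shows the unrestricted pattern next to a hardened version that allowlists the file name, resolves the path and confirms the resolved path is still inside the intended directory; the directory layout and request values are constructed for illustration.

```php
<?php
// Added example (not from the original post). The directory name, the file
// name policy and the sample requests are assumptions made for illustration.

declare(strict_types=1);

// The pattern the post warns about: whatever arrives in ?file= is used as-is,
// so a value such as "../../../../etc/passwd" leaves the intended directory.
function readDocumentUnsafe(string $file)
{
    return @file_get_contents('docs/' . $file);
}

// Hardened version: constrain the name, resolve it, and confirm the resolved
// path is still inside the allowed directory before touching the file.
function readDocumentSafe(string $file, string $baseDir): ?string
{
    // 1. Accept only a plain file name with one of the expected extensions.
    //    This alone already rejects "/", "..", and drive letters.
    if (preg_match('/\A[A-Za-z0-9_-]+\.(txt|html)\z/', $file) !== 1) {
        return null;
    }

    // 2. Resolve both paths. realpath() returns false for a missing file,
    //    which we treat as "not found" rather than revealing anything.
    $base = realpath($baseDir);
    $target = realpath($baseDir . DIRECTORY_SEPARATOR . $file);
    if ($base === false || $target === false) {
        return null;
    }

    // 3. Containment check: the resolved target must start with the base
    //    directory plus a separator, so a sibling such as "docs2" is not accepted.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    $contents = file_get_contents($target);
    return $contents === false ? null : $contents;
}

// Demonstration on a constructed temporary directory so the script runs offline.
$baseDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'php_docs_demo_' . getmypid();
mkdir($baseDir, 0700, true);
file_put_contents($baseDir . DIRECTORY_SEPARATOR . 'a.txt', "hello\n");

// Constructed request values: the legitimate name, the traversal attempt from
// the post, and a name that passes the pattern check but does not exist.
$requests = ['a.txt', '../../../../etc/passwd', 'b.txt'];
foreach ($requests as $file) {
    $result = readDocumentSafe($file, $baseDir);
    printf("%-26s -> %s\n", $file,
        $result === null ? 'rejected' : 'served ' . strlen($result) . ' bytes');
}

// Clean up the constructed directory.
unlink($baseDir . DIRECTORY_SEPARATOR . 'a.txt');
rmdir($baseDir);
```

Run with `php example.php`: only `a.txt` is served (6 bytes); the traversal string fails the name check and `b.txt` fails the realpath step. The three checks are deliberately redundant, since the name pattern is the policy, while the realpath containment test protects against mistakes in that policy (for example a later decision to allow subdirectories).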

The third feature of PHP is executing external commands, most commonly under UNIX: ls, echo and so on. In fact this is the feature most prone to problems. Everyone knows that the shell executes commands and that a pipe | or a ~ can be used to chain them. Here I will discuss it together with web mail, which is of course also related to web programming. Generally, when we apply for a mail account, there are restrictions during registration, such as on length, but the limitations are not strict and the permitted length is large. The mail program may need to call a shell command to perform the user addition, for example an add user command whose parameters are the username and password: add user Lovehacker 1234567. What if my password is: A | Reboot? Heh heh. If it does not encrypt the password, and the program that adds the user runs with sufficient permissions, haha, it will make the computer restart. Of course, if it does encrypt the password, for example with MD5 or DES, we could write a program so that the encrypted string comes out as: rf -rm / *. Of course this is just an idea; I have not tried it in practice :_) Work is too busy! But what I have described shows how serious it can be when a shell command is executed without strict checks!
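As an added example that is not part of the original post, here is the "add user <name> <password>" call described above, first built the way the post warns against and then with the argument handling that keeps a password such as "A | reboot" from becoming a second command. The program name adduser-wrapper, the username policy and the sample inputs are assumptions; nothing except /bin/echo is executed.

```php
<?php
// Added example (not from the original post). "adduser-wrapper" is a
// hypothetical program name; the username policy and inputs are constructed.

declare(strict_types=1);

// The unsafe construction: user input is spliced into a shell command line.
// A password containing "|", ";", "`", "$(" and so on is parsed by the shell.
function buildCommandUnsafe(string $user, string $password): string
{
    return "adduser-wrapper $user $password";
}

// Safer construction: every argument is quoted for the shell, so metacharacters
// reach the program as data instead of being interpreted.
function buildCommandSafe(string $user, string $password): string
{
    return 'adduser-wrapper ' . escapeshellarg($user) . ' ' . escapeshellarg($password);
}

// Defence in depth: enforce the registration policy the post mentions (length
// and character set) on the username before it gets anywhere near a shell.
function isValidUsername(string $user): bool
{
    return preg_match('/\A[a-z][a-z0-9_-]{0,31}\z/', $user) === 1;
}

// Detection-side helper: does a submitted value contain characters a POSIX
// shell treats specially? Useful for logging and alerting on registration input.
function containsShellMetacharacters(string $value): bool
{
    return preg_match('/[|;&`$(){}<>\n*?\\\\\'"]/', $value) === 1;
}

// Best option where available: the array form of proc_open (PHP 7.4+) executes
// the program directly, so no shell ever parses the arguments and "A | reboot"
// is a single argument rather than a pipeline.
function runWithoutShell(array $argv): string
{
    $descriptors = [1 => ['pipe', 'w']];
    $proc = proc_open($argv, $descriptors, $pipes);
    if (!is_resource($proc)) {
        return '';
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return $out;
}

// Demonstration with constructed inputs (only command strings are built here).
$cases = [
    ['lovehacker', '1234567'],
    ['lovehacker', 'A | reboot'],
    ['root;id', 'x'],
];
foreach ($cases as [$user, $password]) {
    printf("user=%s valid=%s\n", $user, isValidUsername($user) ? 'yes' : 'no');
    printf("  unsafe: %s\n", buildCommandUnsafe($user, $password));
    printf("  safe:   %s\n", buildCommandSafe($user, $password));
    printf("  metacharacters in password: %s\n",
        containsShellMetacharacters($password) ? 'yes' : 'no');
}

// /bin/echo stands in for the real program: the pipe appears verbatim in the
// output, showing that nothing after it was treated as a command.
if (PHP_VERSION_ID >= 70400 && is_executable('/bin/echo')) {
    echo runWithoutShell(['/bin/echo', 'adduser-wrapper', 'lovehacker', 'A | reboot']);
}
```

The order of preference is: avoid the shell entirely (array-form proc_open, or a library call that adds the user without a subprocess), then quote every argument with escapeshellarg, and in all cases validate the input against the registration policy and log values that carry shell metacharacters. Quoting alone protects the command line but not the program behind it, so the username validation still matters.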

Please credit the original address when reposting: https://www.9cbs.com/read-29859.html
