PHP安全信息?

Let's say I have a website where

  • PHP 5.3 is installed
  • every output is htmlspecialchars()ed.
  • PDO and prepared statements are the only way to interact with the database
  • error_reporting() is off
  • every request is passed to index.php (front controller) and no direct file access is allowed except for index.php via .htaccess
  • every input is properly escaped (why should I? i use Prepared statements, how could an user input mess up with my code?)
  • there's no use of evil()

Is it considered safe? What other things could be fixed to improve security? How could you attack it? Hack it? PHP/Server side is possible to improve security?

Check this page : PHP Security Guide. Most attacks are documented. If after implementing these security checks, you're still hacked, there are high chances that the problem doesn't come from your PHP application.

By the way, as @Jacco stated, there is some wrong stuff on the article I linked to.

  1. Use prepared statements instead of mysql_real_escape_string(), but you already did that.
  2. About salting, follow this answer instead : https://stackoverflow.com/a/401684/851498
  3. Finally, checking ['type'] (for file upload) is unsafe since a malicious user can change this value. Instead, see the suggested solution of this link : http://www.acunetix.com/websitesecurity/upload-forms-threat.htm

security is a major concern for any product and it can not be achieved by some finger count policies but they are important so everywhere in the code think the negative possibilities and work against them to prevent them.

other thing you have to do

  1. store sensitive data in encrypted formate in db
  2. clean XSS every user input data

I remember when I started web developing, I read allot about sanitizing data, creating numerous mysql users with a subset of permissions for specific queries, etc.

It gets you in the mindset of treating security with code, not with the operating system.

What use is all of this if you connect to your console with telnet, or use ftp with authentication?

I guess I should cut to the point. I think modern open source technologies such as php mysql etc have build up allot of security features, which gave me a false sense of security.

The damage you can do through these technologies is negligible compared to hacking into console with a brute force attack. If I were you I would worry much more about geting a proper firewal and only allowing port 80 or the bare minimum of ports you need. If you enable console access I would only allow your desktop IP... etc.

and make sure if you ever send a password, that it is encrypted through ssl

There is no absolute security guarantee, you can add the following to the answers above:

  • If you allow file uploads, make sure you do mime checking;
  • Make sure the public cannot upload an unlimited amount of files to overload and eventually kill your server;
  • If you own the server make sure there are no other weak gates to your site, you can spend millions making your site bulletproof to any type of attack, but if someone gains access to it through another website hosted on the same server, you're out of luck;
  • Use a vulnerability scanner like acunetix, skipfish;
  • If you own the server make sure you stay up to date with the versions of the software running on your server (PHP/Apache/MySQL). Subscribe to get updates from the vendors;
  • If the budget allows it, you could offer a bounty to someone to find a security hole in a DEV release of your code;
  • Use a product like the following: https://www.cloudflare.com/features-security

It is important to note that "safe" is a context-based term. It highly depends on your needs, and there are companies out there (I'm looking at you Google) who will not even consider installing PHP at all.

If you are working at a big company, I would recommend hiring the services of professionals.I heard from a friend that this company does sec checkups for all the big companies, which seems likely since they are the people that distribute Kali Linux.

https://www.offensive-security.com/offensive-security-solutions/penetration-testing-services/

There can be multiple other issues as well, such as session problems, sensitive information enumeration, authorization and authentication issues, and lot more. Issues like business logic bypass can not be resolved by traditional secure coding guidelines. However, looking at PHP Security Cheat Sheet and OWASP PHP Security Project would be a great help to understand the big picture of security issues.

You can learn more about exploiting PHP security issues and related attack techniques by solving the PHP security challenges by RIPSTech (https://www.ripstech.com/php-security-calendar-2017/) or by reading their writeups of real-world vulnerabilities found in popular PHP apps (https://www.ripstech.com/security-vulnerability-database/)