
Website Information Security Based On PHP

Posted on: 2017-08-17 | Degree: Master | Type: Thesis
Country: China | Candidate: D L Shi | Full Text: PDF
GTID: 2428330488964034 | Subject: Computer software and theory
Abstract/Summary:
PHP (Hypertext Preprocessor) has become the most popular website development language in the world; it has simple syntax, is cross-platform, and runs fast. A growing share of programmers now tend to develop new websites in PHP. However, because web developers have limited abilities and most of them lack security awareness during website development, and because a variety of new attack methods and attack tools have been developed, the information security problems of PHP-based websites are becoming increasingly prominent and urgently need to be solved. It is therefore very important to research these problems and summarize a set of effective methods that can guide programmers in developing safer and more reliable website applications with PHP.

The paper mainly analyzes the security vulnerabilities of websites developed with PHP. It begins by introducing the ten major security risks of web applications listed by the Open Web Application Security Project (OWASP). It then focuses on application-layer DDoS, SQL injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and file inclusion vulnerabilities, and gives a more detailed analysis of the attack principle and process of each of these security holes. After that, the paper gives some very effective measures against these attacks to protect newly developed websites. For application-layer DDoS, Apache security configuration, restricting request frequency, and PHP Memcache are good defensive measures. SQL injection can be resisted with measures such as PHP security configuration, PHP Data Objects (PDO), and database safety settings. Against Cross-Site Scripting, input filtering and output encoding should be considered, as well as setting the HttpOnly attribute on cookies, etc.; all of these help withstand XSS intrusion. For Cross-Site Request Forgery vulnerabilities, it is effective to check the consistency of the cookie, verify the source of the HTTP request (HTTP Referer), use an identifying code, and use an Anti-CSRF Token. All these measures can help protect a newly developed PHP-based website. For file inclusion vulnerabilities, the customary approach is to set the related php.ini options and to avoid using dynamic variables that users can control in PHP programming.

An important function of a government website is to serve the public. It is therefore necessary for the government to provide powerful technical support for the safe, reliable and stable operation of its website; security issues in particular should be paid enough attention and deserve serious treatment. The paper is based on the website portal of the traffic management department, and it systematically addresses how to develop safer, more robust and more reliable web applications based on PHP. According to the functional and performance requirements of the practical web application system, the author has designed exact security implementations of the key modules of the web system, aimed at application-layer DDoS, SQL injection, Cross-Site Scripting and Cross-Site Request Forgery vulnerabilities, from the perspective of user registration, authorized login and authority management. The author then uses vulnerability scanning tools to scan the key modules of the web system, the login and logon modules, and makes a thorough analysis of the whole system. The scan shows that the measures mentioned above are effective in defending against network attacks and can ensure the security of our website. These methods can therefore be applied to actual projects and researched in more depth in the future.
Keywords/Search Tags: PHP Website, PHP Security, Attack Method, Protect Measure, Security Testing
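
The countermeasures the abstract lists for a login module (PDO against SQL injection, an Anti-CSRF Token, output encoding, and the HttpOnly cookie attribute), combined in one added PHP example. It is not code from the thesis; the table, function names and sample user are constructed for illustration, and it assumes PHP 7.4+ with the pdo_sqlite extension.

```php
<?php
declare(strict_types=1);
// HttpOnly keeps the session cookie out of reach of page scripts if an XSS flaw slips through.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);

// Constructed sample data: an in-memory SQLite table standing in for the site's user table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');
$pdo->prepare('INSERT INTO users VALUES (?, ?)')
    ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Anti-CSRF Token: a random per-session value that the login form must echo back.
function csrf_token(array &$session): string
{
    return $session['csrf'] ??= bin2hex(random_bytes(32));
}

// Login handler (hypothetical name): token check, bound parameters, encoded output.
function login(PDO $pdo, array &$session, array $post): string
{
    $sent = $post['csrf'] ?? null;
    if (!isset($session['csrf']) || !is_string($sent) || !hash_equals($session['csrf'], $sent)) {
        return 'Request rejected: missing or wrong CSRF token';
    }
    $name = is_string($post['name'] ?? null) ? $post['name'] : '';
    $pass = is_string($post['pass'] ?? null) ? $post['pass'] : '';
    // PDO prepared statement: the name is bound as data and never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT pass_hash FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $hash = $stmt->fetchColumn();
    // Output encoding: anything echoed back to the page is HTML-escaped first.
    $shown = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    if ($hash === false || !password_verify($pass, $hash)) {
        return 'Login failed for ' . $shown;
    }
    $session['user'] = $name;
    return 'Welcome, ' . $shown;
}

$session = [];                    // stand-in for $_SESSION so the script runs from the CLI
$token = csrf_token($session);    // value the server would embed in the login form
// Valid login, then a name containing quote and markup characters, then a request without the token.
echo login($pdo, $session, ['csrf' => $token, 'name' => 'alice', 'pass' => 'correct horse']), "\n";
echo login($pdo, $session, ['csrf' => $token, 'name' => "<b>o'brien</b>", 'pass' => 'x']), "\n";
echo login($pdo, $session, ['name' => 'alice', 'pass' => 'correct horse']), "\n";
```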