In party company to do the code audit generally or in white-box based, vulnerability is nothing more than so few classes, XSS, asql injection, the command execution, upload vulnerability, local included, remote included, permissions, bypass, information disclosure, etc.
Which accounts for the large head of the natural is toXSSwithSQL injection, for a frame type or a common file, it is recommended that in the public file in the Unified to do onceXSSandSQL injectionfiltered. Write a filter function may be as follows:
$_REQUEST = filter_xss($_REQUEST);
$_GET = filter_xss($_GET);
$_POST = filter_xss($_POST);
$_COOKIE = filter_xss($_COOKIE);
$_POST = filter_sql($_POST);
$_GET = filter_sql($_GET);
$_COOKIE = filter_sql($_COOKIE);
$_REQUEST = filter_sql($_REQUEST);
Here there is little need for Description,$_REQUEST although is equal to$_GET+$_POST, but they are separate arrays, that is suppose to change the$_GET value, but the$_REQUEST value or the original value, so the filtration time can not fall, as for the other such as$_FILE and the like can be ignored.
The most simple of the filter_xss function is htmlspecialchars()
The most simple of the filter_sql function is mysql_real_escape_string()
Of course, everyone knows that this filter filter_sql only filter character type and search type of injection, for the digital type is not the way, but also instructions to do this layer after filtration, just behind the note a digital type of the SQL statement can be, met plus intval filter on it, it will become much easier.
2. Command execution
For the command execution can be from the keywords to start with, in total, can be divided into 3 categories
(1) php code execution: eval, etc.
(2)the shell command to execute: exec, passthru, system, and shell_exec, etc.
(3) the file handle: fwrite and fopen and mkdir, etc.
For these categories need to note that its parameters are user controllable.
For upload vulnerabilities, it is the focus of the place, to carefully analyze its process flow, for the upload of the bypass mode are many, the most insurance way: in the Save File is using the file name a random name, and suffix white-list way. Secondly, the point to note is the uploaded file the place may be more than one place, do not have missed, may encounter such a situation, suddenly in a directory which contains a third-party editor in it.