* XSS
Cross-site scripting (XSS) is a type of web application security risk that enables attackers to inject client-side script into Web pages.
solution:
content filtering: HTML entity encoding, JavaScript escaping, CSS escaping, and URL (or percent) encoding
validating untrusted HTML input
http://anti-hacker.blogspot.com/2008/01/xsscross-site-script.html
* SQL injection
attacker-controlled input submitted through a web form is embedded into a SQL statement, changing the query the database executes.
for example....
solution:
1. Parameterized statements
parameterized statements can be used that work with parameters instead of embedding user input in the statement.
2. Using object-relational mapping libraries avoids the need to write SQL code. The ORM library in effect will generate parameterized SQL statements from object-oriented code.
3. Escaping: escape characters that have a special meaning in SQL
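Added example (not from the original notes) contrasting solution 1 with the vulnerable pattern it replaces: the same login lookup written by string concatenation and with a parameterized statement, run against a constructed in-memory SQLite table.

```python
import sqlite3

# Constructed sample data for the demo (not from the original notes).
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_concat(conn, name, password):
    # Vulnerable: user input is spliced into the SQL text, so a quote in
    # the input ends the string literal and changes the statement itself.
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return sorted(row[0] for row in conn.execute(sql))


def login_param(conn, name, password):
    # Parameterized: the statement text is fixed; the driver binds the
    # values separately, so they are only ever compared as data.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


def demo():
    """Run both lookups with a valid login and with a tautology payload."""
    conn = make_db()
    good = ("alice", "s3cret")
    # The classic tautology payload in the password field.
    bad = ("alice", "' OR '1'='1")
    return {
        "concat_good": login_concat(conn, *good),
        "concat_bad": login_concat(conn, *bad),  # matches every row
        "param_good": login_param(conn, *good),
        "param_bad": login_param(conn, *bad),    # matches nothing
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The concatenated query turns the payload into `... AND password = '' OR '1'='1'`, which is true for every row; the bound parameter is compared as a literal string and matches no row.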
* http header injection
* File path traversal
* XPath injection
* HTTP PUT enabled
* Cleartext submission of password
* XML injection
* Open redirection
* Cookie scoped to parent domain
* Cookie without HttpOnly flag set
* Password field with autocomplete enabled
* Referer-dependent response
* Cross-domain POST
* Cross-domain Referer leakage
* Cross-domain script include
* TRACE method is enabled
* Email addresses disclosed
* Private IP addresses disclosed
* Robots.txt file
* ASP.NET debugging enabled
* ASP.NET ViewState without MAC enabled
* Flash cross-domain policy
* Silverlight cross-domain policy
XSS, SQL Injection, HTTP Header Injection, DORK Report for April 2, 2011
http://xss.cx/examples/dork/favicon.ico/4.2.2011.favicon.ico.dork.report.html
PHP security
http://www.php.net/manual/en/security.intro.php
http://bbs.phpchina.com/thread-180424-1-1.html
* disable register_globals
* set magic_quotes_gpc = on to protect against SQL injection
* set expose_php = Off to hide php version info in header
* disable dangerous functions with disable_functions
* php_self var
http://www.chhua.com/web-note1413
http://www.php5.idv.tw/html.php?mod=article&do=show&shid=69
http://www.php5.idv.tw/modules.php?mod=books&act=show&shid=2475
security of php_self
http://www.5idev.com/p-php_server_php_self.shtml