An Empirical Study of PHP Security Mechanism Usage:

1 type casting (converting the data type):

$var = (int)$var; //safe
$var = intval($var); //safe
settype($var, 'int'); //safe

$var = $var + 1; //safe: arithmetic forces a number
$var++; //unsafe: on a non-numeric string this is a string increment, 'aaa'++ == 'aab', so quotes survive

$var = sprintf("%s %d", $var1, $var2); //%d safe (forces an integer), %s unsafe (passes the string through)

$var = base64_encode($var); //safe: the output is only [A-Za-z0-9+/=]
$var = urlencode($var); //unsafe as soon as it is decoded again
//encode/decode pairs are dangerous: whatever decodes the value restores the original characters;

2 the built-in filters:
$var = filter_var($var, FILTER_VALIDATE_INT); //safe
$var = filter_var($var, FILTER_VALIDATE_EMAIL); //unsafe
$vars = array_filter($vars, 'is_numeric'); //safe
$vars = array_filter($vars, 'is_file'); //unsafe
//email addresses and file names allow special characters: 1'or'1'='1@abc.com is a valid email address, and a file name may contain quotes as well (sql injection);

3 converting between contexts: php & html
htmlentities() encodes a value for the HTML text context; php then writes it into html, but the browser interprets it in whatever context it lands in;
echo '<a href="'.$var.'">link</a>'; //a javascript: URL bypasses htmlentities: it contains no character the function encodes, so the attribute still becomes a working link
//xss
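The points of sections 1 to 3 applied to one constructed injection-style value, as an added example that is not part of the original notes or of the paper they summarize. It assumes PHP 7.4 or later; the inputs are constructed, and the safe_href() helper at the end is a hypothetical mitigation written for this example, not something the notes describe.

```php
<?php
// Added example, not from the original notes: the casts, conversions and
// encodings of sections 1-3 applied to one constructed injection-style value.
// Assumes PHP 7.4 or later; nothing here touches a database or a browser.

$in = "1' OR '1'='1";                    // constructed SQL-injection style input

// 1a. Real casts: every one of them reduces the value to its leading number.
var_dump((int) $in);                     // int(1)
var_dump(intval($in));                   // int(1)
$copy = $in;
settype($copy, 'int');
var_dump($copy);                         // int(1)

// 1b. Arithmetic forces a number, ++ does not: on a non-numeric string PHP
//     applies a Perl-style string increment (deprecated since PHP 8.3), so
//     the quotes survive.
var_dump($in + 1);                       // int(2), with a warning about the non-numeric remainder
$inc = $in;
$inc++;
var_dump(strpos($inc, "'") !== false);   // bool(true): the payload is intact

// 1c. sprintf: %d casts, %s copies.
var_dump(sprintf('%d', $in));            // string(1) "1"
var_dump(sprintf('%s', $in));            // string(12) "1' OR '1'='1"

// 1d. Encodings: neither output can contain a quote, but urlencode() is only
//     safe while the value stays encoded.
var_dump(base64_encode($in));            // string(16) "MScgT1IgJzEnPScx"
$enc = urlencode($in);
var_dump($enc);                          // string(22) "1%27+OR+%271%27%3D%271"
var_dump(urldecode($enc) === $in);       // bool(true): decoding restores the quotes

// 2. Built-in filters: the integer filter rejects the payload, the e-mail
//    filter accepts quotes and '=' in the local part.
var_dump(filter_var($in, FILTER_VALIDATE_INT));               // bool(false)
$mail = "1'or'1'='1@abc.com";                                 // constructed, RFC-valid local part
var_dump(filter_var($mail, FILTER_VALIDATE_EMAIL) === $mail); // bool(true): accepted as an address
var_dump(array_filter(array($in, "42"), 'is_numeric'));       // array(1) { [1]=> string(2) "42" }

// 3. Context matters: htmlentities() protects HTML text, not a URL attribute.
$href = 'javascript:alert(1)';
var_dump(htmlentities($href, ENT_QUOTES) === $href);          // bool(true): nothing to encode
echo '<a href="' . htmlentities($href, ENT_QUOTES) . '">link</a>', "\n";
// -> <a href="javascript:alert(1)">link</a>   still executes on click

/**
 * Hypothetical mitigation added for this example (not from the notes):
 * accept only http(s) URLs for href, then encode for the attribute context.
 * Everything else becomes a dead link.
 */
function safe_href(string $url): string
{
    if (!preg_match('#^https?://#i', $url)) {
        return '#';
    }
    return htmlentities($url, ENT_QUOTES, 'UTF-8');
}
echo '<a href="' . safe_href($href) . '">link</a>', "\n";    // <a href="#">link</a>
echo '<a href="' . safe_href('https://example.com/?a=1&b="x"') . '">link</a>', "\n";
// -> <a href="https://example.com/?a=1&amp;b=&quot;x&quot;">link</a>
```

The scheme check comes first and the encoding second: encoding is about the syntax of the output context, while a scheme allowlist is about the semantics of the value, and htmlentities() alone can never supply the latter.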

4. php

5 null validation:

if(empty($var)){} else{} //note that empty() also treats the string "0" as empty; a static code analysis tool should be able to calculate the boolean logic behind a not operator and multiple else or elseif branches

6 type validation:
if((int)$var){} //unsafe: a string that starts with a number is cast to that number and passes the check;

7 format validation:
if($parts = parse_url($var)){ } //unsafe: parse_url() returns an array for almost any string, so a truthy result proves nothing about the format
//GG: that one is a lost cause

8 comparing:
the equal operator is not reliable; use the identical operator or built-in functions to be sure;
if($var == 1){} //unsafe: loose comparison, so "1e0" and true also match
if($var === 1){} //safe

9 white list:
if(in_array($var, array(1,2,3))){} //unsafe: loose comparison again; the strict flag must be set: in_array($var, array(1,2,3), true)

10 built-in functions' return values:
make sure to check the return value correctly;
if(!strpos($var,'<')){} //strpos() returns the offset at which the character was found in the string. if the string starts with a < character, offset 0 is returned, which evaluates to false in the if condition; test with === false instead

11 length validation
a length limit is not a filter: in sql the three-character payload '-' does the same job as 'or'1'='1
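The validation pitfalls of sections 5 to 11, each beside the check that actually works, as an added example that is not part of the original notes. It assumes PHP 7.4 or later; all inputs are constructed, and the prepared-statement line at the end is only a comment showing the intended alternative, not code the notes contain.

```php
<?php
// Added example, not from the original notes: the validation pitfalls of
// sections 5-11, each beside the check that actually works. Assumes PHP 7.4
// or later; the inputs are constructed, no request or database is involved.

// 5. null validation: empty() is not a null check, the string "0" counts as empty.
$v = "0";
var_dump(empty($v));                            // bool(true)
var_dump($v === null || $v === '');             // bool(false): explicit test

// 6. type validation: a cast is not a check, the leading digit satisfies it.
$id = "1 OR 1=1";
var_dump((bool) (int) $id);                     // bool(true): passes if((int)$var)
var_dump(filter_var($id, FILTER_VALIDATE_INT)); // bool(false)
var_dump(ctype_digit($id));                     // bool(false)

// 7. format validation: parse_url() is a parser, not a validator.
$parts = parse_url('javascript:alert(1)');
var_dump($parts !== false);                     // bool(true): truthy, yet no http URL at all
var_dump(isset($parts['scheme'], $parts['host'])
    && in_array(strtolower($parts['scheme']), array('http', 'https'), true)); // bool(false)

// 8. comparing: == converts, === does not.
var_dump("1e3" == "1000");                      // bool(true): numeric strings compared as numbers
var_dump("1e3" === "1000");                     // bool(false)

// 9. white list: loose in_array() lets true and "1e0" match the integer 1.
$allowed = array(1, 2, 3);
var_dump(in_array(true, $allowed));             // bool(true)
var_dump(in_array("1e0", $allowed));            // bool(true)
var_dump(in_array(true, $allowed, true));       // bool(false): strict flag set
var_dump(in_array("1e0", $allowed, true));      // bool(false)

// 10. return values: strpos() returns 0 for a match at the first byte.
$s = "<script>";
var_dump(!strpos($s, '<'));                     // bool(true): the "no < found" branch is taken
var_dump(strpos($s, '<') === false);            // bool(false): correct test, a < was found

// 11. length validation: a limit on length blocks no injection.
$pw = "'-'";
var_dump(strlen($pw) <= 8);                     // bool(true): three bytes pass any sane limit
echo "SELECT * FROM users WHERE password='" . $pw . "'", "\n";
// -> ... WHERE password=''-''   which MySQL reads as password = ('' - '') = 0,
//    true for every non-numeric password. Bound parameters, not length, are the fix
//    (assumed PDO connection, shown only as a comment):
// $stmt = $pdo->prepare('SELECT * FROM users WHERE password = ?'); $stmt->execute([$pw]);
```

Every unsafe variant above is a check that evaluates to a boolean and so looks like validation to a reader or a naive static analysis tool; the paired safe variant differs only in being strict about type (===, the strict flag, === false) or in using a function that was designed to validate rather than to convert or parse.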
Looking at the date, I have to admit I've been away for almost three months. In these three months I paid no attention to the net and once again got a taste of days where I didn't have to think about anything, letting each day pass quickly, because I had lived through that loneliest stretch of time.
I was running away. I hated that time so much that for a long while I didn't want to touch it again; I didn't dare to, and I didn't want to. These days I've come home. I used to think that once I got home everything would be fine, but wave after wave, a voice deep inside keeps asking what a dream is. Lately some "South China Sea defense battle" has started up again, and it brought back middle school, that night: a boy sitting in front of a battered desktop, people all around him but each busy with their own business, the room thick with smoke, and yet the boy's eyes alight. I thought of kk, of 沙漠之鹰 (Desert Eagle), of the 木jj group, of 暗组, of that sleepless night, a war without gunsmoke going on. Back then it was Vietnam; this time it's the Philippines. The war is still going on, only now I'm in no position to help you.
Thinking of them, thinking of myself, I remembered Eason Chan's (陈奕迅) song: the road has always been there. When it comes to my ideals I have never chosen to give up; as for giving up, I think this was the last time. I've tasted it, I've been through it, and I'll come back. Excuse me: M4ple is officially back. To hell with the Philippines, to hell with the US, to hell with Japan. The war goes on.........