An Empirical Study of PHP Security Mechanism Usage:

1 type of security mechanisms (the data type):


$var = (int)$var;      // safe
$var = intval($var);   // safe
settype($var, 'int');  // safe

$var = $var + 1;       // safe: arithmetic yields an int
$var++;                // unsafe: 'aaa'++ == 'aab', string increment keeps the string type

$var = sprintf("%s %d", $var1, $var2); // unsafe for %s, safe for %d

$var = base64_encode($var); // safe
$var = urlencode($var);     // unsafe
// both encoding and decoding carry risk;

2 the self-filtering:
$var = filter_var($var, FILTER_VALIDATE_INT);   // safe
$var = filter_var($var, FILTER_VALIDATE_EMAIL); // unsafe
$var = array_filter($vars, 'is_numeric');       // safe
$var = array_filter($vars, 'is_file');          // unsafe
// email addresses and file names allow special characters: 1' or '1 can be a valid email address or file name (SQL injection)

3 converting: php & html
htmlentities() then html, php
echo '<a href="'.$var.'">link</a>'; // a javascript: URL in $var bypasses htmlentities()

4 php

5 null validation:

if(empty($var)){} else{} // a static code analysis tool should be able to evaluate the boolean logic behind a not operator and multiple else or elseif branches

6 type validation:
if((int)$var){} // unsafe: a string that starts with a number bypasses the validation

7 format validation:
if($vars = parse_url($var)){} // unsafe

8 comparing:
the equal operator is not reliable; use the identical operator or built-in functions to be sure;
if($var == 1){}  // unsafe
if($var === 1){} // safe

9 white list:
if(in_array($var, array(1,2,3))){} // unsafe: the strict flag (third argument, true) must be turned on

10 built-in functions' return values:
check the return value carefully;
if(!strpos($var,'<')){} // strpos() returns the offset at which the character was found in the string; if the string starts with a < character, offset 0 is returned, which evaluates to false in the if condition
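As an added example (not from these notes or the paper they summarize), the weak checks from points 6, 8, 9 and 10 beside their strict forms, run over constructed inputs; the function names and sample values are my own.

```php
<?php
// Added example: each weak check from the notes next to its strict counterpart.
// Every input below is constructed; a defender wants the strict column to say "no".

// 6: type validation by cast - a numeric prefix survives the (int) cast
function weakIntCheck($v): bool   { return (bool)(int)$v; }
function strictIntCheck($v): bool { return filter_var($v, FILTER_VALIDATE_INT) !== false; }

// 8: loose comparison juggles types; identical comparison does not
function weakEqualsOne($v): bool   { return $v == 1; }
function strictEqualsOne($v): bool { return $v === 1; }

// 9: whitelist without and with in_array()'s strict flag
function weakWhitelist($v): bool   { return in_array($v, array(1, 2, 3)); }
function strictWhitelist($v): bool { return in_array($v, array(1, 2, 3), true); }

// 10: strpos() offset 0 is falsy; compare against false explicitly
function weakNoLt(string $v): bool   { return !strpos($v, '<'); }
function strictNoLt(string $v): bool { return strpos($v, '<') === false; }

$cases = array( // topic, constructed input, weak check, strict check
    array('type',      '123abc',   'weakIntCheck',  'strictIntCheck'),
    array('compare',   '1.0',      'weakEqualsOne', 'strictEqualsOne'),
    array('whitelist', true,       'weakWhitelist', 'strictWhitelist'),
    array('strpos',    '<script>', 'weakNoLt',      'strictNoLt'),
);

foreach ($cases as list($topic, $input, $weak, $strict)) {
    printf("%-10s input=%-10s weak accepts: %-4s strict accepts: %s\n",
        $topic, var_export($input, true),
        $weak($input) ? 'yes' : 'no', $strict($input) ? 'yes' : 'no');
}
```

Each weak check accepts its malformed input while the strict form rejects it, which is the gap a static analysis tool or code review should flag.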

11 length validation:
the sql '-' == 'or'1'='1