This thesis introduces e-commerce systems, gives an overview of PHP frameworks, of design patterns and the MVC model, and of the structure of the framework; it specifies and builds the functions of an e-commerce system, builds a website using the framework, and presents techniques for improving the performance and security of the web application. Readers are invited to consult it.
MINISTRY OF EDUCATION AND TRAINING
THANG LONG UNIVERSITY

GRADUATION THESIS
BUILDING AN E-COMMERCE FRAMEWORK

SUPERVISOR: MSc. Tran Tuan Toan
STUDENTS: Nguyen Bao Trung - A15042
          Nguyen Chi Cuong - A15897
MAJOR: Information Technology

HANOI - 2013

ACKNOWLEDGEMENTS

To complete this thesis we would like to express our sincere thanks to the teachers of the Faculty of Mathematics and Informatics of Thang Long University, who attentively helped and guided us throughout the work on this topic. Thanks to that we received many valuable comments and remarks from the teachers during the outline defence sessions. We would like to express our deepest thanks to MSc. Tran Tuan Toan, who directly supervised us, gave us professional direction, attentively helped us and created every favourable condition during the work on and the writing of this thesis. Above all, we express our respect and deep gratitude to our families, who created the best conditions for us to complete all the work during the thesis. We also send our thanks to our friends, who always cared, shared and encouraged us during the time we worked on the thesis. Although we tried hard during the work, the thesis cannot avoid shortcomings. We hope to receive comments from the teachers and from our friends.

TABLE OF CONTENTS

PART 1. INTRODUCTION
1.1 Introduction to e-commerce (E-Commerce) systems
1.2 Overview and characteristics of PHP frameworks
1.3 What does an e-commerce framework contain?
1.4 What will our framework be able to do?
1.5 Benefits of building an e-commerce framework

PART 2. OVERVIEW OF DESIGN PATTERNS AND THE MVC MODEL
2.1 Design patterns
2.1.1 General characteristics
2.1.2 Pattern classification
2.1.3 Design patterns used in the framework
2.2 The Singleton and Registry patterns 10
2.2.1 Singleton 11
2.2.2 Registry 16
2.2.3 Combining Singleton and Registry 18
2.3 The MVC model 20
2.3.1 History 20
2.3.2 Architecture of the MVC model 20
2.3.3 Characteristics of the MVC model 21

PART 3. STRUCTURE OF THE FRAMEWORK 24
3.1 Framework directory structure 24
3.2 Data flow in the framework 26
3.3 URL 27
3.4 Model 28
3.5 View 29
3.6 Controller 31
3.7 Libraries 34
3.7.1 Cart library 34
3.7.2 Clean library 35
3.7.3 Currency library 35
3.7.4 Form_validation library 36
3.7.5 Session library 37
3.7.6 User control library 37
3.8 Helpers 38
3.8.1 Utf8 helper 38
3.8.2 Text helper 39
3.8.3 Url helper 39

PART 4. SPECIFICATION AND CONSTRUCTION OF THE FUNCTIONS OF THE E-COMMERCE SYSTEM 41
4.1 Design analysis 41
4.2 Specification of the system's functions 42
UC #0001 Manage user groups, users and permissions 42
UC #0002 Manage manufacturers 47
UC #0003 Manage product categories 50
UC #0004 Manage products 53
UC #0005 Manage customer groups 57
UC #0006 Manage customers 60
UC #0007 Manage orders 63
UC #0008 Manage coupons 67
UC #0009 Send mail 71
UC #0010 Manage news categories 73
UC #0011 Manage news 76
UC #0012 Reports and statistics 79
UC #0013 Manage currencies 83
UC #0014 Purchasing 86
4.3 Data dictionary 93
4.4 Building the framework's functions 99
4.4.1 Manage user groups 100
4.4.2 Manage users 101
4.4.3 Manage manufacturers 102
4.4.4 Manage product categories 103
4.4.5 Manage products 104
4.4.6 Manage customer groups 106
4.4.7 Manage customers 107
4.4.8 Manage coupons 109
4.4.9 Manage orders 110
4.4.10 Manage news categories 113
4.4.11 Manage news 114
4.4.12 Reports 115
4.4.13 Manage payment methods 117
4.4.14 Manage currencies 118
4.4.15 Backup/Restore 119

PART 5. BUILDING A WEBSITE USING THE FRAMEWORK 121
5.1 Introduction to the problem 121
5.1.1 Problem description 121
5.1.2 Objectives and required functions 122
5.1.3 System design analysis 123
5.2 Basic configuration 124
5.3 Building the functions 126
5.3.1 Manage authors 126
5.3.2 Visit statistics 130

PART 6. TECHNIQUES FOR IMPROVING THE PERFORMANCE AND SECURITY OF THE WEB APPLICATION 132
6.1 Some techniques used in the framework 132
6.1.1 Method Chaining 132
6.1.2 Active Record 133
6.1.3 AJAX 135
6.1.4 Javascript 140
6.1.5 Payment 141
6.2 Security for the web application 143
6.2.1 HTML injection and Cross site scripting 143
6.2.2 SQL Injection 145
6.2.3 Cross-site Request Forgery 148

LIST OF FIGURES
Figure 2.1 Roll call the conventional way 13
Figure 2.2 Roll call with the Singleton pattern 15
Figure 2.3 Simple MVC model 20
Figure 2.4 Transmission path in the MVC model 21
Figure 2.5 Difference between MVC and 3-layers 21
Figure 2.6 Transmission process in the 3-layers model 22
Figure 2.7 Transmission process in MVC 22
Figure 4.1 Framework use case diagram 41
Figure 5.1 System use case diagram 123
Figure 5.2 Purchasing process 124
Figure 5.3 Installation - Introduction 125
Figure 5.4 Installation - Configuration 125
Figure 5.5 Installation - Finish 125
Figure 6.1 Traditional web application and AJAX application 136
Figure 6.2 Synchronous interaction in a traditional web application and asynchronous interaction in an AJAX application 137
Figure 6.3 AJAX - Registration form 138
Figure 6.4 AJAX - Error display 139

LIST OF ABBREVIATIONS
TMDT: Thương mại điện tử (e-commerce)
MVC: Model - View - Control
PL: Presentation Layer
BL: Business Layer
DL: Data Access Layer
URL: Uniform Resource Locator
URI: Uniform Resource Identifier
XSS: Cross-Site Scripting
CSRF: Cross-site Request Forgery
CMS: Content management system
QL: Quản lý (management)
NV: Nhân viên (staff)

PART 1. INTRODUCTION

1.1 Introduction to e-commerce (E-Commerce) systems

In recent years, especially in Vietnam, the term Electronic Commerce (TMDT, also called E-Commerce or E-Business) has become widespread. The scope of e-commerce is very broad: it covers almost every form of economic activity, not only the trading of goods and services, so it is hard to give a sharply bounded definition of the concept. Viewed generally, definitions of e-commerce fall into two groups depending on the viewpoint:
- In the narrow sense, e-commerce is simply the buying and selling of goods and services through electronic means, above all the Internet and other interconnected networks;
- In the broad sense, e-commerce covers financial and commercial transactions carried out by electronic means, such as electronic data interchange, electronic funds transfer, and activities such as depositing and withdrawing money with a credit card.

E-commerce can be classified by the nature of the participants:
Consumers:
+ C2C (Consumer-To-Consumer): consumer with consumer;
+ C2B (Consumer-To-Business): consumer with business;
+ C2G (Consumer-To-Government): consumer with government.
Businesses:
+ B2C (Business-To-Consumer): business with consumer;
+ B2B (Business-To-Business): business with business;
+ B2G (Business-To-Government): business with government;
+ B2E (Business-To-Employee): business with employee.
Government:
+ G2C (Government-To-Consumer): government with consumer;
+ G2B (Government-To-Business): government with business;
+ G2G (Government-To-Government): government with government.

People exploit the power of e-commerce for a number of reasons:
- e-commerce gives businesses rich information about the market and about partners;
- e-commerce reduces production costs;
- e-commerce reduces sales and marketing costs;
- e-commerce over the Internet lets consumers and businesses cut transaction time and cost considerably;
- e-commerce makes it easier to establish and consolidate relationships between the parties taking part in the commercial process;
- e-commerce makes it easier to enter the digital economy early.

With such benefits, e-commerce keeps developing strongly, as shown by the ever growing number of online businesses appearing on the Internet. The typical stages of a transaction on such online business sites are:

1. The customer, from a computer somewhere, enters their name and contact address into the order form of the sales website (also called an e-commerce website).
2. The business receives the customer's request to buy goods or services and replies with a confirmation summarising the necessary information, such as the chosen items, the delivery address and the order number.
3. The customer checks the information and clicks the "order" button, with the keyboard or the mouse, sending the information back to the business.
4. The business receives and stores the order information and at the same time forwards the payment information (card number, expiry date, card holder, ...), already encrypted, to the server (data processing equipment) of the card-processing service centre on the Internet. Because the customer's payment information is encrypted, it stays confidential and fraud in the transaction is prevented (for example, the business never learns the customer's credit card details).
5. When the card-processing centre receives the payment information, it decrypts it and processes the transaction behind a firewall, separated from the Internet, to keep commercial transactions secure; it reformats the transaction and forwards the payment information to the business's bank (the acquirer) over a leased line (a separate data line).
6. The business's bank sends an electronic authorization request to the bank or company that issued the customer's credit card (the issuer).
7. The financial institution replies with approval or refusal of the payment to the card-processing centre on the Internet.
8. The card-processing centre forwards the reply to the business, and the business accordingly tells the customer whether the order will be fulfilled.

The whole transaction over the network, from step 1 to step 8, is processed in about 15 - 20 seconds.

AJAX adds an intermediate layer to the application, reducing the back-and-forth of information and the response time.
Instead of reloading (refreshing) the whole page, it loads only the information that changed and keeps the other parts. So when browsing an AJAX-enabled page the user never sees a blank page and the hourglass icon, the sign that the server is busy with a task. For example, on a photo website built as a traditional application, the whole page of photos has to reload from the start whenever anything on the page changes. With AJAX, DHTML replaces only the heading and the part that was just edited, giving smooth and fast interactions.

Figure 6.2 Synchronous interaction in a traditional web application and asynchronous interaction in an AJAX application

c. Disadvantages of AJAX
AJAX can help create a new generation of web applications (such as colr.org or backpackit.com). However, it is also a "dangerous" technology that causes no little trouble in the user interface. For instance, the "Back" button (return to the previous page) is valued in a standard website interface. Unfortunately, that function does not fit well with Javascript, and users cannot get back the previous content after pressing Back. So a small slip is enough for the data on the row to be changed and hard to restore. This is one of the main reasons many people do not support Javascript applications. Besides, users cannot save a web address in Favorites (Bookmark) to look at later. Because an intermediate layer handles the interaction, AJAX applications have no fixed address for each piece of content. This shortcoming makes AJAX "lose points" with users.

d. Example
We go through a concrete example to get a more detailed look at AJAX. We build a user registration function with the following information: username; password; email, with the following constraints:
- The email must be in the correct format
- The password must be longer than [number illegible] characters
- The username must not be the same as "admin"
After the form is submitted, if these conditions are not met, errors are displayed under the corresponding inputs without reloading the registration page.
We use jQuery AJAX to do this.
- The registration form register.php:

Figure 6.3 AJAX - Registration form (fields: username, email, password)

- We enter values into the corresponding inputs. After entering them and pressing Register, we use the AJAX technique to send the data to the file process.php for processing; if it is not valid we display the errors.

Figure 6.4 AJAX - Error display (the form with username "admin" and the messages: username already exists; email in the wrong format; password must be longer than the required number of characters)

- We add the AJAX code as follows:

    //Demo AJAX by Nguyen Bao Trung
    //Javascript commands

- Method 2: use an external javascript file
Just like external CSS, we can also embed Javascript into an HTML file by linking to an external file; this is also the most widely used method. With this method, the Javascript commands are written in a separate file with the extension .js. For example, we have the file my.js. To embed my.js into the HTML file we use the following code:

    <script type="text/javascript" src="my.js"></script>

c. Example
We use Javascript to display a message asking the user whether they are sure they want to delete the product:

    $('.delete').click(function () {
        // ask for confirmation; cancelling stops the delete link from being followed
        if (!confirm('Bạn có chắc chắn muốn xoá sản phẩm hay không ?')) {
            return false;
        }
    });

6.1.5 Payment

In e-commerce there are two forms of payment:
Offline payment
+ The transaction between the user and the supplier can take place without the bank taking part. In other words, the supplier checks the validity of the money itself, without the help of a third party.
Online payment
+ In every transaction, the supplier asks the bank to check the validity of the money the user transfers before accepting it. Therefore an online payment system can check the reliability of the money.
+ Online payment suits high-value transactions. With this system, the payment process and the deposit into the bank are separate for each transaction, so the cost in time and money is lower.

Our framework comes with offline payment and online payment via Paypal already integrated. In the next section we look at how to integrate further online payment gateways and at the mechanism of Paypal payment.

a. Guide to integrating an additional payment gateway into the framework
Once we have the code that integrates a payment gateway in the usual way, we program it following the framework's structure, as follows, taking Paypal as the gateway to integrate:
+ Root - root directory
  + application
    + models
      + frontend/pp_model - processes and validates the gateway's parameters
      + backend/payment/pp.php - interface for entering the Paypal gateway configuration
    + views
      + frontend/payment/pp.php - interface displaying the customer's data and the order
  + system
    + libraries
      + Payment_pp.php - library containing the functions that display the interface, configure the gateway's options and check the validity of the gateway

When integrating a payment gateway into our framework, the most important file is system/libraries/Payment_<gateway abbreviation>.php.

System/libraries/Payment_pp.php:
- Render_payment: this method displays the payee data, the payer data and the goods data, then pushes that data to the view in the file frontend/payment/pp.php.
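The registration example above relies on jQuery to post the form and show the messages, but the rules themselves have to be enforced where the attacker cannot switch them off: on the server. The following process.php is an added example, not the thesis's own file; it checks the three constraints the text lists and answers with JSON that the client can render under the matching inputs. The minimum password length is an assumption, since the number in the figure is illegible.

```php
<?php
// Added example (not the thesis's process.php): server-side validation for the
// AJAX registration form. The jQuery client posts username/password/email and
// renders the per-field messages returned here. MIN_PASSWORD_LENGTH is an
// assumption: the figure's number is illegible in the scan.
declare(strict_types=1);

const MIN_PASSWORD_LENGTH = 6; // assumed value, not given on the page

/**
 * Validates the registration fields and returns an array of field => message.
 * An empty array means the input passed every rule.
 */
function validateRegistration(array $input): array
{
    $errors   = [];
    $username = trim((string)($input['username'] ?? ''));
    $password = (string)($input['password'] ?? '');
    $email    = trim((string)($input['email'] ?? ''));

    // Username must not be "admin"; the comparison is case-insensitive so
    // "Admin" or "ADMIN" cannot slip past the rule.
    if ($username === '' || strcasecmp($username, 'admin') === 0) {
        $errors['username'] = 'Username is not allowed!';
    }
    // Password must be longer than MIN_PASSWORD_LENGTH characters.
    // mb_strlen counts characters rather than bytes, so multibyte input is measured correctly.
    if (mb_strlen($password) <= MIN_PASSWORD_LENGTH) {
        $errors['password'] = 'Password must be longer than ' . MIN_PASSWORD_LENGTH . ' characters!';
    }
    // Email must be well formed; filter_var applies PHP's built-in syntax check.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Email format is invalid!';
    }
    return $errors;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    // Answer the jQuery request with JSON: the client inserts the messages as
    // text, so nothing returned here is interpreted as HTML.
    header('Content-Type: application/json; charset=utf-8');
    $errors = validateRegistration($_POST);
    echo json_encode(['ok' => $errors === [], 'errors' => $errors], JSON_UNESCAPED_UNICODE);
    exit;
}

// Constructed sample input for running the file from the command line:
// reproduces the three errors shown in Figure 6.4.
print_r(validateRegistration(['username' => 'admin', 'password' => 'abc', 'email' => 'not-an-address']));
```

The client-side check only improves the user's experience; a request sent straight to process.php with a tool bypasses jQuery entirely, so the server must repeat every rule, which is why the validation lives in a function that the POST handler and any other caller share.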
- Callback: this method checks the correctness of the data returned by Paypal and then confirms whether the order is valid or not.
- Confirm: after the order is confirmed valid, this method updates the status of the invoice.
- Edit: this method updates the gateway's configuration.

b. The mechanism of Paypal
The steps for paying through the Paypal gateway are as follows:
Step 1:
+ After deciding to buy a product or service on a website that has integrated the Paypal online gateway, and accepting payment with your PayPal account, you are redirected to the PayPal login page.
+ Enter the email address and password of your PayPal account and press Login to sign in.
+ In this step, the system generates a code (secure code) and stores it together with the data.
Step 2:
+ Check the price (Price), quantity (Quantity) and total (Total) of the transaction you have to pay after signing in to PayPal. If all the information is correct, choose Continue to continue the purchase.
Step 3:
+ After you press Continue, Paypal redirects you back through the return url parameter that we configured in the file system/libraries/Payment_pp.php above.
+ The system checks the returned data by means of the secure code above; if it is correct, the invoice is updated to Pending (processing). Then the account owner checks the order in the system and in their Paypal account; if it is correct, the invoice status is updated to Complete (successful) and the goods are shipped to the customer.

6.2 Security for the web application

Today, website security is a very important issue for web developers. Every web application can be attacked in fairly basic ways such as cross site scripting (forging requests), XSS, and cross site request forgery (an attack using the authentication rights of the website administrator), CSRF. Besides these, another particularly dangerous attack is SQL injection.
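Step 3 is where the security of the whole flow is decided: the redirect arrives from the customer's browser, so everything in it could have been edited. The code below is an added example, not the framework's Payment_pp.php; it writes out the Callback and Confirm methods described above for a hypothetical "pp" gateway. The order record and the redirect parameters are constructed inline, and the secure code is compared with hash_equals so that a wrong code cannot be guessed from response timing.

```php
<?php
// Added example, not the framework's own Payment_pp.php: the Callback and
// Confirm steps of section 6.1.5 for a hypothetical "pp" gateway. The order
// would come from the application's database; here it is constructed inline.
declare(strict_types=1);

/** Order as it would be loaded from the database (constructed sample data). */
function loadOrder(int $id): array
{
    return [
        'id'           => $id,
        'status'       => 'New',
        'amount_cents' => 4990,   // 49.90 stored as an integer: no float rounding
        'currency'     => 'USD',
        // The secure code generated in step 1 and stored with the order.
        'secure_code'  => 'c0de-stored-with-order-4711',
    ];
}

/**
 * Callback: check what the gateway returned against what we stored.
 * Returns true only if every field agrees; nothing from the URL is trusted alone.
 */
function verifyCallback(array $order, array $params): bool
{
    $code = (string)($params['secure_code'] ?? '');
    // Constant-time comparison of the stored and returned secure code.
    if (!hash_equals($order['secure_code'], $code)) {
        return false;
    }
    // Amount and currency must match the order, otherwise an edited redirect
    // could mark a cheaper or differently denominated payment as paid.
    $cents = (int)round(((float)($params['amount'] ?? '0')) * 100);
    if ($cents !== $order['amount_cents']) {
        return false;
    }
    return ($params['currency'] ?? '') === $order['currency'];
}

/**
 * Confirm: advance the invoice through the two-stage status the text describes.
 * The callback reaches only Pending; Complete is set by the account owner after
 * checking the Paypal account, never automatically from the redirect.
 */
function nextStatus(string $current, string $event): string
{
    $transitions = [
        'New'     => ['callback_verified' => 'Pending'],
        'Pending' => ['owner_confirmed'   => 'Complete'],
    ];
    return $transitions[$current][$event] ?? $current; // unknown events change nothing
}

// Constructed walk-through of step 3.
$order  = loadOrder(4711);
$params = ['secure_code' => 'c0de-stored-with-order-4711', 'amount' => '49.90', 'currency' => 'USD'];

if (verifyCallback($order, $params)) {
    $order['status'] = nextStatus($order['status'], 'callback_verified'); // Pending
}
$tampered = ['secure_code' => 'c0de-stored-with-order-4711', 'amount' => '0.01', 'currency' => 'USD'];
var_dump(verifyCallback($order, $tampered));                             // false: amount differs

$order['status'] = nextStatus($order['status'], 'owner_confirmed');        // Complete
echo $order['status'], PHP_EOL;
```

Keeping the Pending-to-Complete transition out of the callback is what makes the owner's check in the Paypal account meaningful: even a redirect that passes every field check can only ever reach Pending.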
But we can minimise these attacks and improve the security of our website if we understand them and find ways to deal with them. Below we look at a number of attack methods and how to counter them.

6.2.1 HTML injection and Cross site scripting

Cross-Site Scripting (XSS) is one of the most common attack techniques today, and at the same time one of the most important security problems for web developers and for the users of websites. Any website that lets users post information without strictly checking for dangerous code fragments may harbour XSS flaws. Cross-Site Scripting, abbreviated XSS (rather than CSS, to avoid confusion with CSS, the Cascading Style Sheets of HTML), is an attack technique that inserts into dynamic websites (ASP, PHP, JSP, ...) HTML tags or dangerous script fragments that can harm other users. The dangerous code that is inserted is mostly written in client-side scripts such as JavaScript, JScript and DHTML, and may also consist of HTML tags. The XSS technique has quickly become one of the most common flaws of web applications, and the threat it poses to users keeps growing. The winner of the eWeek OpenHack 2012 contest was the person who found new XSS. Is the danger of XSS something everyone should pay attention to?

6.2.1.1 How XSS works

Basically, XSS, like SQL Injection or Source Injection, consists of requests sent from client machines to the server in order to insert information that escapes the server's control. It can be a request sent from a data form, or it can simply be a URL such as:

    http://www.example.com/search.cgi?query=<script>alert('XSS was found !');</script>

Quite possibly your browser will then display a message box "XSS was found !".
The code inside the script tag is not limited in any way; it can be replaced entirely by a source file on another server through the src attribute of the script tag. That is precisely why we cannot foresee all the dangers of XSS flaws. But whereas other attack techniques can change the web server's source data (source code, structure, database), XSS only harms the website on the client side, and the direct victims are the visitors browsing the site. Of course hackers also use this technique to deface websites, but that still only attacks the surface of the website. Indeed, XSS consists of client-side scripts, code that runs only in the client's browser, so XSS does not affect the website system on the server. The targets of an XSS attack are none other than the website's other users: by inadvertently visiting pages containing the dangerous code left by hackers, they can be redirected to other websites, have their homepage reset, or worse, lose their passwords or cookies, and their computers may even be infected with viruses, backdoors or worms.

6.2.1.2 Solution

As mentioned above, an XSS attack can only succeed by sending the victim's browser a web page that carries the attacker's malicious script. So web developers can protect their websites from abuse through XSS attacks by making sure that dynamically generated pages contain no script tags, by filtering and properly validating the data that comes in from the user, or by encoding and filtering the values that are output to the user. If you use PHP you can take advantage of built-in functions such as htmlspecialchars and htmlentities to encode automatically, or strip_tags if you do not want HTML in the content.

6.2.2 SQL Injection

6.2.2.1 What is SQL Injection?
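The following file is an added example, not from the thesis, showing the output-encoding fix that section 6.2.1.2 recommends applied to the reflected search parameter from 6.2.1.1. The helper names h(), renderSearchHeader() and plainText() are this example's own, and the query string is constructed for the demonstration.

```php
<?php
// Added example (not from the thesis): encoding the reflected search parameter
// of section 6.2.1.1 with PHP's htmlspecialchars and strip_tags, as 6.2.1.2
// recommends. Function names are this example's own.
declare(strict_types=1);

/** Encode a value for insertion into HTML text or a double-quoted attribute. */
function h(string $value): string
{
    // ENT_QUOTES escapes both ' and " so the value is also safe inside attributes;
    // naming the charset keeps multibyte input from being mangled.
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Render the search-results header; every dynamic piece passes through h(). */
function renderSearchHeader(string $query): string
{
    return '<h2>Results for: ' . h($query) . '</h2>' . "\n"
         . '<input type="text" name="query" value="' . h($query) . '">';
}

/** For fields where no markup is wanted at all: drop tags, then still encode. */
function plainText(string $value): string
{
    return h(strip_tags($value));
}

// The payload from the example URL ?query=<script>alert('XSS was found !');</script>
$query = "<script>alert('XSS was found !');</script>";

echo renderSearchHeader($query), PHP_EOL;
// The page now contains &lt;script&gt;...&lt;/script&gt;: the browser shows the
// text of the payload and never executes it.

echo plainText('<b>hello</b> <script>x()</script>'), PHP_EOL;
// strip_tags removes the tags but keeps the text between them ("hello x()"),
// so it tidies plain fields; the encoding in h() is what makes output safe.
```

The same rule applies to every value that reaches a page from a request, a database row or a cookie: encode at the point of output, for the context (HTML text, attribute, URL) the value lands in.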
When deploying web applications on the Internet, many people still think that ensuring safety and security, so as to minimise the chance of an attack by hackers, is only a matter of patching the operating system, the database management system or the web server software, and forget that the application running on top of them also harbours very large security holes. One of these holes is SQL injection. In the recent past, quite a few websites in Vietnam have been attacked, and most of the cases were SQL injection flaws. So what is SQL injection?

SQL injection is a technique that lets attackers exploit holes in the input checking of web applications, and the error messages of the database management system, to inject and execute illegitimate SQL statements (ones the application developer never intended). Its consequences are very serious, because it lets attackers delete or modify data and gain full control over the application's database, and even over the server the application runs on. The flaw commonly occurs in web applications whose data is managed by a database management system such as SQL Server, MySQL, Oracle, DB2 or Sybase.

6.2.2.2 Common forms of SQL Injection attack

There are four common forms: bypassing the login check, using the SELECT statement, using the INSERT statement, and using stored procedures. To find out whether a website is vulnerable to SQL injection, software or search tools are used to look for the flaw.

a. Bypassing the login check
With this form, the hacker can easily bypass the login pages thanks to the flaw in the way SQL statements operate on the web application's database. Consider a typical example: usually, to let users access protected web pages, the system builds a login page that asks the user for a username and a password. After the user enters this information, the system checks whether the username and password are valid in order to decide whether to allow or refuse continuing.
In this case, two pages can be used: an HTML page that displays the input form, and a PHP (or ASP, JSP, ...) page that processes the information entered by the user. If we write the processing page the usual way, it seems to contain no security hole at all: the user cannot log in if the username or password is not valid. However, that code is not really safe, and it is the premise for a SQL injection flaw. In particular, the hole (if there is one) lies in using the data entered by the user directly to build the SQL query. That is exactly what lets attackers control the query that will be executed. For example, if the user enters the following string into the username/password fields of the HTML page:

    ' OR '' = '

then the query that gets executed is:

    SELECT * FROM T_USERS WHERE USR_NAME = '' OR ''='' AND USR_PASSWORD = '' OR ''=''

The query is valid and returns all the rows of table T_USERS, and the code that follows treats the illegitimate login as a valid user.

b. Attack using the SELECT statement
This form of attack is more complex. To carry it out, the attacker must be able to understand and exploit the flaws in the system's error messages in order to find the weak points from which to start the attack. Consider a very common example on news websites. Usually there is a page that receives the ID of the news item to display and then queries the content of the item with that ID. For example, we have http://domain/news.php?id=123 The source code of that function is usually written quite simply, like this (deliberately vulnerable: the parameter is placed into the query without any validation or casting):

    //Get the news id through the $_GET method
    $news_id = $_GET['id'];
    //Build the SELECT query, with $news_id = 123
    $strSQL = "SELECT * FROM T_NEWS WHERE news_id = '$news_id'";
    //Execute the query
    $query = mysql_query($strSQL);
    //Return the result
    return mysql_fetch_array($query);

In normal situations, this code displays the content of the news item whose ID matches the one specified, and apparently nothing is wrong with it.
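Both flaws above have the same cause, user input spliced into the query text, and the same cure. The file below is an added example, not the thesis's code: it rewrites the login and news.php?id lookups with the whitelist checks that section 6.2.2.3 recommends (strlen, ctype and regular expressions) and with PDO prepared statements, so that the strings ' OR ''=' and 0' OR '1'='1 can never become part of the SQL. Table and column names follow the text (T_USERS, USR_NAME, USR_PASSWORD, T_NEWS, news_id); the in-memory SQLite database and its rows are constructed for the demonstration.

```php
<?php
// Added example, not the thesis's own code: the login and news-ID lookups of
// section 6.2.2.2 rewritten with whitelist validation (6.2.2.3) and PDO prepared
// statements. Uses an in-memory SQLite database constructed below.
declare(strict_types=1);

/** Whitelist: a username is 1 to 15 letters or digits, nothing else. */
function isValidUsername(string $u): bool
{
    return strlen($u) <= 15 && preg_match('/^[A-Za-z0-9]+$/', $u) === 1;
}

/** Whitelist: a news id is a string of decimal digits only. */
function isValidNewsId(string $id): bool
{
    return ctype_digit($id) && strlen($id) <= 10;
}

/** Login lookup: returns the user row on success, null on any failure. */
function findUser(PDO $db, string $username, string $password): ?array
{
    if (!isValidUsername($username)) {
        return null; // rejected before any SQL is built
    }
    // The placeholder is bound separately from the statement text, so the
    // driver never parses user input as SQL.
    $stmt = $db->prepare('SELECT USR_NAME, USR_PASSWORD FROM T_USERS WHERE USR_NAME = :name');
    $stmt->execute([':name' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // The stored column holds a password hash, compared with password_verify.
    if ($row === false || !password_verify($password, $row['USR_PASSWORD'])) {
        return null;
    }
    return $row;
}

/** news.php?id lookup with the same two layers of protection. */
function findNews(PDO $db, string $id): ?array
{
    if (!isValidNewsId($id)) {
        return null;
    }
    $stmt = $db->prepare('SELECT news_id, title FROM T_NEWS WHERE news_id = :id');
    $stmt->execute([':id' => (int)$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- constructed sample database --------------------------------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE T_USERS (USR_NAME TEXT, USR_PASSWORD TEXT)');
$db->exec('CREATE TABLE T_NEWS (news_id INTEGER, title TEXT)');
$ins = $db->prepare('INSERT INTO T_USERS VALUES (?, ?)');
$ins->execute(['alice', password_hash('s3cret', PASSWORD_DEFAULT)]);
$db->exec("INSERT INTO T_NEWS VALUES (123, 'first'), (124, 'second')");

// The injection strings from the text are rejected by the whitelist; even if
// they reached the statement they would be bound as literal values.
var_dump(findUser($db, "' OR ''='", "' OR ''='") === null);          // true
var_dump(findNews($db, "0' OR '1'='1") === null);                    // true
var_dump(findNews($db, '123')['title'] === 'first');                  // true: normal lookup
var_dump(findUser($db, 'alice', 's3cret')['USR_NAME'] === 'alice');   // true
var_dump(findUser($db, 'alice', 'wrong') === null);                   // true
```

The prepared statement is the control that actually removes the injection; the whitelist in front of it keeps malformed input from ever reaching the database and gives the user a precise error, which is the division of labour section 6.2.2.3 describes.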
However, just like the login example before, this code exposes a hole for another SQL injection. The attacker can replace a valid ID by giving the ID a different value and, from there, start an illegitimate attack, for example: 0' OR '1'='1, so that the URL becomes:

    http://domain/news.php?id=0' OR '1'='1

The SQL query will now return every news item in table T_NEWS, because it executes:

    $strSQL = "SELECT * FROM T_NEWS WHERE news_id = '0' OR '1'='1'";

Of course the example above does not look dangerous, but imagine that the attacker could delete the whole database by inserting dangerous statements such as DROP TABLE, for example:

    DROP TABLE T_AUTHORS

c. Attack using the INSERT statement
Web applications usually let users register an account in order to take part. An indispensable function is that, after registering successfully, the user can view and edit their own information. SQL injection can be used when the system does not check the validity of the information entered. For example, we have code that performs an INSERT of data as follows:

    $strSQL = "INSERT INTO TableName VALUES ('Value One', 'Value Two', 'Value Three')";
    $query = mysql_query($strSQL);

If you execute the statement above as it is, you certainly have a SQL injection flaw, because if the attacker enters the following into the first field:

    ' + (SELECT TOP 1 FieldName FROM TableName) + '

then the query becomes:

    INSERT INTO TableName VALUES ('' + (SELECT TOP 1 FieldName FROM TableName) + '', 'abc', 'def')

When this INSERT is executed, you have in effect asked for one more statement to be executed:

    SELECT TOP 1 FieldName FROM TableName

6.2.2.3 Solutions for preventing SQL Injection

The SQL Injection weakness originates in poor handling of data coming from the user, so writing source code that guarantees security is the core of preventing SQL Injection. The few solutions below can minimise SQL Injection attacks.

a. The allow-list model
(Whitelist)
The whitelist model lists the input values that are allowed, so building it requires the developer to understand clearly the business logic of the application being built. Some characteristics of the input that the model pays attention to are the data type, the length, the data range (for numeric input) or some other standard formats. For example, for a username of the kind commonly used for a company database, a valid value would be limited to 15 characters and contain only letters and digits. The conditions depend on the business logic and on the users' habits. You can use PHP's built-in functions such as strlen and is_numeric, or the regular expression functions, to perform these data checks.

b. The deny-list model (Blacklist)
This model builds patterns of input that are considered dangerous and rejects any input that matches them. It is less effective than the whitelist model, because the number of possible bad inputs is very large and the patterns have to be updated continuously. Its advantage over the whitelist method is that it is simpler to build. If we use this method we must also encode the output, to reduce the risk of leaking information about the patterns the model missed. One thing to note for the use of both the blacklist and the whitelist model is that the patterns should also be processed on the client side (through javascript, jquery, ...), because in a complex session the thing the user most wants to avoid is losing all the information already processed and starting over when an input is found to be abnormal. Although the input is processed on the client, that does not guarantee it is safe, and we still have to clean the data in the subsequent steps.

6.2.3 Cross-site Request Forgery

Cross-site Request Forgery (CSRF) is an attack technique that uses the authentication rights of the website administrator; in other words, it exploits the administrator's rights to carry out the tasks the attacker wants (the administrator will not know that they are being exploited). Its consequences are hard to predict, whether severe or mild.
And the attacker must be someone familiar with the source code of the web application they want to attack; it may be the person who wrote it, or a CMS, or source code that leaked, because to attack this way the attacker has to know the link of the administration page.

6.2.3.1 How the attack works

We go into a concrete example to understand the CSRF attack more clearly. Suppose our administration page has a product deletion function with a link like the following:

    http://domain/ungdung/admin/delete/1

We read this link as follows: receive a request to delete the product with product ID 1, authenticate the permission and, if the permission check passes, perform the deletion. The result of running this link is that the product with ID 1 is deleted from the database. So if a hacker learns the link, they send an anonymous letter to the administrator's email address with content such as:
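The delete link above is forgeable because the only thing it checks is the administrator's session, which the browser attaches to any request, whoever composed it. The file below is an added example, not the thesis's code: a synchroniser token guarding the delete action, with session storage simulated by a plain array so the file runs from the command line. The function names are this example's own.

```php
<?php
// Added example, not the framework's code: a synchroniser token for the admin
// delete action http://domain/ungdung/admin/delete/1. The session is a plain
// array here so the file runs without a web server; in the framework the same
// checks would sit in front of the delete controller.
declare(strict_types=1);

/** Create (once per session) and return the token that the admin pages embed. */
function csrfToken(array &$session): string
{
    if (!isset($session['csrf_token'])) {
        // 32 bytes from the OS random source, hex-encoded: a third-party page
        // cannot read or guess it, so it cannot be included in a forged request.
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** The hidden field to place in every admin form that changes state. */
function csrfField(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
         . htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Decide whether a delete request may proceed. A link followed from an e-mail
 * is a GET without a token and fails both checks; only a POST that carries the
 * session's own token passes.
 */
function deleteAllowed(array &$session, string $method, array $post): bool
{
    if ($method !== 'POST') {
        return false; // state changes never happen on GET, so a bare link does nothing
    }
    $sent = (string)($post['csrf_token'] ?? '');
    // Constant-time comparison; the session may not hold a token at all yet.
    return isset($session['csrf_token']) && hash_equals($session['csrf_token'], $sent);
}

// Constructed walk-through: the administrator's session and three incoming requests.
$session = [];
$form    = csrfField($session); // rendered into the administrator's delete form

$forged  = deleteAllowed($session, 'GET',  []);                                        // false
$guessed = deleteAllowed($session, 'POST', ['csrf_token' => 'deadbeef']);              // false
$genuine = deleteAllowed($session, 'POST', ['csrf_token' => $session['csrf_token']]);  // true
var_dump($forged, $guessed, $genuine);
```

Moving the deletion from a GET link to a POST form is what makes the token enforceable: a form with a hidden field can only be submitted from a page that was able to read the token, and a page on another origin cannot.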