- Cac ham dual day cho phep chi:mg ta thay the cau lenh SELECT.
b.M8 hinh dank sick ca m— Blacklist
Mo hinh nay xay dung nen cac mau input duqc cho 11 nguy hiem vi se khong chAp nhan nhang matt naỵ Mo hinh nay kern hieu qua hcm m8 hinh whitelist do s6 lugng kha ding xay ra cua met input xilu rat lern va khet cop nhAt cac mau naỵ
Tuy nhien uu diem dm phuang phip nay so yea phuang phip whitelist IA viec xay dung don gian hon. Neu sir dung phuang phip nay thl ta can phai ma hod output de giam thieu nguy co rd ri thong tin ve nheng mau ma m8 hinh nay b6 set.
MOt dieu chit y hap &Si yeti viec sir dung me hinh blacklist vi whitelist, d6 la cac mau nay nen dirge xir IS, 6 phia client (thong qua javascript, jquerỵ..). Bai trong met phien lam viec phirc tap, dieu can tranh nhAt cho ngu&i dung IA tat ca mqi thong tin da xir IS1 bi huS,, phai lim lai tir dAu do phat hien c6 dieu bit On trong input. Tuy da xir 1S, 6 client, nhung dieu d6 khong dam bao cac input de da an toan, chting ta van can phai thgc hien lam sach da lieu 6 cac btrerc tiep theọ
6.2.3. Cross — site Request Forgery
Cross — site Request Forgery (CSRF) la met kg, thuat tan cong bang each sir dung guy& chimg thue coa ngutri quan tri website, hay neoi each khite la lgri dung quyEn cua
ngtrtri quan trj website de thgc thi nhOng tic vu ma mirth mong mu6n (ngutri quart tri se khong he biet mirth hi lqi dung).
frau qua dm no kh6 co the biet dugc la nang hay nhg. Va ngtrtri thge hien tan cong nay phii la ngutri am hieu source code ctia img dung web muOn tan cong, c6 the la ngu&i lam ra n6 hay met CMS nao do hoc source code bi le, bin vi neu main tan cong theo each thirc nay thi ngutri tan cong phai nam dirge duemg link trong trang quan
6.2.3.1 Cach that tan cling
Ta see di vao cu the melt vi du de hieu re hap ve each thirc tan cong CSRF. Gia sir, trang quan trj cua chting ta ea chic nang xoa san pham vii dutmg link nhu saw
http: / /domain/ungdung/admin/delete/1. Ta hieu dual% link nay nhtr sau: !Man duqc request xoa san pham vii ma san pham II 1 sau do xac thut quyen va thgc hien xoa neu xac thgc quyan dirge thong quạ Ket qua am doing link nay la san pham vii ma sin pham la 1 se bi xoa khed khoi Ca so di: lieụ
Vay neu, tin tat biEt dtrgc dutrng link nay va Chung se gin tii email dm ngtrtri quan tri met bite thu nac danh co nei dung nhu sau:
<img src="http://domain/ungdung/admin/delete/1 " width="0" height="0" />
<img src="http://domain/ungdung/admin/delete/2 " width="0"
height="0"
<img src="http://domain/ungdung/admin/delete/3 " width="0"
height="0"
Chao ban. Chuc ban min ngay tot lanh !
Ngutri (wan tri thay email till se click vao de xem dux, va vOi nhfkng bac hinh kh6ng dugc hien thi nay, ngu&i quan tri se vo tinh ggi tgi ang dung va xoa (delete) nh&ng sin pham c6 ma san pham trong url.
Qua vi dp nay ta ding phan nao thay duqc mac dr) nguy hiem cua cich thi c tan ding CSRF.
62.3.2 Gicii phop
De phang trinh each thac tan cong clang CSRF nay ta thutmg c6 ba phucmg in sau:
- Dung POST thay cho GET.
- Mai khi thao tic trong trang (pan tri thi phai cung cap mat khaụ - Su dung *it token va kiem tra token neu hqp le thi mai xtir
Trong ba phuong An ke tren thi phutmg in thin ba se khien cho viec khai thac CSRF ter nen kho khan han, nhung dieu d6 khong thing nghia yeti viec chang ta co the phang chOng hoan town CSRF. Phuong an nay duqc thgc hien kha de dang nhu saw
//Khei tao met bien token
$token = md5(unigid(rand(), true));
//Thay vi clueing link xoa nhu tren, ta se thay the nhu sau:
url: http://domain/ungdung/admin/delete/1?token=$token
//Mk nay, khi xu lY viec xoa san phem ta se lam nhu sau:
If($token == $_GET[Itoken'])
//Thuc hien xoa }
Else
//Token khong hqp 10. }
KET LU4N
Khea lufm nay da trinh bay each de xay dung Framework thircmg mai dien ter. Khea luan da di sau tim hieu the van de:
- Tim hieu ve he th6ng thtrong mai dien ter, - Biet dirge tong quan ve cac PHP Framework,
- Ve cac mAu this& ke (Design Pattern) nlur MVC, Registry, Singleton. - Cach xay dung cac helper, librarỵ
- Sir dung Ajax trong Framwork
- Cfich bao mat chung cho met img dung WEBSITE Ket qui thu dirge sau khi thut hien khoa luan:
- Nang cao dirge cac icy rang viet tai lieu, (Lich tai lieu chuyen nganh.