It has been 25 years since PHP (PHP: Hypertext Preprocessor) was invented, and it is still one of the widely used programming languages, especially for web applications. But because it is so easy to use, people often write insecure scripts or use incorrect configurations, which allows malicious PHP scripts to be injected into the server and attackers to then take control of the server or steal confidential information.
This paper implements a solution called PDE (PHP Defense Extension), which allows PHP to identify a potentially malicious script before executing it and to refuse to execute it.