English
English
When using PHP's low-level network programming interface, the socket_accept() function is an important step in handling inbound connections. It is usually used in conjunction with functions such as socket_create() , socket_bind() and socket_listen() to build a server-side socket. Although this process is very basic, it is also full of safety risks. Especially after accepting client connections, if handled improperly, it is very easy to suffer from illegal data injection attacks.
This article will introduce several effective ways to prevent illegal data injection when using socket_accept() .
When reading data sent by the client using socket_read() , be sure to set the maximum read length to prevent buffer overflow or excessive data packets:
$buffer = socket_read($clientSocket, 2048, PHP_NORMAL_READ);
The maximum read length is set to 2048 bytes. If the client tries to send data that exceeds this length, it will be automatically truncated, reducing the risk of data injection.
After reading the data, format checksum illegal character filtering should be performed immediately. It is recommended to use regular expressions or PHP built-in filtering functions to process data. For example:
$input = trim($buffer);
if (!preg_match('/^[a-zA-Z0-9\s]+$/', $input)) {
socket_write($clientSocket, "Illegal input!\n");
socket_close($clientSocket);
exit;
}
This method can effectively prevent data with control characters, special symbols, or malicious commands from being further processed.
If the server and the client communicate through a custom protocol, be sure to design a clear message format and boundary. To give a simple example, it can be specified that the client must send a packet that starts with a certain keyword:
if (strpos($input, 'CMD:') !== 0) {
socket_write($clientSocket, "Protocol format error!\n");
socket_close($clientSocket);
exit;
}
In this way, most invalid or malicious requests can be blocked at the protocol level.
To prevent clients from keeping connections for a long time and continuously sending malicious data, it is recommended to set a reasonable timeout for each socket:
socket_set_option($clientSocket, SOL_SOCKET, SO_RCVTIMEO, ["sec"=>5, "usec"=>0]);
If the client does not send any data within 5 seconds, the server will automatically disconnect. This approach can effectively mitigate potential denial of service (DoS) attacks.
For client IPs that send illegal data multiple times, blocking or temporary blocking should be considered. At the same time, recording each illegal data attempt is also crucial for later attack tracing and policy adjustments:
file_put_contents('logs/illegal_access.log', $_SERVER['REMOTE_ADDR'] . " - $input\n", FILE_APPEND);
You can combine firewall rules to automatically block the source IP of malicious requests.
The following is a basic Socket server implementation that integrates the above protection measures:
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
socket_bind($socket, '0.0.0.0', 12345);
socket_listen($socket);
while (true) {
$clientSocket = socket_accept($socket);
if ($clientSocket === false) {
continue;
}
socket_set_option($clientSocket, SOL_SOCKET, SO_RCVTIMEO, ["sec"=>5, "usec"=>0]);
$buffer = socket_read($clientSocket, 2048, PHP_NORMAL_READ);
$input = trim($buffer);
if (!preg_match('/^[a-zA-Z0-9\s]+$/', $input)) {
socket_write($clientSocket, "Illegal input!\n");
file_put_contents('/var/log/socket_illegal.log', "Illegal access attempt: $input\n", FILE_APPEND);
socket_close($clientSocket);
continue;
}
// Sample processing logic
socket_write($clientSocket, "Welcome to visit m66.net Socket Serve!\n");
socket_close($clientSocket);
}
Although using Socket programming directly in PHP is powerful, it also requires developers to have a full understanding of data communication security. By limiting the reading length, verifying the input data, defining communication protocols, setting timeouts and recording logs, the risk of illegal data injection when using socket_accept() can be significantly reduced.
Always remember: every byte of data that interacts with the client can be a potential attack vector, and defense starts with the first line of code.
