Key points of PHP Security Protection-PHP Tutorial

Source: Internet
Author: User
Tags: form, post, tainted

The first thing that must be realized about Web application security is that external data should not be trusted. External data includes any data that is not directly typed by the programmer into the PHP code. Until you have taken measures to make it safe, any data from any other source (such as GET variables, form POST data, the database, configuration files, session variables, or cookies) is untrusted.

For example, the following data elements can be considered safe because they are set in PHP.

Listing 1. Flawless code

    <?php
    $myUsername = 'tmyer';
    $arrayUsers = array('tmyer', 'tom', 'tommy');
    define("GREETING", 'hello there' . $myUsername);
    ?>

However, the following data elements are flawed.

Listing 2. Insecure, flawed code

    <?php
    $myUsername = $_POST['username'];                  // tainted!
    $arrayUsers = array($myUsername, 'tom', 'tommy');  // tainted!
    define("GREETING", 'hello there' . $myUsername);   // tainted!
    ?>

Why is the first variable, $myUsername, flawed? Because it comes directly from a form POST. Anyone can type any string into that input field, including malicious commands intended to wipe files or run previously uploaded files.

You might ask, "Isn't it possible to avoid this risk by using a client-side (JavaScript) form validation script that accepts only the letters A-Z?" Yes, that is always a good step, but as you will see later, anyone can download any form to their own machine, modify it, and resubmit whatever content they need.

The solution is simple: you must run cleanup code on $_POST['username']. Otherwise, $myUsername can pollute anywhere it is used later (such as in an array or a constant).

A simple method for cleaning user input is to process it with a regular expression. In this example, only letters are allowed. It may also be a good idea to limit the string to a specific number of characters, or to require that all letters be lowercase.

Listing 3. Making user input secure

    <?php
    $myUsername = cleanInput($_POST['username']);      // clean!
    $arrayUsers = array($myUsername, 'tom', 'tommy');  // clean!
    define("GREETING", 'hello there' . $myUsername);   // clean!

    // Allow-list filter: lowercase, keep only a-z, cap at 12 characters
    function cleanInput($input) {
        $clean = strtolower($input);
        $clean = preg_replace("/[^a-z]/", "", $clean);
        $clean = substr($clean, 0, 12);
        return $clean;
    }
    ?>
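As an added example (not code from the original article), the cleanInput() filter of Listing 3 is run side by side with a stricter validateUsername() that rejects input rather than silently rewriting it; validateUsername() and the sample inputs are assumptions constructed for this illustration, standing in for $_POST['username'].

```php
<?php
// Added example, not part of the original article.
// Allow-list sanitizer as in Listing 3: lowercase, keep only a-z,
// truncate to 12 characters.
function cleanInput($input)
{
    $clean = strtolower($input);
    $clean = preg_replace('/[^a-z]/', '', $clean);
    $clean = substr($clean, 0, 12);
    return $clean;
}

// Stricter policy (assumed, not from the article): accept the value only
// if it already satisfies the allow-list; otherwise reject it outright.
// Rejecting avoids silent rewriting, where a hostile or malformed string
// is quietly turned into a different but "valid" username.
function validateUsername($input)
{
    if (preg_match('/^[a-z]{1,12}$/', $input) === 1) {
        return $input;
    }
    return null; // caller must treat null as invalid input
}

// Constructed sample inputs standing in for $_POST['username'].
$samples = array(
    'tmyer',                       // already clean
    'TMyer',                       // case only
    't-o-m',                       // stripping collapses it onto 'tom'
    '<script>alert(1)</script>',   // markup is stripped, not rejected
    'averyveryverylongusername',   // longer than the 12-character cap
);

foreach ($samples as $raw) {
    $valid = validateUsername($raw);
    printf("%-30s cleanInput=%-20s validateUsername=%s\n",
        var_export($raw, true),
        var_export(cleanInput($raw), true),
        $valid === null ? 'REJECTED' : var_export($valid, true));
}
```

Note that cleanInput('t-o-m') yields 'tom', which is already a name in $arrayUsers from Listing 3; a filter that strips characters can merge distinct inputs onto an existing account name, which is why a reject-on-mismatch check is the safer default for identifiers.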

The above are some tips for PHP security protection.
