Php Security overview and general rules


Introduction

PHP is a powerful language whose interpreter can be installed either as a web server module or as a CGI binary. The interpreter can access files, run commands, and open network connections on the server. These capabilities expose the server to many risks, but as long as PHP is installed and configured correctly and the application code is written with security in mind, PHP makes it possible to build CGI programs that are safer than their equivalents in Perl or C. A good balance between usability and security can also be found.

PHP is used in many different settings, so it offers many built-in configuration options. These options let PHP do a great deal, but the way they are set, together with how the server itself is configured, can introduce security problems.

PHP's configuration is as flexible as its syntax. It can be used to build a complete server-side application in an environment where it has only the permissions of a shell user, or it can run in a tightly restricted environment that does little more than server-side includes, without taking on excessive risk. How such an environment is built, and how secure it is, depends largely on the PHP developer.

This chapter begins with some general security advice, describes how to make different environments as secure as possible, and presents some programming principles for different security levels.

General

Absolutely secure systems do not exist, so the usual approach in the security industry is to balance usability against risk. Verifying every variable submitted by the user twice may seem responsible, but if it forces users to spend a long time filling in a complicated form, some of them will try to bypass the security mechanism.

The best security mechanism meets the requirements without inconveniencing users or making development harder. In fact, some security problems arise precisely in systems whose security mechanisms have been over-engineered.

Do not forget the well-known principle that a system is only as strong as its weakest link (the barrel principle). If every transaction is logged in detail with its time, location, and type, but user authentication relies on a single cookie, the link between those records and the user is far less credible.

When reviewing code, remember that even a simple page cannot anticipate every situation: a disgruntled employee will not necessarily enter what you expect, attackers have plenty of time to study your system, and your cat may well walk across the keyboard. That is why all code must be checked to find every place where improper data can be introduced, and then improved, simplified, or hardened.
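The two points above, that a bare cookie is a weak authentication link and that every place where user data enters the application must be checked, can be illustrated with a short PHP example. This is an added example, not code from the original page or from the PHP manual; the session store, the form fields and the sample requests are constructed for the illustration.

```php
<?php
// Added example (not from the original page): validating every user-supplied
// value at the point it enters the application, and identifying the user from
// a server-side session rather than from a bare cookie value.

declare(strict_types=1);

/**
 * Validate a submitted form. Every field is checked against an explicit
 * description of what is acceptable; anything else is reported as an error.
 * Returns [cleanValues, errors].
 */
function validate_form(array $input): array
{
    $clean = [];
    $errors = [];

    // Username: 3-32 characters, letters, digits and underscore only.
    $username = $input['username'] ?? '';
    if (is_string($username) && preg_match('/^[A-Za-z0-9_]{3,32}$/', $username) === 1) {
        $clean['username'] = $username;
    } else {
        $errors[] = 'username: 3-32 letters, digits or underscores';
    }

    // Email: syntactic check with PHP's built-in validation filter.
    $email = $input['email'] ?? '';
    $filtered = is_string($email) ? filter_var($email, FILTER_VALIDATE_EMAIL) : false;
    if ($filtered !== false) {
        $clean['email'] = $filtered;
    } else {
        $errors[] = 'email: not a valid address';
    }

    // Quantity: an integer within a bounded range, not a free-form number.
    $qty = filter_var($input['quantity'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100]]);
    if ($qty !== false) {
        $clean['quantity'] = $qty;
    } else {
        $errors[] = 'quantity: integer between 1 and 100';
    }

    return [$clean, $errors];
}

/**
 * Decide who the current user is. The only thing accepted from the client is
 * an opaque session identifier; the user id comes from the server-side session
 * store, so editing a cookie cannot turn one user into another.
 * $sessions stands in for the server-side store (an in-memory array here,
 * constructed for the example). Returns the user id, or null if anonymous.
 */
function current_user(array $cookies, array $sessions): ?int
{
    $sid = $cookies['PHPSESSID'] ?? null;
    if (!is_string($sid) || !isset($sessions[$sid])) {
        return null;   // no valid server-side session: treat as anonymous
    }
    // A client-supplied "user_id" cookie, if present, is simply ignored.
    return $sessions[$sid]['user_id'];
}

// --- Constructed sample requests (stand-ins for $_POST and $_COOKIE) ----------
$goodPost = ['username' => 'alice_01', 'email' => 'alice@example.com', 'quantity' => '5'];
$badPost  = ['username' => "bob smith <b>", 'email' => 'nope', 'quantity' => '9999'];

$sessions = ['constructed-session-id' => ['user_id' => 42]];  // constructed store
$honestCookies   = ['PHPSESSID' => 'constructed-session-id'];
$tamperedCookies = ['user_id' => '1'];   // bare cookie merely claiming a user id

[$clean, $errors] = validate_form($goodPost);
echo "good form: ", json_encode($clean), " errors: ", json_encode($errors), PHP_EOL;

[$clean, $errors] = validate_form($badPost);
echo "bad form:  ", json_encode($clean), " errors: ", json_encode($errors), PHP_EOL;

var_dump(current_user($honestCookies, $sessions));
var_dump(current_user($tamperedCookies, $sessions));
```

Run it with the PHP command-line interpreter. The first form passes unchanged, the second is rejected field by field, and only the request carrying a session identifier known to the server-side store resolves to a user; the request that just asserts a user id in a cookie is treated as anonymous, which is the difference between authentication that rests on one cookie and authentication that rests on server-held state.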

The Internet is full of people who break your code for fame, attack your website, and submit improper data; in short, they make your life interesting. Any site, large or small, that is connected to the Internet becomes a target. Many attackers ignore the size of a site and mechanically scan IP address ranges looking for victims. We hope the next one is not yours.
