Four PHP security policies

Source: Internet
Author: User
Tags: file system, sql injection

This article covers four areas of PHP application security: file system security, database security, user data filtering, and a few other configuration policies. Readers who need a checklist can refer to it.

I. File system security

If PHP runs as root (or under any account that can write outside the web root) and a script lets the user delete files, then passing the submitted data to the file system without validation very likely lets the user delete system files.

<?php
// Deletes the specified file from the user's home directory.
// Vulnerable on purpose: both values come straight from the request, unvalidated.
$username = $_POST['user_submitted_name'];
$userfile = $_POST['user_submitted_filename'];
$homedir  = "/home/$username";

unlink("$homedir/$userfile");

echo "The file has been deleted!";
?>

If the user submits a $userfile of ../../etc/passwd, the path becomes /home/<username>/../../etc/passwd, which is /etc/passwd, and it is deleted if the PHP process has permission to do so. (unlink() cannot remove a directory, so a value such as ../etc/ only fails with a warning, but every file the process can reach is exposed in this way.) Because the user name also comes from the form, a user can just as easily name another user's home directory and delete that user's files.

Policies against file system attacks:

Run PHP under a dedicated account with the minimum permissions it needs; never as root.

Validate every user-submitted value against a whitelist; values that may contain path components such as /, \ or .. must be rejected, not merely filtered.

Avoid file operations driven by user input (especially deletion). Where they are unavoidable, the file to delete must be identified by a server-generated random name and never by a user-controlled path, and the resolved path must be confined to the user's own directory.
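The three policies above applied to the vulnerable script, as an added example (this is not code from the original article). It assumes that the logged-in user is identified by $_SESSION['user'] rather than by a form field, that uploads live under /home/<user>/uploads, and that every stored file was named bin2hex(random_bytes(16)) . '.bin' by the server at upload time; the function safeUnlink and the constant HOME_ROOT are this example's own.

```php
<?php
// Added example, not code from the original article: a hardened version of the
// "delete a file in the user's home directory" script. Assumptions: the caller
// is identified by $_SESSION['user'] (set at login), uploads live under
// /home/<user>/uploads, and every stored file was given a server-generated
// name of the form bin2hex(random_bytes(16)) . '.bin' at upload time.

declare(strict_types=1);

const HOME_ROOT = '/home/';

function safeUnlink(string $username, string $userfile): bool
{
    // 1. Whitelist the user name: letters and digits only, so it cannot carry "/" or "..".
    if (strlen($username) > 32 || !ctype_alnum($username)) {
        throw new InvalidArgumentException('invalid user name');
    }
    // 2. Whitelist the file name: exactly the shape the server generates, nothing else.
    if (!preg_match('/\A[a-f0-9]{32}\.bin\z/', $userfile)) {
        throw new InvalidArgumentException('invalid file name');
    }
    $base = realpath(HOME_ROOT . $username . '/uploads');
    if ($base === false) {
        throw new RuntimeException('no upload directory for this user');
    }
    $raw = $base . DIRECTORY_SEPARATOR . $userfile;
    // 3. Refuse symlinks: a link planted in the upload dir could point at any file.
    if (is_link($raw)) {
        throw new RuntimeException('symlinks are not deleted');
    }
    // 4. Defence in depth: after resolving ".." and links, the target must still be
    //    inside the user's upload directory and must be a regular file.
    $target = realpath($raw);
    if ($target === false
        || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0
        || !is_file($target)) {
        throw new RuntimeException('path escapes upload directory');
    }
    return unlink($target);
}

session_start();
$username = $_SESSION['user'] ?? '';               // identity from the session, not from the form
$userfile = $_POST['user_submitted_filename'] ?? '';

try {
    safeUnlink($username, $userfile);
    echo "The file has been deleted!";
} catch (Throwable $e) {
    http_response_code(400);
    echo 'Refused: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```

The regex check alone already blocks traversal; the realpath() confinement and the symlink refusal are there so that a future loosening of the name format, or a link an attacker manages to place in the upload directory, still cannot reach a file outside it. Running the worker as an unprivileged account is what limits the damage if all of these checks fail.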

II. Database security

Database security is primarily about preventing SQL injection. The policies for improving it are as follows:

Do not connect as root or as the database owner account. Create a dedicated account with only the privileges the application needs, and restrict the hosts (IP addresses) that account may connect from.

Use PDO prepared statements with bound parameters: the query text and the data are sent separately, so user input can never change the structure of the SQL. Note that PDO by itself prevents nothing; PDO::query() or exec() with concatenated input is just as injectable as the old mysql_query(). A prepared statement can also be executed repeatedly without being re-parsed, which is where its performance benefit comes from.

Please refer to http://php.net/manual/en/pdo.prepared-statements.php

Protect sensitive fields. Passwords must be stored only as salted, slow hashes (password_hash() / password_verify()), never in plaintext or with reversible encryption; encrypt other secrets only where the application genuinely has to read them back.
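The injection the prepared statement prevents, shown side by side with the vulnerable concatenated query, plus the password hashing recommended above. This is an added example, not code from the original article; it uses an in-memory SQLite database through PDO so it runs offline, and the users table, its two rows and the attacker string are constructed sample data. In production the DSN would name the real server and the credentials would be the dedicated low-privilege account.

```php
<?php
// Added example, not code from the original article. The database, table and
// rows are constructed sample data; the DSN is SQLite in memory so that the
// script runs without a server.

declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT)');

// Store password hashes, never the password itself or a reversible encryption of it.
$insert = $pdo->prepare('INSERT INTO users (name, pw_hash) VALUES (:name, :hash)');
foreach (['alice' => 'correct horse', 'bob' => 'hunter2'] as $name => $pw) {
    $insert->execute([':name' => $name, ':hash' => password_hash($pw, PASSWORD_DEFAULT)]);
}

// Attacker-controlled input (constructed): the classic tautology injection.
$name = "x' OR '1'='1";

// 1. Vulnerable: the value is concatenated into the SQL text. The quote closes
//    the string literal and the OR clause makes the WHERE match every row, so
//    every user name in the table is returned.
$vulnerable = $pdo->query("SELECT name FROM users WHERE name = '$name'")
                  ->fetchAll(PDO::FETCH_COLUMN);

// 2. Safe: the value travels as a bound parameter, never as SQL text. The whole
//    string "x' OR '1'='1" is compared literally against the name column, so
//    nothing matches and an empty array comes back.
$stmt = $pdo->prepare('SELECT name FROM users WHERE name = :name');
$stmt->execute([':name' => $name]);
$safe = $stmt->fetchAll(PDO::FETCH_COLUMN);

// Login check built the same way: look the hash up by bound parameter, then let
// password_verify() do the (constant-time) comparison.
function checkLogin(PDO $pdo, string $user, string $password): bool
{
    $stmt = $pdo->prepare('SELECT pw_hash FROM users WHERE name = :name');
    $stmt->execute([':name' => $user]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

var_dump($vulnerable, $safe);
var_dump(checkLogin($pdo, 'alice', 'correct horse'), checkLogin($pdo, 'alice', 'wrong'));
```

On MySQL the account restriction from the first policy is a user bound to the application host, for example `CREATE USER 'app'@'10.0.0.5' IDENTIFIED BY '...'; GRANT SELECT, INSERT ON appdb.users TO 'app'@'10.0.0.5';`, so that a leaked password is useless from any other machine and an injection that does get through cannot DROP or read other schemas. With the MySQL driver, also set PDO::ATTR_EMULATE_PREPARES to false so the statement is really prepared server-side rather than interpolated client-side.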

III. User data filtering

Filter (validate) user input and encode output to prevent XSS, and add request tokens to prevent CSRF:

Use a whitelist: accept only input that matches the expected fixed pattern, rather than trying to strip bad characters out of arbitrary input.

For example, if a user name may contain only letters and digits, check it with ctype_alnum().

Encode user-controlled values with htmlspecialchars() or htmlentities() (with ENT_QUOTES and the page's charset) at the point where they are written into HTML. For user-supplied URLs, accept only the http and https schemes, so that javascript: and data: URLs are never echoed into an href or src.

Protect state-changing requests against CSRF with a per-session token that the server generates with a cryptographically secure random source, embeds in each form, and verifies on every POST.

HTML Purifier (http://htmlpurifier.org/) is an open source library that sanitizes rich HTML against a whitelist; it is an effective defence against XSS where users are allowed to submit markup.
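The whitelist check, output encoding, URL scheme check and CSRF token described above, combined into one small form handler. This is an added example, not code from the original article; the function names (validUsername, h, safeHttpUrl, csrfToken, csrfValid) and the form field names (csrf, name, site) are this example's own, and it assumes PHP sessions are available.

```php
<?php
// Added example, not code from the original article: input whitelisting, output
// encoding, URL scheme check and a CSRF token in one form handler. Function
// and field names are this example's own.

declare(strict_types=1);

// Whitelist: a user name is 3..32 ASCII letters or digits, nothing else.
function validUsername(string $name): bool
{
    $len = strlen($name);
    return $len >= 3 && $len <= 32 && ctype_alnum($name);
}

// Output encoding for HTML text and attribute contexts. ENT_QUOTES also encodes
// single quotes, so the value is safe inside attr='...'; the charset must match the page.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Only absolute http(s) URLs may be echoed back into href; "javascript:" and
// "data:" URLs have no host component and a non-http scheme, so they are refused.
function safeHttpUrl(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return $url;
}

// CSRF: one random token per session, embedded in every form and compared with
// hash_equals() so the check is constant-time.
function csrfToken(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function csrfValid(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}

session_start();

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!csrfValid($_POST['csrf'] ?? null)) {
        http_response_code(403);
        exit('bad CSRF token');
    }
    $name = $_POST['name'] ?? '';
    if (!validUsername($name)) {
        http_response_code(400);
        exit('invalid user name');
    }
    $site = safeHttpUrl($_POST['site'] ?? '') ?? '#';
    // Everything is encoded at output time, whether or not it passed validation.
    echo '<p>Hello, ' . h($name) . '. Your site: <a href="' . h($site) . '">' . h($site) . '</a></p>';
    exit;
}

// GET: render the form with the token in a hidden field.
echo '<form method="post">'
   . '<input type="hidden" name="csrf" value="' . h(csrfToken()) . '">'
   . '<input name="name"> <input name="site"> <button>Save</button>'
   . '</form>';
```

Validation and encoding are deliberately separate steps: validUsername() decides what is accepted, h() decides how it is written into the page, and the encoding is applied unconditionally so that a later relaxation of the validation rule does not silently become an XSS.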

IV. Other security policies

Turn off error display in the production environment: set display_errors=Off, keep error_reporting at E_ALL, and set log_errors=On with an error_log path configured in php.ini, so that messages and stack traces go to a log file instead of the response. The log also helps identify attack attempts.

register_globals is a deprecated feature (removed in PHP 5.4); do not use it.

Magic quotes (magic_quotes_gpc) must not be enabled; the feature was removed in PHP 5.4 and was never a substitute for prepared statements.

Use the latest supported PHP release; each release fixes known security vulnerabilities and bugs.
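The error-display policy from the first item above, expressed as the runtime equivalent of the php.ini settings together with an exception handler that logs full detail server-side while the client only sees a generic message. This is an added example, not code from the original article; the log path /var/log/php/app.log and the function name configureProductionErrors are this example's own.

```php
<?php
// Added example, not code from the original article: production error handling.
// The log path is an assumption for this example; the php.ini keys are given in
// the comments for each runtime setting.

declare(strict_types=1);

function configureProductionErrors(string $logPath): void
{
    error_reporting(E_ALL);                 // keep reporting everything ...
    ini_set('display_errors', '0');         // ... but never render it into the response  (php.ini: display_errors=Off)
    ini_set('display_startup_errors', '0'); //                                              (php.ini: display_startup_errors=Off)
    ini_set('log_errors', '1');             //                                              (php.ini: log_errors=On)
    ini_set('error_log', $logPath);         //                                              (php.ini: error_log=/var/log/php/app.log)

    // An uncaught exception would otherwise be printed with a stack trace that
    // exposes file paths, line numbers and function arguments (including DSNs).
    set_exception_handler(function (Throwable $e): void {
        error_log(sprintf(
            '%s: %s in %s:%d (client %s, request %s)',
            get_class($e), $e->getMessage(), $e->getFile(), $e->getLine(),
            $_SERVER['REMOTE_ADDR'] ?? 'cli', $_SERVER['REQUEST_URI'] ?? '-'
        ));
        http_response_code(500);
        echo 'Internal error';              // generic text only; the detail is in the log
    });
}

configureProductionErrors('/var/log/php/app.log');

// Demonstration: a failure that would otherwise reach the client as a trace.
throw new RuntimeException('database connection failed for dsn mysql:host=db.internal');
```

The point of keeping error_reporting at E_ALL is that turning reporting off also stops the log entries; the response is silenced by display_errors alone. The client address and request path in the log line are what make the file useful for spotting probing, for example a burst of 500s on one endpoint from one address.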

Code that follows the policies above will avoid the most common vulnerabilities and withstand the most common attacks; it is a baseline, not a guarantee that an application is secure.
