This article covers security issues in PHP: file system security, database security, user data security and related topics. Readers who need this material can use it as a reference.
I. File system security
If PHP runs with root privileges and a script lets users delete files, then unless the submitted data is filtered it is very likely that system files will be deleted.
<?php
// Deletes the specified file from the user's directory.
// Deliberately vulnerable: the submitted values go straight into the path.
$username = $_POST['user_submitted_name'];
$userfile = $_POST['user_submitted_filename'];
$homedir  = "/home/$username";
unlink("$homedir/$userfile");
echo "The file has been deleted!";
?>
Suppose the user submits a $userfile value of ../etc/: the /etc directory will then be deleted.
To guard against file system attacks, the policies are as follows:
Give PHP only limited permissions.
Monitor and filter the variables the user submits; they must not contain special characters such as file path separators.
Try to avoid using PHP to operate on files (deleting them in particular); if it is really needed, any file the user can delete must have a system-generated random name that the user cannot control.
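A hardened version of the delete handler that applies the three policies above, added here as an example (it is not code from the original article). It assumes PHP runs as an unprivileged user, that each user's deletable files live under /home/<username>/uploads/ (an assumed layout), and it keeps the page's form field names; generateStoredName() is a hypothetical helper showing how the random, user-independent file names from the last policy can be produced.

```php
<?php
// Added example, not from the original article.
// Assumed layout: user files live in /home/<username>/uploads/.

/**
 * Delete a user-owned file, refusing anything that is not a plain
 * alphanumeric name resolving inside the user's own upload directory.
 */
function deleteUserFile(string $username, string $userfile): bool
{
    // Whitelist: both values must be alphanumeric only, so "../", "/",
    // null bytes and similar path characters are rejected up front.
    if (!ctype_alnum($username) || !ctype_alnum($userfile)) {
        return false;
    }

    $homedir = '/home/' . $username . '/uploads';

    // Canonicalise both paths (realpath also resolves symlinks) and
    // confirm the target is still underneath the user's directory.
    $base   = realpath($homedir);
    $target = realpath($homedir . '/' . $userfile);
    if ($base === false || $target === false) {
        return false;                       // directory or file does not exist
    }
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;                       // resolved outside the user's directory
    }
    if (!is_file($target)) {
        return false;                       // never unlink directories
    }

    return unlink($target);
}

/**
 * Names for user-deletable files are generated by the system, never taken
 * from the user. Hex output is alphanumeric, so it passes the check above.
 */
function generateStoredName(): string
{
    return bin2hex(random_bytes(16));
}

// Handler: request values are validated before they touch the file system.
$username = $_POST['user_submitted_name'] ?? '';
$userfile = $_POST['user_submitted_filename'] ?? '';

if (deleteUserFile($username, $userfile)) {
    echo "The file has been deleted!";
} else {
    http_response_code(400);
    echo "Invalid request.";
}
```

The whitelist check alone would already stop ../etc/, but the realpath prefix check is kept as a second line of defence: if the validation rule is ever loosened (for example to allow dots in names), a file name that resolves outside the upload directory is still refused.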
II. Database security
Database security is mainly about preventing SQL injection attacks. The strategies for improving database security are as follows:
Do not connect to the database with the root account or the database owner account; restrict the IP addresses from which the connecting user may connect.
Use PHP's PDO extension, which effectively prevents SQL injection; besides the security benefit, PDO's prepared statements also have a significant performance advantage.
See http://php.net/manual/en/pdo.prepared-statements.php
Encrypt sensitive information, such as passwords.
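The following example, added here and not taken from the original article, shows the concatenated query that makes injection possible beside the PDO prepared statement that prevents it, and stores passwords with PHP's password_hash()/password_verify() (one-way hashing, the standard way to protect stored passwords). The DSN, the table layout and the app_user account (assumed to be a least-privilege account allowed to connect only from the web host) are placeholders.

```php
<?php
// Added example, not from the original article. Connection values and the
// users(id, name, password_hash) table are assumed.

function connectDb(): PDO
{
    $dsn = 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4';
    return new PDO($dsn, 'app_user', 'app-user-password-placeholder', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,   // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Vulnerable form: the user-controlled value is pasted into the SQL text,
// so quote characters in $name change the statement itself.
function findUserUnsafe(PDO $pdo, string $name): ?array
{
    $row = $pdo->query("SELECT id, name FROM users WHERE name = '$name'")->fetch();
    return $row === false ? null : $row;
}

// Safe form: the value is bound to a placeholder and is never parsed as SQL.
function findUser(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Passwords are stored as one-way hashes; the plaintext is never written.
function createUser(PDO $pdo, string $name, string $password): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO users (name, password_hash) VALUES (:name, :hash)'
    );
    $stmt->execute([
        ':name' => $name,
        ':hash' => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

// Login check compares against the stored hash in constant time.
function checkLogin(PDO $pdo, string $name, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}
```

Binding parameters is what stops injection; escaping the value by hand is not needed and is easy to get wrong. Disabling emulated prepares makes the database server itself separate the statement from its parameters.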
III. User data filtering
Filter user data to prevent XSS and CSRF attacks:
Use a whitelist (when user input follows a fixed pattern).
For example, if user names may only contain letters and digits, the function ctype_alnum can check them.
Apply htmlentities or htmlspecialchars to user input; for submitted URLs, do not allow non-HTTP protocols.
Use a token for user authentication (against CSRF).
HTML Purifier (http://htmlpurifier.org/) is an open-source, effective solution for preventing XSS attacks.
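The four measures in this section put together in one page, as an added example that is not part of the original article: whitelist validation with ctype_alnum, htmlspecialchars on everything reflected into HTML, a URL check that accepts only http and https, and a per-session CSRF token compared with hash_equals. The form field names and the session key csrf_token are assumptions.

```php
<?php
// Added example, not from the original article. Field names and the
// session key are assumed.

session_start();

// Whitelist: a user name must match a fixed pattern (letters and digits only).
function isValidUsername(string $name): bool
{
    return $name !== '' && strlen($name) <= 32 && ctype_alnum($name);
}

// Escape anything reflected into HTML so injected markup renders as text.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Accept only http(s) URLs; javascript:, data: and scheme-less values fail.
function isSafeHttpUrl(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true);
}

// CSRF: one random token per session, embedded in forms and checked on POST.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function verifyCsrfToken($submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!verifyCsrfToken($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token.');
    }
    $username = $_POST['username'] ?? '';
    $homepage = $_POST['homepage'] ?? '';
    if (!isValidUsername($username) || !isSafeHttpUrl($homepage)) {
        http_response_code(400);
        exit('Invalid input.');
    }
    // ... store $username and $homepage here ...
    echo 'Saved profile for ' . e($username);
    exit;
}
?>
<form method="post">
  <input type="hidden" name="csrf_token" value="<?= e(csrfToken()) ?>">
  <input name="username"> <input name="homepage">
  <button>Save</button>
</form>
```

hash_equals is used instead of == so the comparison time does not depend on how many leading bytes of the token match; random_bytes gives a cryptographically secure token, unlike rand() or uniqid().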
IV. Other security policies
Turn off error reporting in the production environment (error_reporting, display_errors); you can configure the error_log path in php.ini so that error messages are written to a log, which helps identify possible attacks by users.
register_globals is a deprecated (removed) feature; do not use it.
Do not enable the magic quotes feature; it was removed in PHP 5.4.
Try to use the latest version of PHP; the latest version fixes many known security vulnerabilities and bugs.
Code that strictly follows the above strategies will basically be free of serious security vulnerabilities and can prevent common attacks.
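A php.ini fragment for the error-reporting policy above, added here as an example (it is not from the original article). The log path is a placeholder; pick a location outside the web root that the PHP process can write to.

```ini
; Added example, not from the original article. The log path is a placeholder.

; Weak (development) settings, shown for contrast; not for a live site:
; display_errors = On
; log_errors = Off

; Hardened production settings:
display_errors = Off            ; never show error text to visitors
display_startup_errors = Off
log_errors = On                 ; keep the errors, but in a log file
error_log = /var/log/php/app_error.log
error_reporting = E_ALL         ; log everything; nothing reaches the browser
expose_php = Off                ; do not announce the PHP version in headers
```

Error messages often reveal file paths, SQL fragments or library versions, so with display_errors off they stay in the log where an administrator can review them for signs of probing.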