Tip 1: Use the appropriate error reporting
Generally in the process of website development, many web programmers always forget to make bug reports, which is a huge mistake, because proper error reporting is not only the best debugging tool, but also the perfect security leak detection tool, which allows you to find out the problems you will encounter before you actually go online.
There are, of course, many ways to enable error reporting. For example, in the php.in configuration file you can set up at runtime to enable
Start Error Reporting
Error_reporting (E_all);
Deactivate Error Reporting
error_reporting (0);
Tip 2: Do not use PHP's weak property
There are several properties of PHP that need to be set to off. They are generally found in PHP4 and are not recommended in PHP5. Especially in PHP6, these attributes are removed.
Registering Global variables
When Register_globals is set to ON, the equivalent of setting Environment,get,post,cookie or server variable is defined as a global variable. At this point you do not need to write $_post[' username ' to get the form variable ' username ', only need ' $username ' to get this variable.
So you're thinking that since setting register_globals to on has such a handy advantage, why not use it? Because if you do this will bring a lot of security problems to your site and may also conflict with local variable names.
For example, look at the following code first:
if (!empty ($_post[' website ')) && $_post[' website '] = = ' http://www.cxybl.com ')
{
$access = true;
}
If the register_globals is set to on during the run, then the user only needs to transfer Access=1 in a query string to get the PHP script to run anything.
Deactivate a global variable in. htaccess
Php_flag register_globals 0
Deactivate a global variable in php.ini
Register_globals = Off
Deactivate similar magic_quotes_gpc, Magic_quotes_runtime, magic_quotes_sybase these magic quotes
Set in the. htaccess file
Php_flag MAGIC_QUOTES_GPC 0
Php_flag Magic_quotes_runtime 0
Set in php.ini
MAGIC_QUOTES_GPC = Off
Magic_quotes_runtime = Off
Magic_quotes_sybase = Off
Tip 3: Validate user input
You can, of course, validate user input, and you must first know what type of data you expect the user to enter. This can be done on the browser side to defend the user malicious attack your preparation.
Tip 4: Avoid user Cross site scripting attacks
In Web site construction, it is simple to accept the user input form and then feedback the results. When you accept user input, it can be very risky to allow HTML input, because it allows JavaScript to execute in unexpected ways, directly. Even if there were such a loophole, cookie data could be stolen, causing the user's account to be stolen.
Tip 5: Preventing SQL injection attacks
PHP basically does not provide any tools to protect your database, so when you connect to a database, you can use the following mysqli_real_escape_string function.
$username = mysqli_real_escape_string ($GET [' username ']);
mysql_query ("select * from tbl_employee WHERE username = '" $username. ""); This article links http://www.cxybl.com/html/wlbc/Php/20130601/38187.html
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.
