PHP Security Consolidation Collection + Continuous update

#1: Managing Installation Scripts

If a developer has installed a PHP script for a third-party application, the script is used to install the entire application's working component and provide an access point. Most third-party packages recommend that you remove the installation scripts that are included in the directory after installation. But developers want to keep the installation scripts, and they can create a. htaccess file to control access to the directory.

AuthType Basic

AuthName "Administrators only"

Authuserfile/usr/local/apache/passwd/passwords

Require Valid-user

Any unauthorized user who tries to access a protected directory will see a prompt asking for a user name and password. The password must match the password in the specified "passwords" file.

#2: Header File

In many cases, developers can include several scripts that are distributed in the application into a single script. These scripts will contain an "include" directive that integrates a single file into the code of the original page. When an "include" file contains sensitive information, including the user name, password, and database access key, the file extension should be named ". php" instead of the typical ". Inc" extension. The ". PHP" extension ensures that the PHP engine will process the file and prevent any unauthorized access.

#3: MD5 vs. SHA

In some cases, the user will eventually create their own user name and password, and the site administrator will typically encrypt the password submitted by the form and save it in the database. Over the past few years, developers have used the MD5 (Message digest algorithm) function to encrypt a 128-bit string cipher. Today, many developers use the SHA-1 (Secure Hash algorithm) function to create a 160-bit string.

#4: Automatic Global variables

The settings contained in the php.ini file are called "Register_globals". P The server will automatically create global variables for server variables and query strings based on the settings of the register_globals. When installing third-party packages, such as content management software, like Joomla and Drupal, the installation script will guide the user to set the register_globals to "off". Changing the setting to off ensures that unauthorized users cannot access the data by guessing the variable name and verifying the password.

#5: Initializing variables and values

Many developers fall into the trap of instantiating variable values that may be distracted by time constraints or lack of effort. Variables in the authentication process should have values before the user logon program begins. This simple step prevents users from bypassing the validator or accessing certain areas of the site that they do not have permission to.

This article is from the Web Technology Learning blog, so be sure to keep this source http://sunis.blog.51cto.com/9260020/1539676