The more popular PHP becomes, the more important it is to pay attention to security vulnerabilities, so this PHP tutorial presents the following tips.
Tip 1: Use appropriate error reporting
All good PHP programmers enable error reporting. You can set the error level with the error_reporting directive in php.ini, or at runtime with the error_reporting() function.
Enable full error reporting: error_reporting(E_ALL);
Disable error reporting: error_reporting(0);
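The setting that matters for security is not only the level but where the errors go: a practitioner wants every error logged and none displayed to the visitor. The following is an added example, not code from the original tutorial; the log path and the APP_ENV variable name are assumptions.

```php
<?php
// Added example: report every error to the log, but never display it to the
// visitor, because displayed errors leak file paths, SQL fragments and stack
// traces. Equivalent php.ini settings:
//   error_reporting = E_ALL
//   display_errors  = Off
//   log_errors      = On
//   error_log       = /var/log/php/app.log   (hypothetical path)
error_reporting(E_ALL);
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app.log'); // hypothetical path

// Showing errors is acceptable only on a developer's own machine.
// APP_ENV is an assumed environment variable name.
if (getenv('APP_ENV') === 'development') {
    ini_set('display_errors', '1');
}
```

Keeping display_errors off in production is what turns error_reporting(E_ALL) from an information leak into a useful audit trail.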
Tip 2: Do not use PHP's weak features
Many PHP variables and functions have been removed in the newer versions, PHP 5 and PHP 6.
register_globals
When register_globals is set to On, every Environment, GET, POST, COOKIE and Server variable is registered as a global variable. In that case you do not need to write $_POST['username'] to obtain the form field 'username'; $username alone gives you the variable.
So you may wonder: why not set register_globals to On, since it is so convenient? Doing so causes many security problems, and the registered names can also collide with local variable names.
For example, look at the following code:
if (!empty($_POST['username']) && $_POST['username'] == 'AAA'
    && !empty($_POST['password']) && $_POST['password'] == '123')
{
    $access = true;   // note: $access is never initialised to false before this check
}
If register_globals is On when this runs, it is enough to pass access=1 in the query string to be granted everything the script protects, because $access is never initialised before the check and the request variable fills it in.
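The same check rewritten so that it holds up even if register_globals happens to be on. This is an added example, not the tutorial's own code; the credentials 'AAA' and '123' are the tutorial's placeholder values.

```php
<?php
// Added example: two fixes make the check safe regardless of register_globals.
// 1. Initialise every flag before use, so an injected $access has no effect.
// 2. Read only from the explicit $_POST superglobal, never from bare variables.
$access = false;

$username = isset($_POST['username']) ? (string) $_POST['username'] : '';
$password = isset($_POST['password']) ? (string) $_POST['password'] : '';

// Strict comparison; the placeholder credentials come from the tutorial.
if ($username === 'AAA' && $password === '123') {
    $access = true;
}

if (!$access) {
    http_response_code(403);
    exit('Access denied');
}

echo "Welcome\n";
```

The first fix is the one that defeats the access=1 trick: a variable that is assigned before the check cannot be pre-set by the request. The second fix makes the code correct even on a server where the directive has been left on.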
Disable register_globals in .htaccess:
php_flag register_globals 0
Disable register_globals in php.ini:
register_globals = Off
Disable the magic quotes settings magic_quotes_gpc, magic_quotes_runtime and magic_quotes_sybase.
Set in the .htaccess file:
php_flag magic_quotes_gpc 0
php_flag magic_quotes_runtime 0
Set in php.ini:
magic_quotes_gpc = Off
magic_quotes_runtime = Off
magic_quotes_sybase = Off
Tip 3: Validate user input
First you must know what type of data you expect the user to supply; only then can you check the input against that expectation and defend the application against malicious input.
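An added example of that approach, not from the original tutorial: each field is checked against the type the application expects, using PHP's filter_var() and an anchored allow-list regex. The field names and the sample submissions are constructed for illustration.

```php
<?php
// Added example: decide the expected type of each field first, then reject
// anything that does not match it. Field names are assumptions.

function validateRegistration(array $input): array
{
    $errors = [];

    // Integer in a known range: filter_var returns false on anything else,
    // including null, empty strings and numbers with trailing text.
    $age = filter_var($input['age'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 150]]);
    if ($age === false) {
        $errors['age'] = 'age must be an integer between 1 and 150';
    }

    // E-mail address: syntactic check only.
    if (filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'invalid e-mail address';
    }

    // Username: allow-list of characters plus a length bound, anchored so the
    // whole value must match.
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $input['username'] ?? '')) {
        $errors['username'] = 'username must be 3-32 letters, digits or underscores';
    }

    return $errors;
}

// Constructed sample submissions, shaped like the contents of $_POST.
$good = ['age' => '27', 'email' => 'user@example.com', 'username' => 'alice_01'];
$bad  = ['age' => 'twenty-seven', 'email' => 'not-an-email', 'username' => '<b>alice</b>'];

var_dump(validateRegistration($good)); // empty array: every field accepted
var_dump(validateRegistration($bad));  // one message per rejected field
```

Validation of this kind is a gate, not an escaping step: a value that passes is still escaped for HTML or bound as a query parameter when it is used, as the next two tips describe.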
Tip 4: Prevent cross-site scripting (XSS) attacks
Web applications simply accept input from user forms and then display the results. Allowing HTML in user input is very dangerous, because once the input has been tampered with in an unexpected way it lets JavaScript execute directly in the page. A single such vulnerability can let cookie data be stolen, leading to user account theft.
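The standard defence is to escape user-supplied text at the moment it is written into HTML, so that any markup it contains is shown literally rather than interpreted. The block below is an added example, not the tutorial's code; the comment text is a constructed sample.

```php
<?php
// Added example: escape at the output boundary with htmlspecialchars().

function e(string $text): string
{
    // ENT_QUOTES escapes both ' and ", which matters inside attribute values;
    // ENT_SUBSTITUTE replaces invalid byte sequences instead of returning '';
    // the charset must match the encoding the page declares.
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample: a comment field that happens to contain markup and quotes.
$comment = 'Nice post <b>but</b> see "this" & \'that\'';

// Vulnerable: raw interpolation makes any tag in $comment part of the page.
$vulnerable = '<p>' . $comment . '</p>';

// Hardened: the same value escaped, once for an element body and once for an
// attribute value. Both contexts are covered by ENT_QUOTES.
$safeBody = '<p>' . e($comment) . '</p>';
$safeAttr = '<input type="text" value="' . e($comment) . '">';

header('Content-Type: text/html; charset=UTF-8');
echo $safeBody, "\n", $safeAttr, "\n";
```

The function is deliberately tiny so that it is used everywhere a variable meets HTML; the vulnerable line is left in only to show the difference, and would be deleted in real code. Escaping for HTML does not cover other output contexts such as JavaScript strings or URLs, which need their own encoders.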
Tip 5: Prevent SQL injection attacks
PHP itself provides almost no tools to protect your database, so when you talk to the database you can escape values with the mysql_real_escape_string() function. Here are some invalid characters.
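An added example, not the tutorial's own code, showing the escaping approach the tip names alongside the prepared statement that is preferred today. mysql_real_escape_string() belongs to the old mysql extension, which was removed in PHP 7, so the mysqli equivalent is used here. The connection details and the users table are assumptions.

```php
<?php
// Added example: escaping versus parameter binding with mysqli.
// Credentials, database and table are hypothetical.
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
if ($db->connect_error) {
    exit('Connection failed');
}
// Escaping is only correct for the connection's character set, so set it explicitly.
$db->set_charset('utf8mb4');

$username = $_GET['username'] ?? '';

// Vulnerable form, kept as a comment for contrast: the raw value is pasted into
// the SQL text, so quote characters in it change the query's meaning.
// $sql = "SELECT id FROM users WHERE username = '" . $username . "'";

// Option 1: escape the value before embedding it. The value must still be
// placed inside quotes in the SQL, and the escaping must match the charset.
$escaped = $db->real_escape_string($username);
$result  = $db->query("SELECT id FROM users WHERE username = '" . $escaped . "'");
while ($row = $result->fetch_assoc()) {
    echo 'escaped query found user id ', $row['id'], "\n";
}

// Option 2 (preferred): bind the value as a parameter. The query text is sent
// without the data, so the server never parses the value as SQL.
$stmt = $db->prepare('SELECT id FROM users WHERE username = ?');
$stmt->bind_param('s', $username);
$stmt->execute();
$stmt->bind_result($id);
while ($stmt->fetch()) {
    echo 'prepared statement found user id ', $id, "\n";
}
$stmt->close();
$db->close();
```

Escaping works only when every interpolated value is both escaped and quoted, which is easy to forget for numeric columns or identifiers; parameter binding removes that burden because the data path never touches the query parser.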