Several practical points for creating a PHP website with high security and php Security-PHP Tutorial

Source: Internet
Author: User
Tags php website
Several practical points for creating a high-security PHP website and practical points for security php. Several practical points for creating a high-security PHP website. all of you know that php is currently the most popular Web application programming language. However, it is similar to other scripting languages to create several practical points for PHP websites with high security and php Security.

As we all know, PHP is already the most popular Web application programming language. But like other scripting languages, PHP also has several dangerous security vulnerabilities. So in this tutorial, we will look at some practical skills to avoid some common PHP security problems.

Tip 1: Use appropriate error reports

In the development process, many programmers forget to make program error reports. this is a great mistake, because proper error reports are not just the best debugging tool, it is also an excellent security vulnerability detection tool, which allows you to find out the problems you will encounter before the application is launched.

Of course, there are also many ways to enable error reporting. For example, in the php. in configuration file, you can set to enable it at runtime.

  Start error report

error_reporting(E_ALL);

  Disable error report

error_reporting(0);
Tip 2: Do not use the Weak attribute of PHP

Several PHP attributes need to be set to OFF. Generally, they exist in PHP4, which is not recommended in PHP5. These attributes are removed, especially in PHP6.

  Register global variables

When register_globals is set to ON, it is equivalent to setting Environment, GET, POST, COOKIE, or Server variables as global variables. In this case, you do not need to write $ _ POST ['username'] to obtain the form variable 'username'. you only need '$ username' to obtain this variable.

So you must be wondering why not use register_globals as it is so convenient to set register_globals to ON? If you do this, there will be a lot of security issues, and it may also conflict with the local variable name.

For example, first look at the following code:

if( !empty( $_POST['username'] ) && $_POST['username'] == ‘test123′ && !empty( $_POST['password'] ) && $_POST['password'] == “pass123″ ){$access = true;}

If register_globals is set to ON during running, you only need to transmit access = 1 in a query string to get everything that the PHP script runs.

  Disable global variables in. htaccess

php_flag register_globals 0

  Disable global variables in php. ini

register_globals = Off

  Disable Magic Quotes like magic_quotes_gpc, magic_quotes_runtime, and magic_quotes_sybase.

Set in the. htaccess file

php_flag magic_quotes_gpc 0php_flag magic_quotes_runtime 0

Set in php. ini

magic_quotes_gpc = Offmagic_quotes_runtime = Offmagic_quotes_sybase = Off
Tip 3: verify user input

You can also verify the user input. First, you must know the data type you want the user to input. In this way, you can prepare your browser to defend against malicious attacks.

Tip 4: Avoid cross-site scripting attacks

In Web applications, users simply accept user input forms and then feedback the results. When accepting user input, it is very dangerous to allow HTML format input, because it allows JavaScript to be executed directly after being intruded in an unpredictable way. Even if there is one such vulnerability, cookie data may be stolen, resulting in user account theft.

Tip 5: prevent SQL injection attacks

PHP basically does not provide any tools to protect your database, so when you connect to the database, you can use the following mysqli_real_escape_string function.

$username = mysqli_real_escape_string( $GET['username'] );mysql_query( “SELECT * FROM tbl_employee WHERE username = ’”.$username.“‘”);

Well, in this short article, we have explained several PHP security issues that cannot be ignored during development. But whether or not to use it is determined by developers. I hope this article will help you.

Everyone knows that PHP is currently the most popular Web application programming language. But it is also the same as other scripting languages...

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.