Several practical points for creating high-security PHP sites

As you all know, PHP is already the most popular Web application programming language in the present. But also, like other scripting languages, PHP has several very dangerous security vulnerabilities. So in this tutorial, we'll look at a couple of practical tips to help you avoid some of the most common PHP security issues.

Tip 1: Use the appropriate error reporting

Generally in the development process, many programmers always forget to make bug reports, this is a great mistake, because the right error reporting is not only the best debugging tools, but also a good security vulnerability detection Tool, which allows you to put the application really online before you can find out the problems you will encounter.

There are, of course, many ways to enable error reporting. For example, in the php.in configuration file you can set up at runtime to enable

Start Error Reporting

Error_reporting (E_all);

Deactivate Error Reporting

error_reporting (0);

Tip 2: Do not use PHP's weak property There are several PHP properties that need to be set to off. They are generally found in PHP4 and are not recommended in PHP5. Especially in PHP6, these attributes are removed.

Registering Global variables

When Register_globals is set to ON, the equivalent of setting Environment,get,post,cookie or server variable is defined as a global variable. At this point you do not need to write $_post [' username '] to get the form variable ' username ', only need ' $username ' to get this variable.

So you're thinking that since setting register_globals to on has such a handy advantage, why not use it? Because if you do this, you will have a lot of security problems, and it may also conflict with local variable names.

For example, look at the following code first:

if (!empty ($_post[' username ')) && $_post

[' username '] = = ' test123′&&!empty ($_post[' password ']) & amp;& $_post[' password ' = = = "Pass123″)  
{  
    $access = true;  
}

If the register_globals is set to on during the run, then the user only needs to transfer Access=1 in a query string to get the PHP script to run anything.

Deactivate a global variable in. htaccess

Php_flag register_globals 0

Deactivate a global variable in php.ini

Register_globals = Off

Deactivate similar magic_quotes_gpc, Magic_quotes_runtime, magic_quotes_sybase these magic quotes

Set in the. htaccess file

Php_flag MAGIC_QUOTES_GPC 0  
php_flag magic_quotes_runtime 0

Set in php.ini

MAGIC_QUOTES_GPC = off   
    
magic_quotes_runtime = off   
    
magic_quotes_sybase = Off

Tip 3: Validate user input You can also validate user input, and you must first know what type of data you expect the user to enter. This can be done on the browser side to defend the user malicious attack your preparation.

Tip 4: Avoid cross-site scripting attacks in Web applications, they simply accept user input forms and then feedback results. When you accept user input, it can be very risky to allow HTML input, because it allows JavaScript to execute in unexpected ways, directly. Even if there were such a loophole, cookie data could be stolen, causing the user's account to be stolen.

Tip 5: Prevent SQL injection attacks PHP basically does not provide any tools to protect your database, so when you connect to a database, you can use the following mysqli_real_escape_string function.

$username = mysqli_real_escape_string ($GET [' username ']);   
    
mysql_query ("select * from tbl_employee WHERE username = '" $username. "");

Well, in this short article, we've described several PHP security issues that we can't ignore during the development process. But ultimately whether it is used, how it is used, or what the developer decides. I hope this article will help you.