Common security problems in PHP development and solutions

Source: Internet
Author: User
This article describes common security issues in PHP development and their solutions: SQL injection, CSRF, XSS and CC (HTTP request flood) attacks, with background on each and the corresponding countermeasures.
Talking about PHP security: preventing SQL injection, preventing XSS attacks, preventing hotlinking, and preventing CSRF
Preface:
First of all, I am not a web security expert, so this is not an expert article on web security. It is a set of notes I took while carefully reading and summarising other people's articles; some of the points are things a PHP developer (PHPer) finds hard to discover or tends not to pay attention to, so I am writing them down for future reference. A large company will have a dedicated web security tester, and security is then not the PHPer's concern; but the security knowledge a PHPer needs is of the kind "once you know this, you pay attention to it while programming".
1. Some PHP security configuration
(1) Disable the display of PHP errors
In php.ini, set

display_errors = Off

or add, at the start of the script,

error_reporting(0);

Prefer the php.ini setting: with display_errors = Off and log_errors = On the errors still reach the error log, whereas error_reporting(0) discards them altogether, and an error page shown to a visitor leaks file paths, SQL fragments and library versions.
1) An example where error_reporting(0); fails:
File A code:

Error:

Parse error: parse error, expecting `','' or `';'' in E:\webphp\2.php on line 4

2) An example where error_reporting(0); succeeds:
File A code:

File B code:

This is why many PHPers claim that error_reporting(0) does not work. In the first example A.php itself contains a fatal error, a parse error, so the file never compiles and nothing in it, the error_reporting(0) call included, is ever executed; the interpreter has not been told to suppress anything, and the error is displayed. In the second example a.php compiles and runs successfully, so the suppression call takes effect, and the errors in B.php, which is executed afterwards, are suppressed as well.
PS: it cannot suppress MySQL errors. A message the application prints itself, such as echoing mysql_error() on a failed query, is not affected by error_reporting() and has to be removed or handled in the code.
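The following is an added example, not code from the original article, showing the production-safe alternative to error_reporting(0) and reproducing the parse-error behaviour described above with files written to a temporary directory (the files, the log path and the use of mysqli are assumptions for the demonstration):

```php
<?php
// Added example (not from the original article): report every error internally, show
// none of it to the client. The log path is an assumption; keep it outside the web root.
declare(strict_types=1);

error_reporting(E_ALL);                  // report everything internally
ini_set('display_errors', '0');          // never echo errors or stack traces to the browser
ini_set('log_errors', '1');
ini_set('error_log', __DIR__ . '/../logs/php-error.log');   // assumed location

// Uncaught exceptions: full detail to the log, a generic message to the user.
set_exception_handler(function (Throwable $e): void {
    error_log(sprintf('%s: %s in %s:%d', get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
    http_response_code(500);
    echo 'An internal error occurred.';
});

// Database errors are a separate channel. In exception mode, mysqli failures become
// exceptions and reach the handler above. What error_reporting() can never hide is a
// message the application prints itself, e.g. die(mysqli_error($conn)); remove such calls.
if (function_exists('mysqli_report')) {
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
}

// Why error_reporting(0) "did not work" in the first example: a parse error is raised
// while the file is being compiled, before any statement in it runs. Constructed files:
$dir = sys_get_temp_dir();
$ok  = $dir . '/b_ok_' . bin2hex(random_bytes(4)) . '.php';
$bad = $dir . '/b_bad_' . bin2hex(random_bytes(4)) . '.php';
file_put_contents($ok,  "<?php\necho \$undefinedVariable;\n");   // runtime warning only
file_put_contents($bad, "<?php\necho 'x'\n\$y = 1;\n");          // missing ';' => parse error

include $ok;   // the warning is logged, not displayed, because display_errors is off

// Since PHP 7 a parse error in an *included* file is thrown as ParseError and can be
// caught here; a parse error in the *current* file cannot, because nothing in it ever runs.
try {
    include $bad;
} catch (ParseError $e) {
    error_log('parse error in included file: ' . $e->getMessage());
}

unlink($ok);
unlink($bad);
```

Run it with display_errors left at its php.ini default first and then with this bootstrap in place: the warning from the first include and the ParseError from the second both move from the response body into the log file.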

(2) Turn off some dangerous settings
1) Disable magic quotes.

In php.ini, set magic_quotes_gpc = Off.
Otherwise input that is also passed through addslashes() is escaped twice. (magic_quotes_gpc was removed in PHP 5.4; escaping input for SQL by hand should be replaced by prepared statements in any case.)
2) Disable register_globals
In php.ini, set register_globals = Off.
When register_globals = On and the address bar holds http://www.jb51.net?Bloger=benwin

the request parameter is turned directly into the PHP variable $Bloger, so any variable the script did not initialise can be set from the query string, which can be fatal. So set register_globals = Off. (The directive was removed in PHP 5.4, but code that relies on variables being unset is still wrong.)
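As an added example, not from the original article, the classic authorisation bypass that register_globals makes possible, its hardened form, and a start-up check; check_password() and show_admin_panel() are assumed helper names, and the password hash is generated on the fly purely for the demonstration:

```php
<?php
// Added example (not from the original article). Helper names are assumptions.
declare(strict_types=1);

function check_password(string $pw): bool
{
    // Stand-in for a hash loaded from the user store; generated here for the demo only.
    static $storedHash = null;
    $storedHash ??= password_hash('correct horse battery staple', PASSWORD_DEFAULT);
    return password_verify($pw, $storedHash);
}

function show_admin_panel(): void
{
    echo "admin panel\n";
}

// --- Vulnerable: relies on $authorized staying unset unless the check passes.
// With register_globals = On, a request such as  admin.php?authorized=1  creates
// $authorized = "1" before this code runs, so the panel is shown without a password.
function adminVulnerable(): void
{
    if (check_password($_POST['pw'] ?? '')) {
        $authorized = true;
    }
    if ($authorized) {   // undefined unless set above; attacker-controlled under register_globals
        show_admin_panel();
    }
}

// --- Hardened: every variable is initialised, and request data is read only from the
// explicit superglobals, never from a bare variable name the request could have created.
function adminHardened(): void
{
    $authorized = false;
    $pw = (isset($_POST['pw']) && is_string($_POST['pw'])) ? $_POST['pw'] : '';
    if (check_password($pw)) {
        $authorized = true;
    }
    if ($authorized) {
        show_admin_panel();
    }
}

// Start-up check: refuse to run on an installation that still has the directive on.
// (register_globals was removed in PHP 5.4, so ini_get() returns false on modern PHP.)
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    http_response_code(500);
    exit('register_globals must be Off');
}

adminHardened();
```

The same "uninitialised variable" pattern appears with $_SESSION and extract(): any path where a request can create a variable the code later trusts without having set it is the bug, not the php.ini setting by itself.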
(3) Configure file permissions strictly.
Give each directory only the permissions it needs. For example, the directory that holds uploaded images must not allow execution: its files should be readable, only the uploading process should be able to write there, and the web server must not run scripts from it.
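An added example, not from the original article, of saving an uploaded image so that the stored file is readable but never executable; the form field name, the upload directory and the accepted image types are assumptions:

```php
<?php
// Added example (not from the original article). Field name "image" and the directory
// are assumptions; the directory should sit outside the document root, or be served
// with script execution disabled (e.g. Apache's php_admin_flag engine off for it).
declare(strict_types=1);

function saveUploadedImage(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }

    // Trust the bytes, not the client-supplied file name or MIME type.
    $info = @getimagesize($file['tmp_name']);
    $allowed = [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF];
    if ($info === false || !in_array($info[2], $allowed, true)) {
        throw new RuntimeException('not an accepted image');
    }

    if (!is_dir($uploadDir) && !mkdir($uploadDir, 0755, true)) {
        throw new RuntimeException('upload directory unavailable');
    }

    // Server-generated name: no user-controlled path components, no double extensions.
    $name = bin2hex(random_bytes(16)) . '.' . image_type_to_extension($info[2], false);
    $dest = rtrim($uploadDir, '/') . '/' . $name;

    // move_uploaded_file() refuses anything that was not actually uploaded via HTTP.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);   // owner read/write, everyone else read-only, nobody executes
    return $name;
}

// Usage (assumed field name and directory):
try {
    $stored = saveUploadedImage($_FILES['image'] ?? [], __DIR__ . '/../uploads');
    echo 'stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8') . "\n";
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'upload rejected';
}
```

File-system mode 0644 only stops execution by the operating system; a PHP file renamed to .jpg is still run by the web server if that directory is mapped to the PHP handler, so the server-side mapping matters as much as the chmod.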
2. Validate data strictly: not all of your users are "good" people.
I remember discussing data validation with a friend, who said: you should not think so badly of all your users! What I want to say is that in a development context the question does not arise; our job is to validate and control the data flow strictly. Even one malicious user out of a hundred million is fatal, and a well-meaning user who unintentionally types Chinese characters into an input box has, without meaning to, become a "bad" one.
2.1 Data validation should cover
(1) whether key data is present, e.g. whether the id of the record to delete was supplied at all;
(2) whether the data type is correct, e.g. whether that id is an integer;
(3) data length, e.g. for a char(10) column use strlen to check the length before writing it;
(4) whether the data contains dangerous characters.
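An added example, not from the original article, that applies the four checks above to a "delete a record" request and then runs the query with a prepared statement, which is the replacement for the addslashes()/magic-quotes escaping discussed in section 1. The table and column names are assumptions, and an in-memory SQLite database (requires pdo_sqlite) stands in for the real one:

```php
<?php
// Added example (not from the original article). Table/column names are assumptions.
declare(strict_types=1);

/** Returns a list of validation errors; an empty list means the input is acceptable. */
function validateDeleteRequest(array $input): array
{
    $errors = [];

    // (1) Presence: the id of the record to delete must be supplied.
    if (!isset($input['id']) || $input['id'] === '') {
        $errors[] = 'id is missing';
        return $errors;
    }

    // (2) Type: a positive integer. FILTER_VALIDATE_INT rejects "12abc", "1.5", "0x1A"
    //     and "2 OR 1=1"; is_numeric() or a bare (int) cast would be far more lenient.
    $id = filter_var($input['id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        $errors[] = 'id must be a positive integer';
    }

    // (3) Length: the optional "reason" is stored in a char(10) column. strlen() counts
    //     bytes; use mb_strlen() when the column length is measured in characters.
    $reason = $input['reason'] ?? '';
    if (!is_string($reason)) {
        $errors[] = 'reason must be a string';
    } elseif (strlen($reason) > 10) {
        $errors[] = 'reason is longer than 10 bytes';
    }

    // (4) Dangerous characters: allow a known-good set instead of hunting for bad ones.
    if (is_string($reason) && !preg_match('/^[A-Za-z0-9 _-]*$/', $reason)) {
        $errors[] = 'reason contains disallowed characters';
    }

    return $errors;
}

/** Deletes one row by id. The id is bound as an integer, never interpolated into SQL. */
function deleteRecord(PDO $pdo, int $id): int
{
    $stmt = $pdo->prepare('DELETE FROM posts WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed demo data and requests.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO posts (id, title) VALUES (1, 'first'), (2, 'second')");

$requests = [
    ['id' => '2', 'reason' => 'spam'],                        // valid
    ['id' => '2 OR 1=1', 'reason' => 'spam'],                 // injection attempt: fails (2)
    ['id' => '1', 'reason' => "x'; DROP TABLE posts; --"],    // fails (3) and (4)
    ['reason' => 'spam'],                                     // fails (1)
];

foreach ($requests as $req) {
    $errors = validateDeleteRequest($req);
    if ($errors !== []) {
        echo 'rejected: ' . implode('; ', $errors) . "\n";
        continue;
    }
    echo 'deleted rows: ' . deleteRecord($pdo, (int) $req['id']) . "\n";
}
```

Only the first request reaches the database and deletes one row; the other three are rejected before any SQL is built, and even if a malformed id slipped through, the typed bind would make it a literal value rather than part of the query.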
Some people advocate writing the security checks after the feature is finished; others write the checks as they develop. I lean towards the latter. Having tried both, I found the validation written during development noticeably more robust. The main reason is that the security issues that come to mind while writing a piece of code are relatively complete, whereas adding checks afterwards has two problems: the PHPer is eager to hit the deadline, and some points really do get missed.
2.2 Points programmers tend to miss, and precautions:
(1) Data must be validated before it goes into the database. When I was involved in the development of a company's internal system in Guangzhou, I saw POST data passed straight to the class function classFunctionName(
