Common security issues and workarounds in PHP development

Source: Internet
Author: User
Tags: php, error
Common security issues in PHP development and their solutions (SQL injection, CSRF, XSS, CC, etc.)
This article introduces the common security problems met in PHP development and their solutions: the background of attack methods such as SQL injection, CSRF, XSS and CC, and how to defend against them. Readers who need this material can refer to the notes below.
On PHP security: preventing SQL injection, preventing XSS attacks, preventing hotlinking, preventing CSRF
Objective:
First of all, the author is not a web security expert, so this is not an expert-level article on web security but a set of carefully summarized study notes. They cover things that we PHPers do not easily find out about, or do not pay attention to, so I am writing them down for later reference. In large companies there are dedicated web security testers, and security is not within the PHPer's scope of responsibility. But a PHPer's attitude to security knowledge should be: "know that such things exist, and naturally pay attention to them while programming".
1. Some PHP security configuration
(1) Disable PHP's error display
Change display_errors in php.ini:

    display_errors = Off

Or add the following at the beginning of the PHP file:

    error_reporting(0);

1) Using error_reporting(0); example where it fails:
a.php code:

    <?php
    error_reporting(0);
    echo 555
    echo 444;
    ?>

Error (the beginning of the message is missing on this page):

    ','`';'' in E:\webphp\2.php on line 4

2) Using error_reporting(0); example where it succeeds:
a.php code:

    <?php
    error_reporting(0);
    include("b.php");
    ?>

b.php code:

    <?php
    echo 555
    echo 444;
    ?>

This is why many PHPers say that error_reporting(0) does not work. In the first example, a.php itself contains a fatal (parse) error, so it cannot be executed at all; since it never runs, the server does not know about the error_reporting(0) call, and the error is displayed as usual.
In the second example, a.php executes successfully and the server knows that error suppression has been requested, so the error in b.php is suppressed even though b.php is broken.
PS: This cannot suppress MySQL errors.
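The point of the section above is that display_errors = Off (or error_reporting(0)) only stops PHP from printing its own errors to the browser; it does nothing for errors returned by MySQL, which your code has to handle itself. The following is an added example, not code from the original article, showing the usual production setup in code: errors are logged but never displayed, and a MySQL failure is caught and turned into a generic message. The log path, table and connection parameters are placeholders.

```php
<?php
// Added example (not from the original article): keep errors out of the browser,
// keep a server-side log, and handle database errors explicitly, because
// error_reporting(0) silences PHP's own output only, never MySQL's failures.

// Runtime equivalent of display_errors = Off / log_errors = On in php.ini.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app.log'); // assumed path; must be writable by the web server user
error_reporting(E_ALL);                        // record everything in the log, just never show it

// Make mysqli throw exceptions instead of returning false, so a database error
// cannot be silently ignored (this is the default from PHP 8.1 on).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function fetchUserName(mysqli $db, int $id): ?string
{
    try {
        // Assumed table: users(id INT, name VARCHAR)
        $stmt = $db->prepare('SELECT name FROM users WHERE id = ?');
        $stmt->bind_param('i', $id);
        $stmt->execute();
        $stmt->bind_result($name);
        $found = $stmt->fetch();
        $stmt->close();
        return $found ? $name : null;
    } catch (mysqli_sql_exception $e) {
        // Detail goes to the log for the operator; the visitor never sees
        // table names, SQL text or the MySQL error string.
        error_log('DB error in fetchUserName: ' . $e->getMessage());
        return null;
    }
}

// Usage (connection parameters are placeholders):
$db = new mysqli('localhost', 'app_user', 'secret', 'app_db');
$name = fetchUserName($db, (int)($_GET['id'] ?? 0));
echo $name === null ? 'User not found.' : htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
```

The design choice here is that nothing about the failure reaches the response: a visitor sees "User not found." whether the row is missing or the query failed, while the full message is in the log where the operator needs it.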

(2) Turn off some "bad features"
1) Turn off the magic quotes feature

Set magic_quotes_gpc = Off in php.ini.
This avoids escaping data a second time with addslashes() and similar functions.
2) Turn off register_globals
Set register_globals = Off in php.ini.
With register_globals = On, given
Address bar: Http://www.jb51.net?bloger=benwin

    <?php
    // Because register_globals = On, this step is unnecessary: $bloger can be used directly.
    $bloger = $_GET['bloger'];
    echo $bloger;
    ?>

This situation lets uninitialized variables be modified easily from the request, which can be fatal. So set register_globals = Off.
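The following is an added example, not code from the original article, showing the two problems this section describes and the coding pattern that is safe regardless of the php.ini setting: initializing control variables and reading request data only from the superglobals (so register_globals cannot pre-set them), and normalizing input once instead of calling addslashes() on data that magic quotes already escaped. The user name, password and parameter names are constructed for the demo.

```php
<?php
// Added example, not code from the original article.

// 1) register_globals = On turns every request parameter into a PHP variable.
//    With ?authorized=1 in the URL, an uninitialized $authorized would already
//    be true when the check runs. Initializing the variable and reading request
//    data only from the superglobals closes that hole even if the setting is On.
function isAuthorized(array $post): bool
{
    $authorized = false;                      // always initialize control variables
    $user = $post['user'] ?? '';
    $pass = $post['pass'] ?? '';
    // Constructed hash for the demo user; a real application loads it from storage.
    $storedHash = password_hash('correct horse', PASSWORD_DEFAULT);
    if ($user === 'alice' && password_verify($pass, $storedHash)) {
        $authorized = true;
    }
    return $authorized;
}

// 2) magic_quotes_gpc = On (PHP < 5.4) backslash-escapes every quote in
//    GET/POST/COOKIE data, so addslashes() on top of it yields O\\\'Brien.
//    Undo the automatic escaping once, at the edge, then escape only for the
//    context the value is actually used in.
function rawInput(string $value): string
{
    // get_magic_quotes_gpc() always returns false from PHP 5.4 and was removed
    // in PHP 8; guard the call so the code runs on any version.
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Usage: $bloger comes from $_GET explicitly, is normalized once, and is
// escaped for HTML output. Database queries should use prepared statements
// rather than addslashes().
$bloger = rawInput($_GET['bloger'] ?? '');
echo htmlspecialchars($bloger, ENT_QUOTES, 'UTF-8');

if (isAuthorized($_POST)) {
    echo 'Welcome back.';
}
```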
(3) Configure file permissions strictly.
Assign appropriate permissions to each folder: for example, a folder that holds uploaded images must not have execute permission, only read.
2. Strict data validation: your users are not all "good" people.
I remember discussing data validation with a friend; he said: you can't assume all your users are that bad! But I want to say that this attitude should not appear in our development work: what we must do is strictly verify and control the flow of data. Even if only one user in a hundred million is malicious, that is enough to bring the site down; and a good user can also inadvertently type Chinese into an input box and thereby inadvertently become "bad".
2.1 To ensure the security and robustness of the program, data validation should include:
(1) Whether critical data exists. For example, whether the ID of the record to delete is present.
(2) Whether the data type is correct. For example, whether the ID of the record to delete is an integer.
(3) Data length. For example, if the field is of type char(10), use strlen to check the length of the data.
(4) Whether the data contains dangerous characters.
Some people advocate finishing the functionality first and then slowly writing the security validation afterwards; others write the validation as they develop. The author favors the latter. I have tried both and found that validation written alongside development is more robust, mainly because the security concerns are covered more completely while the code is new. When validation is added after the functionality, two problems appear: a PHPer eager to meet the deadline finishes it hastily, and some points are genuinely missed.
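The following is an added example, not code from the original article, that applies the four checks of section 2.1 to a "delete record" request: existence, integer type, length against a char(10) column, and a dangerous-character check done as a whitelist. The table and column names (records.id INT, records.code CHAR(10)) and the sample inputs are constructed for the demo.

```php
<?php
// Added example, not from the original article: the four validation checks
// from section 2.1 applied to a delete request.

final class ValidationError extends RuntimeException {}

/**
 * Validate raw request data for a delete operation and return clean values.
 * Throws ValidationError with a message that is safe to show the user.
 */
function validateDeleteRequest(array $input): array
{
    // (1) Critical data must exist.
    if (!isset($input['id']) || $input['id'] === '') {
        throw new ValidationError('Missing record id.');
    }
    // (2) Type: the id must be an integer. filter_var rejects "12abc" and "1e3",
    //     which a bare (int) cast would silently turn into 12 and 1.
    $id = filter_var($input['id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new ValidationError('Record id must be a positive integer.');
    }
    // (3) Length: the column is CHAR(10), so check the byte length with strlen()
    //     (mb_strlen counts characters, which is not what the column limits).
    $code = (string)($input['code'] ?? '');
    if ($code === '' || strlen($code) > 10) {
        throw new ValidationError('Code must be 1 to 10 bytes long.');
    }
    // (4) Dangerous characters: allow only what the field legitimately holds.
    //     A whitelist is more reliable than enumerating bad characters.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $code)) {
        throw new ValidationError('Code contains invalid characters.');
    }
    return ['id' => $id, 'code' => $code];
}

function deleteRecord(mysqli $db, array $input): int
{
    $clean = validateDeleteRequest($input);
    // Even validated values go through a prepared statement, so the data can
    // never change the structure of the query.
    $stmt = $db->prepare('DELETE FROM records WHERE id = ? AND code = ?');
    $stmt->bind_param('is', $clean['id'], $clean['code']);
    $stmt->execute();
    return $stmt->affected_rows;
}

// Usage with constructed inputs; no database is needed to watch the checks fire.
$samples = [
    ['id' => '42',    'code' => 'ABC-001'],   // passes all four checks
    ['id' => '42abc', 'code' => 'ABC-001'],   // fails (2): not an integer
    ['id' => '7',     'code' => 'ABCDEFGHIJK'], // fails (3): 11 bytes for CHAR(10)
    ['id' => '7',     'code' => "a'b"],       // fails (4): quote is not whitelisted
];
foreach ($samples as $sample) {
    try {
        print_r(validateDeleteRequest($sample));
    } catch (ValidationError $e) {
        echo 'Rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Note the order: existence, then type, then length, then content. Each check assumes the earlier ones passed, which keeps every test simple and keeps the error messages specific.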
2.2 Points programmers easily miss, or that need attention:
(1) Data going into the database must be security-validated. While taking part in the development of a company's internal system in Guangzhou, the author saw POST data passed directly to class functions

The above describes the common security problems in PHP development and their solutions. I hope it is helpful to friends interested in PHP tutorials.
