A few practical points for creating a high-security PHP site, security php Practical Essentials _php Tutorial

A few practical points to create a high-security PHP site, security php practical points

As you know, PHP is now the most popular Web application programming language. But as with other scripting languages, PHP also has several very dangerous security vulnerabilities. So in this tutorial, we'll take a look at a few practical tips to help you avoid some common PHP security issues.

Tip 1: Use the appropriate error report

Generally in the development process, many programmers always forget to make the program error report, this is a huge error, because the appropriate error report is not only the best debugging tools, but also an excellent security vulnerability detection Tool, which allows you to put the application really online before you can find out the problems you will encounter.

There are, of course, many ways to enable error reporting. For example, in the php.in configuration file you can set the runtime to enable

　　Start Error Reporting

Error_reporting (E_all);

　　Disable Error Reporting

error_reporting (0);

Tip 2: Do not use PHP's weak property

There are several properties of PHP that need to be set to off. They are generally present in PHP4 and are not recommended for use in PHP5. In particular, these attributes were removed in the final PHP6.

　　Registering Global variables

When Register_globals is set to ON, it is equivalent to setting Environment,get,post,cookie or the server variable is defined as a global variable. At this point you do not have to write $_post[' username ' to get the form variable ' username ', only need ' $username ' to get this variable.

Then you must be thinking that since setting register_globals for on has such handy benefits, why not use it? Because if you do this there will be a lot of security issues and may also conflict with local variable names.

For example, look at the following code first:

if (!empty ($_post[' username ')) && $_post[' username '] = = ' test123′&&!empty ($_post[' password ']) && Amp $_post[' password '] = = "Pass123″) {$access = true;}

If Register_globals is set to on during the run, then the user simply needs to transfer access=1 in a single query string to get anything that the PHP script is running.

　　To deactivate a global variable in. htaccess

Php_flag register_globals 0

　　To deactivate a global variable in php.ini

Register_globals = Off

　　Disable similar MAGIC_QUOTES_GPC, Magic_quotes_runtime, magic_quotes_sybase these magic quotes

Set in the. htaccess file

Php_flag MAGIC_QUOTES_GPC 0php_flag magic_quotes_runtime 0

Set in php.ini

MAGIC_QUOTES_GPC = Offmagic_quotes_runtime = Offmagic_quotes_sybase = Off

Tip 3: Verify user input

You can of course verify the user's input, first you must know what type of data you expect the user to enter. This will be able to protect users from malicious attacks on the browser side of your preparation.

Tip 4: Avoid cross-site scripting attacks by users

In a Web application, it is simple to accept the user input form and then feedback the result. When accepting user input, it is very dangerous to allow HTML format input, because it allows JavaScript to be executed in an unpredictable way. Even if there is one such loophole, cookie data can be stolen and the user's account will be stolen.

Tip 5: Preventing SQL injection attacks

PHP basically does not provide any tools to protect your database, so when you connect to the database, you can use the following mysqli_real_escape_string function.

$username = mysqli_real_escape_string ($GET [' username ']), mysql_query ("select * from tbl_employee WHERE username = '". $US Ername. "'");

Well, in this short article, we describe several PHP security issues that cannot be overlooked in the development process. But ultimately whether to use, how to use or developers to decide. I hope this article will help you.

http://www.bkjia.com/PHPjc/920431.html www.bkjia.com true http://www.bkjia.com/PHPjc/920431.html techarticle several practical points of creating a high-security PHP website, security php Practical points everyone knows that PHP is already the most popular Web application programming language. But it's the same with other scripting languages ...

