A few practical points for making a high-security PHP site, security php Practical Essentials _php Tutorial

A few practical points for making a high-security PHP website, security php practical points

As you know, PHP is now the most popular Web application programming language. But as with other scripting languages, PHP also has several very dangerous security vulnerabilities. So in this tutorial, we'll take a look at a few practical tips to help you avoid some common PHP security issues.

Tip 1: Use the appropriate error report

Generally in the development process, many programmers always forget to make the program error report, this is a huge error, because the appropriate error report is not only the best debugging tools, but also an excellent security vulnerability detection Tool, which allows you to put the application really online before you can find out the problems you will encounter.
There are, of course, many ways to enable error reporting. For example, in the php.in configuration file you can set the runtime to enable

Start Error Reporting
Error_reporting (E_all);

Disable Error Reporting
error_reporting (0);

Tip 2: Do not use PHP's weak property

There are several properties of PHP that need to be set to off. They are generally present in PHP4 and are not recommended for use in PHP5. In particular, these attributes were removed in the final PHP6.

Registering Global variables
When Register_globals is set to ON, it is equivalent to setting Environment,get,post,cookie or the server variable is defined as a global variable. At this point you do not have to write $_post[' username ' to get the form variable ' username ', only need ' $username ' to get this variable.
Then you must be thinking that since setting register_globals for on has such handy benefits, why not use it? Because if you do this there will be a lot of security issues and may also conflict with local variable names.
For example, look at the following code first:

Copy the Code code as follows:
if (!empty ($_post[' username ')) && $_post[' username '] = = ' test123′&&!empty ($_post[' password ']) && Amp $_post[' password '] = = "Pass123″)
{
$access = true;
}

If Register_globals is set to on during the run, then the user simply needs to transfer access=1 in a single query string to get anything that the PHP script is running.
To deactivate a global variable in. htaccess

Copy the Code code as follows:
Php_flag register_globals 0

To deactivate a global variable in php.ini

Copy the Code code as follows:
Register_globals = Off

Disable similar MAGIC_QUOTES_GPC, Magic_quotes_runtime, magic_quotes_sybase these magic quotes
Set in the. htaccess file

Copy the Code code as follows:
Php_flag MAGIC_QUOTES_GPC 0
Php_flag Magic_quotes_runtime 0

Set in php.ini

Copy the Code code as follows:
MAGIC_QUOTES_GPC = Off
Magic_quotes_runtime = Off
Magic_quotes_sybase = Off

Tip 3: Verify user input

You can of course verify the user's input, first you must know what type of data you expect the user to enter. This will be able to protect users from malicious attacks on the browser side of your preparation.

Tip 4: Avoid cross-site scripting attacks by users

In a Web application, it is simple to accept the user input form and then feedback the result. When accepting user input, it is very dangerous to allow HTML format input, because it allows JavaScript to be executed in an unpredictable way. Even if there is one such loophole, cookie data can be stolen and the user's account will be stolen.

Tip 5: Preventing SQL injection attacks

PHP basically does not provide any tools to protect your database, so when you connect to the database, you can use the following mysqli_real_escape_string function.

Copy the Code code as follows:
$username = mysqli_real_escape_string ($GET [' username ']);
mysql_query ("select * from tbl_employee WHERE username = '". $username. "");

Well, in this short article, we describe several PHP security issues that cannot be overlooked in the development process. But ultimately whether to use, how to use or developers to decide. I hope this article will help you.

http://www.bkjia.com/PHPjc/935492.html www.bkjia.com true http://www.bkjia.com/PHPjc/935492.html techarticle A few practical points for making a high-security PHP website, security php Practical points everyone knows that PHP is now the most popular Web application programming language. But also with other scripting languages a ...

