Insurance protection knowledge in PHP development

PHP code security, XSS, and SQL injection are very useful for the security of various websites, especially UGC (UserGeneratedContent) websites, forums, and e-commerce websites, it is often the hardest hit area of XSS and SQL injection. This section briefly introduces some basic programming points. compared with system security, php Security defense requires programmers to provide users with security protection knowledge in PHP development.
PHP code security and XSS, SQL injection, and so on are very useful for the security of various types of websites, especially UGC (User Generated Content) websites, forums, and e-commerce websites, it is often the hardest hit area of XSS and SQL injection. This section briefly introduces some basic programming points. compared with system security, php Security defense requires programmers to be more careful with the various parameters entered by users.

Php compilation security

We recommend that you install the Suhosin patch. you must install the security patch.

Php. ini security settings

Register_global = off

Magic_quotes_gpc = off

Display_error = off

Log_error = on

# Allow_url_fopen = off

Expose_php = off

Open_basedir =

Safe_mode = on

Disable_function = exec, system, passthru, shell_exec, escapeshellarg, escapeshellcmd, proc_close, proc_open, dl, popen, show_source, get_cmd_var

Safe_mode_include_dir =

Db SQL preprocessing

Mysql_real_escape_string (many PHPer still rely on addslashes to prevent SQL injection, but this method still has problems with Chinese encoding. The problem with addslashes is that hackers can use 0xbf27 to replace single quotes. in GBK encoding, 0xbf27 is not a valid character. Therefore, addslashes only converts 0xbf5c27 into a valid multi-byte character, 0xbf5c is still regarded as a single quotation mark. for details, see this article ). You must specify the correct character set when using the mysql_real_escape_string function. otherwise, problems may still occur.

Prepare + execute (PDO)

ZendFramework can use quote or quoteInto of the DB Class. These two methods do not need to be implemented based on various databases. they are not used like mysql_real_escape_string but only for mysql.

User input processing

If you do not need to retain HTML tags, use the following method:

Strip_tags: delete all html tags in string

Htmlspecialchars, escape only the characters "<", "> ", ";", "'"

Htmlentities, escape all html

When HTML tags must be retained, consider the following tools:

HTML Purifier: HTML Purifier is a standards-compliant HTML filter library written in PHP.

Php html Sanitizer: Remove unsafe tags and attributes from HTML code

HtmLawed: PHP code to purify & filter HTML

Upload files

Use the is_uploaded_file and move_uploaded_file functions and use the HTTP_POST_FILES [] array. The PHP interpretation function of the upload directory is removed to prevent users from uploading php scripts.

You can use the File_upload module in the ZF framework.

Secure Session, Cookie, and Form processing

Do not rely on cookies for core verification. important information must be encrypted. hash the transmitted data before Form Post. for example, the form elements you send are as follows:

 



Verify the parameters after The POST is returned.

$ Str = "";

Foreach ($ _ POST ['H'] as $ key => $ value ){

$ Str. = $ key. $ value;

}

If ($ _ POST ['hash']! = Md5 ($ str. $ secret )){

Echo "Hidden form data modified"; exit;

}

PHP security detection tools (XSS and SQL Insertion)

Wapiti-Web application security auditor (Wapiti-small site vulnerability detection tool) (SQL injection/XSS attack detection tool)

Installing/Usage:

Apt-get install libtidy-0.99-0 python-ctypes python-utidylib

Python wapiti. py http: // Your Website URL/-m GET_XSS

Pixy: XSS and SQLI vulnerability for PHP (Pixy-PHP source code defect analysis tool)

Installing: apt-get install default-jdk