PHP code security, XSS, and SQL injection are very useful for the security of various websites, especially UGC (UserGeneratedContent) websites, forums, and e-commerce websites, it is often the hardest hit area of XSS and SQL injection. This section briefly introduces some basic programming points. compared with system security, php Security defense requires programmers to provide users with security protection knowledge in PHP development.
PHP code security and XSS, SQL injection, and so on are very useful for the security of various types of websites, especially UGC (User Generated Content) websites, forums, and e-commerce websites, it is often the hardest hit area of XSS and SQL injection. This section briefly introduces some basic programming points. compared with system security, php Security defense requires programmers to be more careful with the various parameters entered by users.
Php compilation security
We recommend that you install the Suhosin patch. you must install the security patch.
Mysql_real_escape_string (many PHPer still rely on addslashes to prevent SQL injection, but this method still has problems with Chinese encoding. The problem with addslashes is that hackers can use 0xbf27 to replace single quotes. in GBK encoding, 0xbf27 is not a valid character. Therefore, addslashes only converts 0xbf5c27 into a valid multi-byte character, 0xbf5c is still regarded as a single quotation mark. for details, see this article ). You must specify the correct character set when using the mysql_real_escape_string function. otherwise, problems may still occur.
Prepare + execute (PDO)
ZendFramework can use quote or quoteInto of the DB Class. These two methods do not need to be implemented based on various databases. they are not used like mysql_real_escape_string but only for mysql.
User input processing
If you do not need to retain HTML tags, use the following method:
Strip_tags: delete all html tags in string
Htmlspecialchars, escape only the characters "<", "> ", ";", "'"
Htmlentities, escape all html
When HTML tags must be retained, consider the following tools:
HTML Purifier: HTML Purifier is a standards-compliant HTML filter library written in PHP.
Php html Sanitizer: Remove unsafe tags and attributes from HTML code
HtmLawed: PHP code to purify & filter HTML
Upload files
Use the is_uploaded_file and move_uploaded_file functions and use the HTTP_POST_FILES [] array. The PHP interpretation function of the upload directory is removed to prevent users from uploading php scripts.
You can use the File_upload module in the ZF framework.
Secure Session, Cookie, and Form processing
Do not rely on cookies for core verification. important information must be encrypted. hash the transmitted data before Form Post. for example, the form elements you send are as follows:
Verify the parameters after The POST is returned.
$ Str = "";
Foreach ($ _ POST ['H'] as $ key => $ value ){
$ Str. = $ key. $ value;
}
If ($ _ POST ['hash']! = Md5 ($ str. $ secret )){
Echo "Hidden form data modified"; exit;
}
PHP security detection tools (XSS and SQL Insertion)
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.