Security Summary of PHP project code

1: Basic Type,
Include $module. '. PHP '; $module If you get it directly, then this is a very destructive bug, Linux makes you miserable, Windows let you dump production, such security will be directly discovered by people, and effectively blocked. If you fail to do this, would you qualify as a programmer?

2: Quality of safety.
Many people will say, external variables should be addslashes once, we first regardless of the addslashes function is efficient and safe, many people actually forget to use addslashes before, also pay attention to security. Index.php?aa[]=222&, this is the URL, addslashes ($AA); The system will complain. This shows that when we use a function, we should know the different types of data and what kind of situation it will produce. Previous articles have said that the function registers the pass parameter >0 numeral type, the user passes in the letter, how to do. Many people think that is the error of the function, in my opinion, is the user's error, although it is a custom function, but you do not deceive the purpose of the parameters, puzzled by the original, this attitude has been very unsafe.

3: Pressure safety.
Now you occasionally watch 163 of the news, you will find that the browser will suddenly collapse, suspended animation, and even the browser is "closed." This reason is likely to be a Web page program code problems, but also may be the front-end JS problem, especially JS, because the JS features more flexible, in the use of circulation, assignment, not easy to check the wrong, the more prominent point is the value and error reprocessing. such as getElementById (' mydiv '); At this time, have you ever wondered if mydiv exists? Have you been modified two times? There is also a picture, many people in the picture can not load, all use OnError to display the default picture again, you have thought, if the default picture can not show it? Is it going into an infinite loop?

  4:php performance security.
    No one can say that there has never been an infinite loop that has caused Apache to crash, and that the best people have the same experience. What kind of pressure does the loop have? See a piece of code:
     foreach ($array as $val) {
     $payarr = include (' pay.inc.php ');
   & nbsp if ($payarr [0] >= 360 * 1.25 + 568) {
  $err [] = $payarr [0];
    }
  &nbs P
    This code works correctly, regardless of whether or not you include success or not, it can run successfully anyway. Of course, it is meaningless. To really implement functional requirements, this code has to be added several lines, all of which are judged. Before you introduce a file, should you first is_file to confirm that the file exists? Since it is in the loop, should you use include_once? The condition value is the numeric operation, whether writes a direct value to be better?  before the judgment, whether should determine the $payarr array value existence or not?

5: Write a program or write a judgment.
The above performance security said that the lack of a lot of judgments, that PHP is not a document to show whether the impact of unnecessary judgments on performance. See Code.
if (Is_resource ($a) = = False | | Is_array ($a) = = False | | Is_bool ($a) = = False)
echo $a;
What if we judge each time we use a variable? Is it more secure? The code is correct, echo only prints the string type, and the previous judgment is logical. This may be more like strict security, but if PHP can omit this performance pressure, this is not necessarily a good thing to write. At the very least, the requirements are achieved and security is increased. Of course, we will also be thinking, this writing, I am writing a program or writing judgment?

6: Shielding error.
Many people in the study of PHP, the teacher on the security said a word, let him deeply remember, shielding error messages. Personally, there should be a prerequisite for shielding errors. The mask is displayed, but the record cannot be blocked. One day, a page blank, let the programmer check the error, he told me that the error was blocked. Do you think that's reasonable? I let you shield the wrong, but did not let you also shield yourself, even you do not know where the error, ordinary users can know? So, when you use the php.ini mask, or at the @ sign, remember that you have to know where the error happened.

7: interface security.
I believe we all have to do interface security, whether you have wood, anyway, I have. The usual practice is to request a URL, and then PHP prints the value to the client, so that the client can do judgment processing, or display processing. In fact, it's easy for a typical PHP worker to get a URL through Firebug to know what parameters you get and what value to return, which is potentially dangerous, such as commodity reviews and commodity prices. To do this, I suggest that the interface do a layer of token, first take token and then pass the parameters. Tokey's work is very meaningful, can calculate the user is normal, IP, request time. You will be able to determine the next request for an interface. The token value is encrypted, the user is unable to use or retain, you may ask, token on a string of characters, it can always keep the request interface ah. My God. Please use the time of request.

8: Show security.
In fact, I do not fully understand the problem of showing security. For example, you need to record the user's signature, support HTML code. That submitted, before warehousing MySQL, data is addslashes, or htmlspecialchars? If it is addslashes, the front desk display, it is possible to be an XSS injection. If Htmlspecialchars, how to show the HTML code when the foreground is displayed? At the same time, can prevent XSS? A website so many variables, do you have a one to think about this problem? How to prevent attack?

9: The safety of the egg pain.
Whether you believe it or not, I believe Sohpex will have egg aches, Zend The encrypted code appears to be unusable after php5.3 version. You do this security is too unreliable, the original is the public relations security, unexpectedly handed over to the programmer to achieve. Business model does not take this kind of play