PHP security programming suggestions
To provide Internet services, you must always be aware of security when developing code. Most PHP scripts pay little attention to security, largely because so many inexperienced programmers use the language. However, that is no reason for you to apply inconsistent security policies just because you are unsure about your own code. When you put anything on a server that involves money, someone will try to break it. Creating a forum or any form of shopping cart greatly increases the likelihood of being attacked.
Background: to keep your web content secure, follow some general security rules:
Do not trust forms. Attacking a form is simple. Using a simple JavaScript technique, you can restrict a rating field on your form so that it only accepts the numbers 1 to 5. If someone disables JavaScript in their browser or submits custom form data, your client-side validation fails.
Users interact with your scripts through form parameters, so those parameters are the biggest security risk. What should you learn? You must always verify the data passed to any PHP script. In this article, we show you how to analyze and prevent cross-site scripting (XSS) attacks, which can hijack user credentials (or worse). You will also see how to prevent MySQL injection attacks that can tarnish or destroy your data.
Do not trust users. Assume that every piece of data your website receives contains harmful code. Sanitize every part of it, even if you believe no one will ever try to attack your site.
Disable global variables. The biggest security vulnerability you can have is the register_globals configuration parameter being enabled. Fortunately, this setting is disabled by default in PHP 4.2 and later. If register_globals is enabled in your php.ini file, you can disable it by changing the register_globals setting to Off:
register_globals = Off
Novice programmers find register_globals convenient, but they do not realize how dangerous the setting is. A server with register_globals enabled automatically assigns every form parameter to a global variable. Let's look at an example to see how it works and why it is dangerous.
Suppose you have a script called process.php that inserts form data into your database. The initial form is as follows:
<input name="username" type="text" size="15" maxlength="64">
When process.php runs, PHP with register_globals enabled assigns this parameter to the $username variable. This saves a few keystrokes compared with accessing it through $_POST['username'] or $_GET['username']. Unfortunately, it also leaves you with a security problem, because PHP sets the variable to whatever value is sent to the script through GET or POST parameters. If you do not explicitly initialize a variable and you do not want anyone to manipulate it, you have a big problem.
Check the following script. If the value of the $authorized variable is true, it displays the protected data to the user. Under normal circumstances, $authorized is set to true only when the user passes the check of the hypothetical authenticated_user() function. However, if register_globals is enabled, anyone can send a GET parameter such as authorized=1 to overwrite it:
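The script the text refers to is not reproduced on this page. The following added example (not the article's own code) illustrates the same pattern: an uninitialized $authorized flag that request data can overwrite, beside a hardened version, together with server-side checks for the rating and username fields discussed in the form-trust section. Because register_globals was removed in PHP 5.4, the vulnerable function emulates it with extract(), which copies request keys into local variables the same way register_globals did; authenticated_user() is a hypothetical stand-in for the article's function, and the request array is constructed.

```php
<?php
// Added example, not the article's script. Contrasts the register_globals hazard
// with a hardened handler and shows server-side validation of form fields.
declare(strict_types=1);

// Hypothetical stand-in for the article's authenticated_user(): a real
// application would check a session or credentials here.
function authenticated_user(): bool
{
    return false;
}

// Vulnerable pattern: $authorized is never initialised, and extract() behaves
// like register_globals = On, so a request key "authorized" defines it.
function vulnerable_view(array $request): string
{
    extract($request);                 // emulates register_globals = On
    if (authenticated_user()) {
        $authorized = true;
    }
    return !empty($authorized) ? 'SECRET DATA' : 'access denied';
}

// Hardened pattern: initialise the flag before use and never derive it from
// request data. $request is deliberately not consulted for the flag.
function hardened_view(array $request): string
{
    $authorized = false;               // explicit default; request cannot override it
    if (authenticated_user()) {
        $authorized = true;
    }
    return $authorized ? 'SECRET DATA' : 'access denied';
}

// Server-side check for the rating field: the client-side JavaScript limit of
// 1..5 cannot be relied on, so the range is enforced again here.
function validate_rating(array $request): ?int
{
    if (!isset($request['rating']) || !is_string($request['rating'])) {
        return null;
    }
    $rating = filter_var($request['rating'], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 5]]);
    return $rating === false ? null : $rating;
}

// Server-side check for the username field from the example form: only
// letters, digits and underscores, at most the form's maxlength of 64.
function validate_username(array $request): ?string
{
    $name = $request['username'] ?? null;
    if (!is_string($name) || !preg_match('/^[A-Za-z0-9_]{1,64}$/', $name)) {
        return null;
    }
    return $name;
}

// Constructed request, equivalent to process.php?authorized=1&rating=9&username=bob
$request = ['authorized' => '1', 'rating' => '9', 'username' => 'bob'];

echo "vulnerable: ", vulnerable_view($request), PHP_EOL;
echo "hardened:   ", hardened_view($request), PHP_EOL;
var_dump(validate_rating($request));
var_dump(validate_username($request));
```

With the constructed request, vulnerable_view() returns the protected data because extract() defines $authorized from the query string even though authenticated_user() fails, whereas hardened_view() denies access; validate_rating() rejects 9 because it lies outside 1..5, and validate_username() accepts "bob". The two design points are the ones the article makes: initialise every variable you rely on, and read form data only through $_GET or $_POST and validate it on the server.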