1. Prevent the script from being executed directly
if(!defined('IN_DISCUZ')) { exit('Access Denied'); }
2. Remember to filter input
For example, IDs such as uid must be cast with intval to prevent injection.
Text content must be escaped with htmlspecialchars so that it cannot break or inject page markup (Discuz provides dhtmlspecialchars for this).
3. Values in query conditions must always be written between single quotes (' and ').
This prevents someone from injecting extra SQL through the query condition.
4. Every variable written into MySQL must be escaped with addslashes
Discuz provides daddslashes, and it already applies this filter to $_POST and $_GET, so those do not need to be filtered again; but remember to still add the quotes (').
This prevents a variable from breaking out of its field and defeating point 3.
When a field is only inserted under some condition, do not build it from the submitted value directly; decide in the script whether the selected field is added. For example:
if($click) { $front = 'a, b, c'; $back = "'$a', '$b', '$c'"; } else { $front = $back = ''; }
Then $front and $back can be appended to the statement directly.
SELECT queries are handled in the same way.
Remember to set $front and $back to '' in the else branch, so that they cannot be supplied by someone else.
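The following is an added example, not code from the original post or from Discuz itself: it builds an INSERT statement applying points 2, 3 and 4 together with the $front/$back pattern. The table and column names are invented, and daddslashes()/dhtmlspecialchars() fall back to the PHP built-ins when the Discuz functions are not loaded.

```php
<?php
// Added example (not from the original post or Discuz). The Discuz helpers
// named on the page are used when present; otherwise plain PHP equivalents
// are defined so the script runs on its own.
if (!function_exists('daddslashes')) {
    function daddslashes($s) {
        return is_array($s) ? array_map('daddslashes', $s) : addslashes($s);
    }
}
if (!function_exists('dhtmlspecialchars')) {
    function dhtmlspecialchars($s) {
        return is_array($s) ? array_map('dhtmlspecialchars', $s)
                            : htmlspecialchars($s, ENT_QUOTES);
    }
}

// Builds the INSERT for a hypothetical "plugin_note" table (assumed name).
function build_insert_sql(array $input) {
    // Point 2: numeric IDs are cast with intval, text is HTML-escaped.
    $uid     = intval($input['uid']);
    $message = dhtmlspecialchars($input['message']);
    // Point 4: everything written to MySQL is escaped with (d)addslashes.
    $message = daddslashes($message);

    // Optional column: the script decides whether it is added; the request
    // never supplies the column list, and $front/$back are reset to '' otherwise.
    if (!empty($input['click'])) {
        $a     = daddslashes($input['a']);
        $front = ', a';            // comma included so the empty case stays valid
        $back  = ", '$a'";
    } else {
        $front = $back = '';
    }
    // Point 3: every value sits between single quotes.
    return "INSERT INTO plugin_note (uid, message$front) VALUES ('$uid', '$message'$back)";
}

// Constructed demo input: the SQL fragment in "uid" collapses to an integer,
// and the quotes in "message" and "a" are escaped so they cannot end the field.
$demo = array(
    'uid'     => "1 OR 1=1",
    'message' => "it's <b>bold</b>",
    'click'   => 1,
    'a'       => "x'y",
);
echo build_insert_sql($demo), "\n";
```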
5. Use submitcheck() when handling submitted content
This prevents the action from being triggered by someone else, for example through an [img] BBCode tag.
6. Make sure every variable is defined, so that it cannot be supplied by someone else.
Discuz keeps changing: many new variables have been introduced and many old ones dropped. When porting a plugin, first check whether Discuz has changed or removed the variables you relied on.
For example, the wishing pool vulnerability was exploited because $discuz_root was not defined.
7. Use extract, eval and similar functions with caution.
Otherwise they can be used to overwrite existing variables and break in.
8. Remember to filter data when writing it to a stored file.
If the stored file has a .php or other executable extension, remember to put this at the top:
<?php exit('Access Denied'); ?>
9. Remember to restrict the file types a plugin can upload as attachments
To stop someone uploading an executable file, check the file's extension against the list of allowed extensions. Such files are best not accepted at all; if they must be stored, rename the file.
The following content: