as you know, PHP is now the most popular Web application programming language. But as with other scripting languages, PHP also has several very dangerous security vulnerabilities. So in this tutorial, we'll take a look at a few practical tips to help you avoid some common PHP security issues.
Tip 1: Use the appropriate error report
Generally in the development process, many programmers always forget to make the program error report, this is a huge error, because the appropriate error report is not only the best debugging tools, but also an excellent security vulnerability detection Tool, which allows you to put the application really online before you can find out the problems you will encounter.
There are, of course, many ways to enable error reporting. For example, in the php.in configuration file you can set the runtime to enable
Start Error Reporting
Error_reporting (E_all);
Disable Error Reporting
error_reporting (0);
Tip 2: Do not use PHP's weak property
There are several properties of PHP that need to be set to off. They are generally present in PHP4 and are not recommended for use in PHP5. In particular, these attributes were removed in the final PHP6.
Registering Global variables
When Register_globals is set to ON, it is equivalent to setting Environment,get,post,cookie or the server variable is defined as a global variable. At this point you do not have to write $_post[' username ' to get the form variable ' username ', only need ' $username ' to get this variable.
Then you must be thinking that since setting register_globals for on has such handy benefits, why not use it? Because if you do this there will be a lot of security issues and may also conflict with local variable names.
For example, look at the following code first:
if (!empty ($_post[' username ')) && $_post[' username '] = = ' test123′&&!empty ($_post[' password ']) && Amp $_post[' password '] = = "Pass123″) {$access = true;}
If Register_globals is set to on during the run, then the user simply needs to transfer access=1 in a single query string to get anything that the PHP script is running.
To deactivate a global variable in. htaccess
Php_flag register_globals 0
To deactivate a global variable in php.ini
Register_globals = Off
Disable similar MAGIC_QUOTES_GPC, Magic_quotes_runtime, magic_quotes_sybase these magic quotes
Set in the. htaccess file
Php_flag MAGIC_QUOTES_GPC 0php_flag magic_quotes_runtime 0
Set in php.ini
MAGIC_QUOTES_GPC = Offmagic_quotes_runtime = Offmagic_quotes_sybase = Off
Tip 3: Verify user input
You can of course verify the user's input, first you must know what type of data you expect the user to enter. This will be able to protect users from malicious attacks on the browser side of your preparation.
Tip 4: Avoid cross-site scripting attacks by users
In a Web application, it is simple to accept the user input form and then feedback the result. When accepting user input, it is very dangerous to allow HTML format input, because it allows JavaScript to be executed in an unpredictable way. Even if there is one such loophole, cookie data can be stolen and the user's account will be stolen.
Tip 5: Preventing SQL injection attacks
PHP basically does not provide any tools to protect your database, so when you connect to the database, you can use the following mysqli_real_escape_string function.
$username = mysqli_real_escape_string ($GET [' username ']), mysql_query ("select * from tbl_employee WHERE username = '". $US Ername. "'");