How to make a high-security PHP website, to create a website to pay attention to the security issues summary

Source: Internet
Author: User
Tags php website
as you know, PHP is now the most popular Web application programming language. But as with other scripting languages, PHP also has several very dangerous security vulnerabilities. So in this tutorial, we'll take a look at a few practical tips to help you avoid some common PHP security issues.

Tip 1: Use the appropriate error report

Generally in the development process, many programmers always forget to make the program error report, this is a huge error, because the appropriate error report is not only the best debugging tools, but also an excellent security vulnerability detection Tool, which allows you to put the application really online before you can find out the problems you will encounter.
There are, of course, many ways to enable error reporting. For example, in the php.in configuration file you can set the runtime to enable

Start Error Reporting
Error_reporting (E_all);

Disable Error Reporting
error_reporting (0);

Tip 2: Do not use PHP's weak property

There are several properties of PHP that need to be set to off. They are generally present in PHP4 and are not recommended for use in PHP5. In particular, these attributes were removed in the final PHP6.

Registering Global variables
When Register_globals is set to ON, it is equivalent to setting Environment,get,post,cookie or the server variable is defined as a global variable. At this point you do not have to write $_post[' username ' to get the form variable ' username ', only need ' $username ' to get this variable.
Then you must be thinking that since setting register_globals for on has such handy benefits, why not use it? Because if you do this there will be a lot of security issues and may also conflict with local variable names.
For example, look at the following code first:

if (!empty ($_post[' username ')) && $_post[' username '] = = ' test123′&&!empty ($_post[' password ']) && Amp $_post[' password '] = = "Pass123″) {$access = true;}

If Register_globals is set to on during the run, then the user simply needs to transfer access=1 in a single query string to get anything that the PHP script is running.
To deactivate a global variable in. htaccess

Php_flag register_globals 0

To deactivate a global variable in php.ini

Register_globals = Off

Disable similar MAGIC_QUOTES_GPC, Magic_quotes_runtime, magic_quotes_sybase these magic quotes
Set in the. htaccess file

Php_flag MAGIC_QUOTES_GPC 0php_flag magic_quotes_runtime 0

Set in php.ini

MAGIC_QUOTES_GPC = Offmagic_quotes_runtime = Offmagic_quotes_sybase = Off

Tip 3: Verify user input

You can of course verify the user's input, first you must know what type of data you expect the user to enter. This will be able to protect users from malicious attacks on the browser side of your preparation.

Tip 4: Avoid cross-site scripting attacks by users

In a Web application, it is simple to accept the user input form and then feedback the result. When accepting user input, it is very dangerous to allow HTML format input, because it allows JavaScript to be executed in an unpredictable way. Even if there is one such loophole, cookie data can be stolen and the user's account will be stolen.

Tip 5: Preventing SQL injection attacks

PHP basically does not provide any tools to protect your database, so when you connect to the database, you can use the following mysqli_real_escape_string function.

$username = mysqli_real_escape_string ($GET [' username ']), mysql_query ("select * from tbl_employee WHERE username = '". $US Ername. "'");

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.