Introduction: This is a detailed page on how to write secure PHP code. It introduces PHP, related knowledge, skills, experience, and some PHP source code.
PHP is an easy-to-learn language. Many people learn it without any programming background, as a way to add some interactive elements to their websites. Unfortunately, this often means that PHP programmers, especially newer web developers, are not aware of the potential security risks on their websites. Here are some common security issues and how to avoid them.
Never trust your users
It cannot be said often enough: you should never, ever trust your users to send you the data you expect. I have heard many people respond with something like "oh, no malicious people will be interested in my website". This is wrong. There is always a malicious user who can exploit a security vulnerability, and a problem can just as easily be exposed when a user accidentally does something wrong.
Therefore, the cardinal rule of all web development is: never trust your users. Assume that every piece of data your website collects from users contains malicious code, including data you think has already been validated on the client side, for example with JavaScript. If you can manage that, you are off to a good start. If PHP security is important to you, this is the most important point to learn. Personally, I consider "PHP security" a major issue.
Global Variables
In many languages, you must explicitly declare a variable before you can use it. PHP has an option, "register_globals", which you can set in php.ini so that global variables can be used without being declared in advance.
Consider the following code:
    if ($password == "my_password") {
        $authorized = 1;
    }
    if ($authorized == 1) {
        echo "lots of important stuff.";
    }

To many people this looks fine, and in fact code like this is in widespread use. However, if the server has "register_globals" enabled, then simply adding "?authorized=1" to the URL makes the protected content visible to anyone. This is the most common PHP security issue.
Fortunately, there are two simple solutions. First, and probably best, disable "register_globals". Second, make sure you only use variables that you have explicitly set yourself. In the example above, this means adding "$authorized = 0;" at the beginning of the script:

    $authorized = 0; // explicit default, cannot be overridden from the URL
    if ($password == "my_password") {
        $authorized = 1;
    }
    if ($authorized == 1) {
        echo "lots of important stuff.";
    }
Error Message
Error messages are a very useful tool for programmers and hackers alike. Developers need them to correct errors. Hackers can use them to find out all sorts of information about a website, from the directory structure of the server to database login information. If possible, it is best to turn off all error reporting. In PHP this can be done in .htaccess or php.ini by setting "error_reporting" to "0". If you have a separate development environment, you can set a different error reporting level there.
SQL Injection
One of PHP's biggest advantages is how easily it works with databases, most notably MySQL. Many people use this database, and many websites, including this one, rely on database functionality. However, as you would expect, with that much power come serious potential security problems. Fortunately, there are many solutions. The most common security problem involving a database is SQL injection: a user exploits a security flaw to run SQL statements against your database. Let's use a common example. Many login systems contain a line that looks much like this one, checking the username and password entered in a form, for example to control access to an administrator area:

    // Vulnerable: form input is concatenated straight into the SQL string
    $check = mysql_query("select username, password, userlevel from users where username = '" . $_POST['username'] . "' and Password = '" . $_POST['password'] . "'");

Looks familiar? On the surface it seems fine, and it does not look like it could do much damage. But suppose I enter the following value in the "username" input box and submit it:

    ' or 1=1 #

The statement that gets executed then looks like this:

    select username, password, userlevel from users where username = '' or 1=1 #' and Password = '';

The hash symbol (#) tells MySQL that everything after it is to be ignored, so the SQL statement is in effect executed only up to that point. 1 is always equal to 1, so the query returns all usernames and passwords from the database. Since the first username and password combination in most user login databases is the administrator, someone who simply entered a few symbols is now logged in to your website as an administrator, with the same power they would have if they actually knew the username and password.
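A hardened form of the login check above, using a parameterized query. This is an added example, not code from the original page; it goes one step beyond the text by verifying a stored password hash instead of comparing plaintext passwords in SQL. It assumes PHP 7.1+ with the pdo_sqlite extension, and the table layout, accounts, passwords and the function names make_demo_db and check_login are constructed for illustration.

```php
<?php
// Added example. Constructed sample data in an in-memory SQLite database
// so the script runs offline; a MySQL DSN would be used the same way.
function make_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY,
                                   password_hash TEXT, userlevel INTEGER)');
    $ins = $db->prepare('INSERT INTO users VALUES (?, ?, ?)');
    $ins->execute(['admin', password_hash('constructed-admin-pw', PASSWORD_DEFAULT), 9]);
    $ins->execute(['alice', password_hash('constructed-user-pw', PASSWORD_DEFAULT), 1]);
    return $db;
}

// Returns the account's userlevel on success, or null on any failure.
function check_login(PDO $db, $username, $password): ?int {
    // Form fields can arrive as arrays (username[]=x); accept strings only.
    if (!is_string($username) || !is_string($password)) {
        return null;
    }
    // The placeholder keeps the submitted value out of the SQL text, so
    // quotes and comment markers in it are compared as ordinary characters.
    $stmt = $db->prepare(
        'SELECT password_hash, userlevel FROM users WHERE username = :u'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // No matching row, or the hash does not verify: reject.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['userlevel'];
}

$db = make_demo_db();
var_dump(check_login($db, "' or 1=1 #", ''));               // input from the text
var_dump(check_login($db, 'admin', 'wrong-password'));      // bad password
var_dump(check_login($db, 'alice', 'constructed-user-pw')); // valid login
```

With the query parameterized, the input from the text is looked up as a literal username, matches no row, and the login is rejected.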