Knowledge of security precautions in PHP programming

Source: Internet
Author: User
Tags: form, post
1. php.ini settings. The hardened values are as follows (directive names in php.ini are lowercase; `;` starts a comment):

    register_globals = Off          ; removed in PHP 5.4
    magic_quotes_gpc = Off          ; removed in PHP 5.4
    display_errors = Off
    log_errors = On
    allow_url_fopen = Off
    expose_php = Off
    open_basedir =                  ; set to the application's directory tree
    safe_mode = On                  ; removed in PHP 5.4
    disable_functions = exec,system,passthru,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,dl,popen,show_source,get_cfg_var
    safe_mode_include_dir =         ; removed in PHP 5.4

register_globals, magic_quotes_gpc, safe_mode and safe_mode_include_dir were removed in PHP 5.4 and have no effect on later versions; they matter only for servers still running PHP 5.3 or older. allow_url_fopen = Off stops fopen() and file_get_contents() from opening URLs; the directive that stops include/require of remote files is allow_url_include, which has defaulted to Off since PHP 5.2. The disable_functions list also removes escapeshellarg() and escapeshellcmd(); that is only consistent if every shell-execution function is disabled as well, as it is here, otherwise the escaping helpers are the ones you want to keep.

2. Database: SQL pre-processing with mysql_real_escape_string(). Many PHP programmers still rely on addslashes() to prevent SQL injection, but that approach has a problem with Chinese (multibyte) encodings. addslashes() inserts a backslash (0x5c) before every single quote, so an attacker who sends the two bytes 0xbf27 instead of a plain single quote gets 0xbf5c27 back. 0xbf27 is not a valid GBK character, but 0xbf5c is: a server decoding the query as GBK reads 0xbf5c as one character and the remaining 0x27 as a bare single quote, which closes the string literal early. mysql_real_escape_string() escapes according to the connection's character set, but only if that character set has actually been set on the connection with mysql_set_charset() (mysqli_set_charset() for mysqli); a SET NAMES query is not enough, because the client library never sees it, and escaping with the wrong character set has the same problem as addslashes(). The mysql_* functions were removed in PHP 7, so new code should use mysqli or PDO.

Prepare + execute (PDO) avoids the problem altogether: the statement text and the data travel separately, so no byte sequence in the data can change the SQL. With PDO against MySQL, put charset= in the DSN and set PDO::ATTR_EMULATE_PREPARES to false, otherwise PDO escapes the values client-side and depends on the character set in the same way. Zend Framework's DB class offers quote() and quoteInto(); these two methods are implemented for each supported database, unlike mysql_real_escape_string(), which can only be used with MySQL.
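The GBK failure and the prepared-statement fix, as an added example that is not code from the original article. It uses PDO with an in-memory SQLite database so that it runs offline; the table, the rows, the attacker payload and the commented-out mysqli connection parameters are constructed for the demonstration.

```php
<?php
// Added example, not code from the original article. It shows the addslashes()
// failure on a GBK-style payload and the prepared-statement alternative.
// PDO with an in-memory SQLite database is used so the script runs offline;
// against MySQL the DSN would be "mysql:host=...;dbname=...;charset=utf8mb4"
// and PDO::ATTR_EMULATE_PREPARES should be set to false.
declare(strict_types=1);

// Constructed attacker input: the byte 0xBF followed by a single quote.
// 0xBF27 is not a valid GBK character, but 0xBF5C is.
$payload = "\xbf' OR 1=1 -- ";

// Vulnerable: addslashes() puts 0x5C before the quote, giving 0xBF 0x5C 0x27.
// A server decoding GBK reads 0xBF5C as one character, leaving 0x27 as a bare
// quote that terminates the string literal.
function buildQueryWithAddslashes(string $name): string
{
    return "SELECT id, name FROM users WHERE name = '" . addslashes($name) . "'";
}

// Hardened: the statement text is fixed and the value travels separately,
// so no byte sequence in $name can change the SQL structure.
function findUsersByName(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// The bytes addslashes() produces for the first two bytes of the payload.
echo "addslashes(0xBF27) = ", bin2hex(addslashes("\xbf'")), "\n";
echo "vulnerable query:   ", buildQueryWithAddslashes($payload), "\n";

// The parameterised query compares the payload as a literal name and
// therefore matches no row; a real name still matches.
$rows = findUsersByName($db, $payload);
echo "rows for payload:   ", count($rows), "\n";
$rows = findUsersByName($db, 'alice');
echo "rows for alice:     ", count($rows), "\n";

// Legacy mysqli escaping, if prepared statements are not an option: set the
// connection character set first so the escaper knows which byte sequences
// are multibyte characters (assumed connection parameters).
// $mysqli = new mysqli('localhost', 'user', 'pass', 'db');
// $mysqli->set_charset('utf8mb4');
// $safe = $mysqli->real_escape_string($payload);
```

Run it with `php` on the command line; the first line prints the escaped bytes (a backslash between 0xbf and the quote), and the row counts show that the parameterised lookup treats the payload as data.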

3. User input that must not keep HTML tags can be handled in the following ways:

    strip_tags(): deletes all HTML tags from the string (a second argument lets listed tags through, but their attributes, event handlers included, are kept)
    htmlspecialchars(): escapes only the characters with a special meaning in HTML: &, <, >, " and, with the ENT_QUOTES flag, '
    htmlentities(): escapes every character that has an HTML entity equivalent

Where HTML tags must be preserved, the following tools can be considered instead of escaping all HTML:

    1. HTML Purifier: a standards-compliant HTML filter library written in PHP.
    2. PHP HTML Sanitizer: removes unsafe tags and attributes from HTML code.
    3. htmLawed: PHP code to purify and filter HTML.

4. File upload, session, cookie and form handling. Handle uploads only through is_uploaded_file() and move_uploaded_file(), reading the $_FILES array (the old $HTTP_POST_FILES array was removed in PHP 5.4). Prevent users from running uploaded PHP scripts by turning off PHP interpretation for the upload directory in the web server configuration. Zend Framework users can consider its File_Upload module. For sessions, cookies and forms: do not rely on cookies alone for core authentication, encrypt important information, and hash form data before it is transferred so that tampering with hidden fields can be detected. For example, the hidden fields are emitted together with a hash of their contents and a server-side secret, and checked like this when the form is posted back:

    // Verify the hidden fields after the form is posted back. $secret is a
    // server-side value the client never sees; $_POST['h'] holds the hidden
    // fields and $_POST['hash'] the hash computed when the form was emitted.
    $str = "";
    foreach ($_POST['h'] as $key => $value) {
        $str .= $key . $value;
    }
    // hash_equals() instead of != : a loose comparison of hex digests is
    // fooled by "0e..." strings, which PHP compares as equal numbers.
    if (!hash_equals(md5($str . $secret), (string) $_POST['hash'])) {
        echo "Hidden form data modified";
        exit;
    }
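Both halves of this section in working form, as an added example that is not code from the original article: an upload handler built on is_uploaded_file(), move_uploaded_file() and $_FILES, and a keyed-hash (HMAC) version of the hidden-field check that also fixes the ambiguity of concatenating key and value with no separator. The upload directory, the allowed types, the web-server snippets in the comments and the secret are assumptions.

```php
<?php
// Added example, not code from the original article. Two helpers for section 4:
// an upload handler on is_uploaded_file()/move_uploaded_file() and $_FILES, and
// an HMAC replacement for md5($str . $secret) over hidden form fields.
// Directory, allowed types and secret are assumptions.
declare(strict_types=1);

// --- Uploads ---------------------------------------------------------------

// $file is one entry of $_FILES, e.g. $_FILES['avatar'].
// $allowed maps the MIME type detected from content to the extension to store.
function storeUpload(array $file, string $uploadDir, array $allowed): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, code ' . ($file['error'] ?? '?'));
    }
    // Only accept files PHP itself received via HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Type from content, never from the client-supplied name or $file['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !isset($allowed[$mime])) {
        throw new RuntimeException('disallowed type: ' . var_export($mime, true));
    }
    // Server-chosen name: no path, no client extension, so "shell.php" cannot
    // land on disk under its own name.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move upload');
    }
    chmod($dest, 0644);
    return $name;
}
// The web server must not run PHP from the upload directory (assumed paths):
// Apache (vhost):  <Directory /var/www/uploads> php_admin_flag engine off </Directory>
// nginx:           location ~* ^/uploads/.*\.php$ { return 403; }

// --- Hidden form fields ----------------------------------------------------

// Canonical encoding: sorted keys and string values, so "ab"+"c" and "a"+"bc"
// cannot collide the way plain key . value concatenation does.
function canonical(array $fields): string
{
    $fields = array_map('strval', $fields);
    ksort($fields);
    return json_encode($fields, JSON_THROW_ON_ERROR);
}

// Call when emitting the form; put every returned key into a hidden input.
function signHiddenFields(array $fields, string $secret): array
{
    return $fields + ['hash' => hash_hmac('sha256', canonical($fields), $secret)];
}

// Call on the posted data; returns the verified fields or throws.
function verifyHiddenFields(array $post, string $secret): array
{
    $given  = $post['hash'] ?? '';
    $fields = array_diff_key($post, ['hash' => true]);
    $expect = hash_hmac('sha256', canonical($fields), $secret);
    // hash_equals() avoids both timing leaks and PHP's loose == on "0e..." strings.
    if (!is_string($given) || !hash_equals($expect, $given)) {
        throw new RuntimeException('Hidden form data modified');
    }
    return $fields;
}

// Constructed walk-through with an assumed server-side secret.
$secret = 'replace-with-32-random-bytes-kept-outside-the-web-root';
$signed = signHiddenFields(['item' => 'book', 'price' => '100'], $secret);
echo "emitted hash: ", $signed['hash'], "\n";

verifyHiddenFields($signed, $secret);           // untouched: passes
$tampered = $signed;
$tampered['price'] = '1';                       // attacker edits the hidden field
try {
    verifyHiddenFields($tampered, $secret);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

storeUpload() is meant to be called from a request handler with `$_FILES['field']`, so the script only exercises the form part when run from the command line. Signing with hash_hmac() rather than md5($str . $secret) means the secret is used as a key, and checking with hash_equals() keeps the comparison constant-time.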

5. PHP security detection tools (XSS and SQL injection): Wapiti, the Web Application Security Auditor, is a small vulnerability detection tool for web sites that checks for SQL injection and XSS.

Installation/use:

    apt-get install libtidy-0.99-0 python-ctypes python-utidylib
    python wapiti.py http://Your-Website-URL/ -m GET_XSS

Pixy is an XSS and SQLi scanner for PHP (a static defect-analysis tool for PHP source). Install: apt-get install default-jdk

Only these measures are introduced here. If you apply all of the security measures described above, your PHP code will be considerably safer.
