Novice training php Some good security habits: Turn off error prompts and strict data validation, etc.

When you use PHP for Web development, the entry needs to pay attention to some security configuration items, turn off some features, to prevent users inadvertently appear a variety of problems.

1. turn off the PHP prompt error feature

Change the display_errors to off in php.ini, or add error_reporting (0) to the php file.

Use error_reporting (0); Example of failure:

<?php  error_reporting (0);  echo 555  echo 444;  ? >

Error:

Parse error:parse error, expecting "," or ";" in E:\webphp\2.php on line 4

Many phper say that using error_reporting (0) does not work. The first example a.php inside a fatal error, resulting in the failure to execute, unable to execute the server does not know that the function, so the same error.

2. Turn off some "bad features"

1) Turn off the Magic quotes function

Put MAGIC_QUOTES_GPC = off in php.ini
Avoid repeated escapes with addslashes, etc.

2) off register_globals = Off

Put register_globals = off in php.ini

In the case of register_globals = On

<?php  //$bloger = $_get[' Bloger ')   //Because register_globals = on so this step can be used directly with the $bloger  echo $bloger;  >

This situation can cause some uninitialized variables to be easily modified, which may be fatal. So turn off the register_globals = Off

(3) strictly configure file permissions.

Assigning permissions to the appropriate folders, such as files that contain uploaded images, cannot have execute permissions and can only read

3. Strict data validation, we have to do is to strictly verify the control data flow, even if one of the 100 million users is a bad user is enough to kill, say good user also sometimes in the data input box unintentionally input Chinese, he has inadvertently changed "bad".

To ensure the security and robustness of the program, data validation should include

(1) Whether the critical data exists. If the delete data ID exists
(2) The data type is correct. If deleting the data id is an integer
(3) Data length. If the field is a char (10) type, it is strlen to determine the length of the data
(4) Whether the data has dangerous characters

Data length issues, such as Database Building table field char (25), most phper consider whether it is empty, the data type is correct, but ignore the character length, ignoring it is more lazy to judge the length.

Think that the front-end with JS to verify the verification, the background does not need to judge the verification. This is also fatal, to know the forgery of a form on a few minutes, JS judgment is only to reduce the number of user submissions to improve user experience, reduce HTTP requests to reduce server pressure, in the security situation can not prevent "villain", of course, if the legitimate user in the JS verification control is perfect, But as phper we can not only JS verification and discard again security verification.

Lack of validation of some of the form's properties such as Select, CheckBox, Radio, button, etc., these properties on the Web page developers have set their value and range (white list value), these attribute values in the JS verification generally do not verify, because the legitimate user only the right to choose the right to change, Then phper on the back end of the data processing validation will not validate the data, this is a inertial thinking, security problems have, the villain a pseudo-form.

The form corresponding element name and data table field name consistent, such as User table user Name field is user_name, then the form of the user name input box is also user_name, which is no different from Bauku.