Organize some PHP development security issues

Organize some PHP development security issues

PHP gives developers a great deal of flexibility, but this also poses a potential risk to security issues, the recent need to summarize the past problems, here to lend a translation of an article at the same time with their own development of some feelings summed up.

Brief introduction

When developing an Internet service, you must always keep in mind the concept of security and be in the Code of development. The PHP scripting language does not care about security issues, especially for most inexperienced developers. Whenever you talk about transactions such as money issues, you need to pay particular attention to security considerations, such as developing a forum or a shopping cart.

General Essentials of Security protection

Don't believe in forms

For general JavaScript foreground validation, the user's behavior is not known, such as shutting down the browser's JavaScript engine, thus passing the post malicious data to the server. Validation is required on the server side to validate the data passed to each PHP script to prevent XSS attacks and SQL injection


Do not trust users

To assume that every piece of data your site receives is malicious code, there is a hidden threat to clean up every piece of data


Close Global Variables

The following configuration is made in the php.ini file:

Register_globals = Off

If this configuration option is turned on, there will be a large security risk. For example, there is a process.php script file that inserts the received data into the database, and the form that receives the user's input data might look like this:

Thus, when the data is submitted to process.php, PHP registers a $username variable, submits the variable data to the process.php, and sets such a variable for any post or GET request parameters. The following problem occurs if the display is not initialized (ref.: http://www.lai18.com/content/434606.html)

Here, suppose the Authenticated_user function is the value of judging the $authorized variable, and if the register_globals configuration is turned on, then any user can send a request to set the $ The value of the authorized variable is any value so that the validation can be bypassed.

All of these submissions should be obtained through PHP's predefined built-in global arrays, including $_post, $_get, $_files, $_server, $_request, etc., where $_request is a $_get/$_post/$_ The COOKIE is a union variable of three arrays, and the default order is $_cookie, $_post, $_get.


Recommended Security Configuration options

Error_reporting set to OFF: Do not expose the error message to the user, can be set to on when developing

Safe_mode set to Off

Register_globals set to Off

Disable the following functions: System, Exec, PassThru, shell_exec, Proc_open, Popen

The Open_basedir is set to/TMP, which allows the session information to have storage permissions while setting up a separate Web site root directory

Expose_php set to Off

Allow_url_fopen set to Off

Allow_url_include set to Off

SQL injection attacks

For SQL statements that manipulate the database, you need to pay particular attention to security, because a user might enter specific statements to make the original SQL statement change functionality. Similar to the following example:

Extended Reading

"PHP Security Programming series" series of technical Articles to organize the collection

PHP Security Programming Series Collection of knowledge about PHP security programming, to provide learning reference for PHP security programming

PHP 1discuz prevents SQL injection functions

2php ways to prevent XSS attacks

3PHP safe Programming: Escaping the output

4PHP Safe Programming: Filter User input

5PHP Security Programming: availability and Data tracking

6PHP safe programming: Do not let unrelated people see the error message

7PHP Security Programming: Register_globals Security

8PHP Secure Programming: Some principles of website security design

9PHP secure programming: About forms Spoofing Submissions

10PHP Secure Programming: HTTP request spoofing

11PHP Secure Programming: Do not expose database access rights

12PHP Secure Programming: cross-site request forgery CSRF defense

13PHP safe Programming: forms and data security

14PHP secure programming: attacking from URL semantics

15PHP Security Programming: File Upload attack defense

16PHP Security Programming: The Defense of cross-site scripting attacks

17PHP Secure Programming: Session fixed to get legal session

18PHP secure Programming: Preventing SQL injection

19PHP Safe Programming: Cookie exposure causes session hijacking

20PHP safe Programming: Protection from source code exposure

21PHP secure Programming: Pay attention to the backdoor URL

22PHP Security Programming: The Defense of Session hijacking

23PHP Security Programming: Brute Force attack

24PHP Security Programming: Password sniffing and replay attacks

25PHP Secure Programming: Remember security practices for login status

26PHP Secure Programming: Shell command injection

27PHP secure Programming: Risk of opening remote files

28PHP Security Programming: File directory guessing vulnerability

29PHP Secure Programming: Prevent file names from being manipulated

30PHP Secure Programming: file contains code injection attacks

31PHP Secure Programming: Better session data security

32PHP secure Programming: Shared host source code security

33PHP Secure Programming: Session Data injection

34PHP Secure Programming: Host file directory browsing

35PHP safe Programming: PHP Safe Mode

36php security directly with $ get value without $_get character escapes

37php prevent vulnerability policy, create high-performance web

38 What XSS attacks? PHP prevents XSS attack function

39 parsing php prevents form from repeating the submission method

The incompatible of 40php safety

41PHP prevent cross-domain submission of forms

42php prevent SQL injection from being detailed and protected

43php Preventing SQL Injection Code instances

44php Preventing SQL Injection sample analysis and several common attack regular expressions

45PHP security prevents your source code or important configuration information from being exposed

46PHP Simple example of preventing post repeating data submission

47php prevent forgery of data from URL submission method

48PHP summary of several common ways to prevent forms from repeating submissions

49php method of preventing forgery of data from address bar URL submission

50php ways to prevent remote submission of forms outside the station

51php Filter Paging parameter instance for preventing SQL injection

52PHP security attacks and workarounds that may be encountered when installing in Apache mode

53PHP security file system security and preventive measures

54PHP security file system security?? Null character issues

55PHP security database security?? SQL injection and preventative measures

Introduction and general principles of 56PHP safety

57PHP security attacks and workarounds that may be encountered when installing in CGI mode

58PHP Secure user-submitted data

59PHP security database security?? Design, connect, and encrypt

60PHP Security Magic quotes?? What are magic quotes and how to use them

61PHP Security hidden PHP script extension

62PHP Safe Use Register Globals

63PHP Security Error Report

64php method to prevent malicious refresh and swipe tickets

65php Summary of ways to prevent web sites from being refreshed

66PHP website Common Security loopholes, and corresponding preventive measures summary

