PHP + MySQL security solution compiled by experts-PHP source code

On the website, we have to imagine every visitor is disgusting so that we can build a safer website. The following is a php + mysql security solution compiled by experts, which is particularly useful for beginners. On the website, we have to imagine every visitor is disgusting so that we can build a safer website. The following is a php + mysql security solution compiled by experts, which is particularly useful for beginners.

Script ec (2); script

1. Do not rely on magic_quotes on the server, although they are all open by default (magic_quotes_gpc)

Disable the following two

Ini_set ("magic_quotes_runtime", 0 );
Ini_set ("magic_quotes_sybase", 0 );

Add magic_quotes manually to all variables, that is, add addslashes

The Code is as follows:

Function stripslashes_deep ($ value ){
$ Value = is_array ($ value )?
Array_map ('stripslashes _ deep ', $ value ):
Stripslashes ($ value );
Return $ value;
}

Function strip_slashes (){
// If already slashed, strip.
// Remove the original slash and add your own magic_quotes.
If (get_magic_quotes_gpc ()){
$ _ GET = stripslashes_deep ($ _ GET );
$ _ POST = stripslashes_deep ($ _ POST );
$ _ COOKIE = stripslashes_deep ($ _ COOKIE );
$ _ SERVER = stripslashes_deep ($ _ SERVER );
$ _ REQUEST = stripslashes_deep ($ _ REQUEST );
}
$ _ GET = add_magic_quotes ($ _ GET );
$ _ POST = add_magic_quotes ($ _ POST );
$ _ COOKIE = add_magic_quotes ($ _ COOKIE );
$ _ SERVER = add_magic_quotes ($ _ SERVER );
$ _ REQUEST = add_magic_quotes ($ _ REQUEST );
}

Strip_slashes ();


It is troublesome to restore all stripslashes during display. However, if you have a template engine, you can do this in a unified manner when assigning values to variables,

For example:

Function assign ($ var, $ value = ''){
If (is_array ($ var )){
Foreach ($ var as $ k => $ v ){
$ This-> vars [$ k] = stripslashes_deep ($ v );
}
} Else {
$ This-> vars [$ var] = stripslashes_deep ($ value );
}
}


This can avoid '"and other symbols, which will be described below

2. For fields such as user names, spaces are not allowed during input, and the fields must be letters, numbers, underscores (_), or underscores (_).

For example, if you do not need to use the name, menu name, and role name, you must check the name before entering the name or replace it with null.

3. for all variables whose IDs are numbers, check whether they are numbers and forcibly convert the variables into numbers.

If the ID is of the positive or positive type, you can use encoding rules to check the ID. For example, the ID is a regular expression of a number.

4. mysql functions in php can only execute one statement at a time, that is, they are not automatically disconnected. Therefore, the append statement cannot be used for injection. It may only take effect by inserting the statement into the variable. Therefore, the delete, select, and update statements may have a damaging effect.

For example:

Delete from tbl_users where user_id = 'admin' to delete from tbl_users where user_id = 'admin or user_id <> '0', that is, in the input column: admin or user_id <> '0

So for variable parameters:
There should be no space. Remove the space.
The digit must be converted to a number.
If there are encoding rules, you must check the encoding rules.
You must add the length limit if you have a length limit.
If no injection statement exists, the SQL keyword is screened.
Replace some dangerous characters, such as "replace", % 20 for spaces, and html for special characters.
Of course, the use of addslashes still has a significant effect. For php, to insert conditions in variables, it must be done through ', so this action can completely break all attempts

5. Do not run apache, php, and mysql as system users.

6. Do not use root to connect to mysql.

7. All system error messages must be disabled or blocked.

8. Shielding non-mainstream browser user-agent

9. records all SQL operations and user ip addresses. If dangerous statements are found, the IP address can be immediately blocked, for example, three days.
If a dangerous SQL Injection statement occurs after a user logs on, the user is deleted and the IP address is blocked.

10 For the verification code, you can use Chinese characters, change the string style, and click the pop-up method.

11 if it is still insecure, it is necessary to use U shield and dedicated controls like e-banking.