PHP Anti-attack method

Source: Internet
Author: User

Here are some common ways to guard against malicious users.

1. Front-end JS validation: I regard JS validation as nothing more than a user-experience improvement, a simple restriction aimed at the general user population, so the back end must perform its own validation.

2. Hidden fields in forms: I believe everyone has run into this. For example, the user goes from page A to page B; page B is a form containing a hidden field that records data carried over from page A (an ID and so on). When the user submits, the back end updates records, and the new data depends on the value of that hidden field. If this is not handled carefully, the user can easily change the hidden field's value and produce garbage data. I once saw an online shop that actually kept order information in hidden fields; after changing the price with Firebug, I found the order total was the amount I had modified. I did not follow up for a long time, so I do not know whether the problem was ever fixed.

For the problem above, what I generally do is generate a value when page A goes to page B:

    // $data is the value of the hidden field on page B; the left-hand side was
    // restored from the later $_POST['key'] check
    $key = md5('FormKey' . $data . date('YmdH'));

The generated key is then placed in a hidden field of the form on page B.
After the data is submitted, the hash is recomputed in the same order and compared, as in:

    md5('FormKey' . $_POST['data'] . date('YmdH')) == $_POST['key']

This is what I generally use now; I do not know whether there is a better way, please share ....
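As an added example (not code from the original post), here is a keyed, expiring form token that binds the hidden-field value to the form and generalises the md5('FormKey' . $data . date('YmdH')) scheme above: the secret never leaves the server, the timestamp is part of the signed data, and comparison is constant-time. The constant FORM_SECRET and the function names are assumptions made here.

```php
<?php
// Added example, not code from the original post: a keyed, expiring form token that binds
// the hidden-field value to the form, in place of md5('FormKey' . $data . date('YmdH')).
// Assumptions: FORM_SECRET is a server-side secret loaded from configuration and never sent
// to the client; issue_form_token() and verify_form_token() are names chosen here.
const FORM_SECRET = 'placeholder-replace-with-a-long-random-secret';

// Token format: "<issued-at unix time>.<hex HMAC over issued-at and the hidden value>".
function issue_form_token(string $data, ?int $now = null): string
{
    $now = $now ?? time();
    return $now . '.' . hash_hmac('sha256', $now . "\0" . $data, FORM_SECRET);
}

// Recomputes the HMAC over the submitted hidden value and compares in constant time.
// An edited value, an edited timestamp, or a token older than $maxAge seconds all fail,
// and there is no hour-boundary failure as with date('YmdH').
function verify_form_token(string $data, string $token, int $maxAge = 3600, ?int $now = null): bool
{
    $now   = $now ?? time();
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;
    }
    [$issued, $mac] = $parts;
    $issued = (int) $issued;
    if ($issued > $now || $now - $issued > $maxAge) {
        return false;
    }
    $expected = hash_hmac('sha256', $issued . "\0" . $data, FORM_SECRET);
    return hash_equals($expected, $mac);
}

// Page A renders the form: the hidden value and its token travel together.
$orderId = '1024';                                   // constructed sample value
$token   = issue_form_token($orderId);
printf("<input type=\"hidden\" name=\"data\" value=\"%s\">\n", htmlspecialchars($orderId, ENT_QUOTES, 'UTF-8'));
printf("<input type=\"hidden\" name=\"key\" value=\"%s\">\n", htmlspecialchars($token, ENT_QUOTES, 'UTF-8'));

// Page B handler: the hidden value is only used when the token still matches it.
$post = ['data' => $orderId, 'key' => $token];       // constructed stand-in for $_POST
echo 'unchanged value: ', verify_form_token($post['data'], $post['key']) ? 'accepted' : 'rejected', "\n";
echo 'edited value:    ', verify_form_token('1', $post['key']) ? 'accepted' : 'rejected', "\n";
echo 'stale token:     ', verify_form_token($post['data'], $post['key'], 3600, time() + 7200) ? 'accepted' : 'rejected', "\n";
```

For a price, do not sign the client-side copy at all: carry only the order id in the hidden field and reload the price from the database on page B.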

3. Ajax: back-end validation of Ajax requests is generally light, and the best practice is to restrict the Ajax request address so that it cannot be opened directly in a browser. Do not assume that an Ajax request is more secure because it is a POST.

The check I generally use is:

    isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest'

Of course, X-Requested-With can also be forged, but at least it adds one more check.

Next, a filter function I used previously:

    function check_str($string, $isurl = false)
    {
        // two "$string = ...($string);" statements were lost in extraction here
        // leave an & alone only when it already starts an entity such as &#123; or &amp;
        empty($isurl) && $string = preg_replace("/&(?!(#[0-9]+|[a-z]+);)/si", '&amp;', $string);
        // three more "$string = ...($string);" statements were lost in extraction here
        return trim($string);
    }

Excerpted from: http://www.cnblogs.com/my37gs/archive/2011/12/07/2278697.html
1. Validate any data the user inputs, to keep the PHP code secure
One trick here is the whitelist. A whitelist means we require the user's data to take a particular form: for example, if we require the input to be a number, we only test whether the value is a number, and do not have to test what else it might be; in fact it may well be a malicious script.

This test cannot be done only in client-side JavaScript; as said above, JS merely improves the visitor's experience and is not a validation tool, because any visitor may deliberately or inadvertently disable client-side scripting, and that layer of validation is then skipped. So the data must be tested in the PHP server-side program.

2. Secure the database: preprocess SQL statements before they run on the database
Escape the user-supplied values in every MySQL statement with mysql_real_escape_string() before executing it; refer to the PHP manual for this function. Many PHP database abstraction layers, such as ADODB, provide a similar method.
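As an added example (not code from the original article) covering points 1 and 2 together: whitelist validation of an input value followed by a parameterised query, which is the modern replacement for calling mysql_real_escape_string() before each statement (the mysql_* extension is gone in PHP 7 and later). The users table, the in-memory SQLite database and the function names are constructed here.

```php
<?php
// Added example, not code from the original article: whitelist validation of an input value
// followed by a parameterised query. This replaces mysql_real_escape_string(), whose
// mysql_* extension no longer exists in PHP 7+. The users table and the in-memory SQLite
// database are constructed here so the script runs stand-alone; function names are ours.

// Whitelist check: the only acceptable form is a positive integer. Anything else is
// rejected outright rather than "cleaned up".
function validate_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// The value is bound as a parameter, so it never becomes part of the SQL text and
// quoting is the driver's job, not ours.
function find_user(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");

// Constructed inputs standing in for $_GET['id']: only the first passes the whitelist.
foreach (['2', "2'", '-5', '0x10', ''] as $raw) {
    $id = validate_id($raw);
    if ($id === null) {
        echo 'rejected: ', var_export($raw, true), "\n";
        continue;
    }
    echo 'ok: ', json_encode(find_user($db, $id)), "\n";
}
```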

3. Do not rely on PHP settings you should not rely on: the environment is sometimes unreliable
Do not rely on magic_quotes_gpc=on. While programming, try to turn this option off, and always check its state before processing user input. Remember that this option will be removed in PHP 6. Use the addcslashes family of functions where appropriate; refer to the manual.

4. Verify the data source and prevent remote form submission
Do not use the $_SERVER['HTTP_REFERER'] superglobal to check where the data came from; even a novice attacker can use tools to forge it. Instead, generate a token with md5(), rand() or similar functions, verify the source, and check that the token matches.

5. Protect session data, especially cookies
Cookies are stored on the user's computer, and any user may alter them for whatever reason, so sensitive data must be protected. MD5 and SHA1 are two such methods (both are hash functions rather than encryption).

6. Use htmlentities() to prevent XSS attacks
Apply htmlentities() wherever a user might enter script, and to most user input that could trigger a program error. Remember to follow the first habit: validate input data against a whitelist of values, for the web application's name, e-mail addresses, phone numbers, and billing-information inputs.

PHP aspects:
(1) htmlspecialchars: parameter one is the string to convert; parameter two sets whether single and double quotation marks are converted; parameter three sets the string encoding.
This function turns special characters into HTML entity form (&....;). The most common use is probably handling messages on a customer message board.
& (ampersand) becomes &amp;
" (double quotation mark) becomes &quot;
< (less than) becomes &lt;
> (greater than) becomes &gt;
This function converts only the special characters above; it does not perform all the ASCII conversions specified by HTML.
(2) htmlentities: converts all applicable characters in the string to HTML entities.
(3) strip_tags: removes HTML and PHP tags.
(4) For SQL statements, add mysql_real_escape_string().
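As an added example (not code from the original article), the functions just described applied to one constructed comment string, showing which htmlspecialchars() flags matter when the output lands in HTML; the helper name e() is chosen here.

```php
<?php
// Added example, not code from the original article: the functions described above applied
// to one constructed comment string, showing which flags matter when the output is HTML.
// The helper name e() is chosen here.

$comment = "O'Brien wrote: \"5 < 6 & 7 > 2\" <b>bold</b>";   // constructed user input

// htmlspecialchars() rewrites only & " ' < >. ENT_QUOTES is what makes a single quote
// safe inside a single-quoted attribute; the charset argument plus ENT_SUBSTITUTE keeps
// invalid byte sequences from passing through unchanged.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

echo "ENT_COMPAT  : ", htmlspecialchars($comment, ENT_COMPAT, 'UTF-8'), "\n"; // ' is left alone
echo "ENT_QUOTES  : ", e($comment), "\n";                                     // ' is encoded too
// htmlentities() additionally converts every character that has a named entity.
echo "htmlentities: ", htmlentities("café ©", ENT_QUOTES, 'UTF-8'), "\n";
// strip_tags() removes markup but leaves & and quotes untouched, so it is not an encoder.
echo "strip_tags  : ", strip_tags($comment), "\n";

// The context decides the flags: an element body tolerates ENT_COMPAT, a single-quoted
// attribute does not. Encoding at output time, not at input time, keeps stored data intact.
echo "<p>", e($comment), "</p>\n";
echo "<input value='", e($comment), "'>\n";
```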
