PHP code Security issues

Source: Internet
Author: User

1. The website generally has a unified entrance index.php, hidden site unified portal, URL rewrite

2.svn everyone gives different permissions

3. Anti-SQL injection workaround: Use precompiled statements, typically in SQL statements

In PHP, there are two modules for MySQL database, MySQL and mysqli,mysqli means MySQL improve. MySQL's improved version, this module contains the concept of "precompilation". Like the SQL statement above, change: SELECT * from admin where username= '? ' password= '? ', it is not an SQL statement, but can be mysqli by the pre-compilation function of the first to compile him into a stmt object, After the user enters the account password, the user input "data" is bound to the location of the two question marks with Stmt->bind_param. This allows the user to enter content that is "data" and not be "code

<?php
//user-entered data
$name = ' admin ';
$pass = ' 123456 ';
//Creates a new Mysqli object, and the constructor parameter contains the database-related content.
$conn = new Mysqli (Db_host, Db_user, Db_pass, db_name, Db_port);
//Set SQL statement default encoding
$this->mysqli->set_charset ("UTF8");
Create a SQL statement that uses a wildcard
$sql = ' SELECT user_id from admin WHERE username=? and password=?;
//Compile the statement to get a stmt object.
$stmt = $conn->prepare ($sql);
/******************** After the content can be reused, do not have to compile *************************/
//Bind data with Bind_param method
//You can see, Because I left two? That is, to bind two data to it, so the first parameter is the type of data bound (S=string,i=integer), the second argument is the data to be bound
$stmt->bind_param (' SS ', $name , $pass);
//Call the Bind_param method to bind the result (if you just check if the user and password exist, or just a DML statement, do not bind the result)
//The result is the field I select to bind several
$stmt Bind_result ($user _id);
//Execute the statement
$stmt->execute ();
Get the result
if ($stmt->fetch ()) {
 echo ' landed successfully ';
 //Be sure to release the resulting resource, or you will get an error later
  $stmt->free_result ();
 return $user _id; Returns the contents of the Select to
}else{echo ' login failed ';}
?

5. Restrictions on uploading file types

6. After verifying the verification code, clear the verification code in the session.

7. Modular management of the system

8. Hidden file extensions

PHP code Security issues

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.