PHP Insurance Precautions

PHP security guard

PHP code Security and Xss,sql injection are very useful for all types of websites, especially the UGC (User Generated Content) website, forums and e-commerce sites, which are often the hardest hit areas for XSS and SQL injection. Here is a brief introduction to some basic programming points, relative to the security of the system,PHP security more requires programmers to the user input parameters can be more careful.

?

Security in the PHP compilation process

?

Recommended installation of Suhosin patches, must install security patches

?

?

php. INI security settings

?

Register_global = Off
MAGIC_QUOTES_GPC = Off
Display_error = Off
Log_error = On
# allow_url_fopen = Off
expose_php = Off
Open_basedir =
Safe_mode = On
Disable_function = Exec,system,passthru,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,dl,popen, Show_source,get_cfg_var
Safe_mode_include_dir =

DB SQL preprocessing

Mysql_real_escape_string (many phper still rely on addslashes to prevent SQL injection, but this approach still has a problem with Chinese encoding.) Addslashes the problem is that hackers can use 0xbf27 instead of single quotes, GBK encoding 0xbf27不是一个合法字符，因此 addslashes just 0xbf5c27 to become a valid multibyte character, where the 0xbf5c will still be considered as single quotation marks, specifically see this article). You also need to specify the correct character set with the Mysql_real_escape_string function, or you may still have problems.

Prepare + execute (PDO)
Zendframework can use the DB class of quote or Quoteinto, these two methods are based on a variety of databases implemented without methods, not like mysql_real_escape_string can only be used for MySQL

Processing of user input

There is no need to preserve HTML tags in the following ways

Strip_tags, delete all HTML tags in string
Htmlspecialchars, only the "<", ">", ";", "'" characters are escaped
Htmlentities, escaping all HTML

?

The following tools can be considered when HTML tags must be preserved:
HTML purifier:html Purifier is a standards-compliant the HTML filter library written in PHP.
PHP HTML sanitizer:remove Unsafe tags and attributes from HTML code
htmlawed:php code to purify & filter HTML

Uploading files

Using the Is_uploaded_file and Move_uploaded_file functions, use the http_post_files[] array. And to prevent users from uploading PHP scripts by removing the PHP interpretation function of the upload directory.

The File_upload module can be considered under the ZF framework

Safe handling of Session,cookie and form

Do not rely on cookies for core authentication, important information needs to be encrypted, and the data is hashed before form post, such as the form element you send out as follows:

?

 
   
?
Verify the parameters after the post is back
?
$str = ""; foreach ($_post[' H '] as $key = = $value)  $str. = $key. $value; $_post[' hash ']! = MD5 ($str. $secret))   echo "Hidden form data Modified"; Exit
?
?
PHP Security detection Tools (XSS and SQL insertion)
?
Wapiti-web Application Security Auditor (Wapiti-Small Site Vulnerability Detection Tool) (SQL INJECTION/XSS attack checker)
Installation/How to use:
apt-get install libtidy-0.99-0 python-ctypes python-utidylib
python wapiti.py http://Your Website URL/ -m GET_XSS

PIXY:XSS and SQLI Scanner for PHP (pixy-php source defect analysis Tool)
Installation:apt-get install default-jdk

Remote PHP Vulnerability Scanner (Automated PHP page defect analysis, XSS detection function is strong)
phpids-php Intrusion Detection Systems
?
?
?
?
?
?
?
