1. Do not rely on registering the global variable function (register_globals)
Registering a global variable has made PHP very easy to use, but it also reduces security (which often undermines security). It is recommended that you turn off the register_globals instruction when you program, and that this feature will be canceled in PHP6.
2. Initialize the variable before using it.
If the Register_globals feature is started, even if the programmer does not use it, a malicious user could exploit our system by exploiting a vulnerability to initialize the variable. Like what:
if (Conditon) {
$auth =true;
}
If the variable $auth is not initialized to false before this paragraph, then the user can pass the $_get[' auth ', $_post[' auth ', or $_cookie[' auth ' to the script to easily implement validation.
3. Inspection and purification of all input data.
4. Be careful when using variable references to include files.
If there is such code in the script:
Require ($page);
Then you should make sure that $page does not come from an external resource (such as $_get), or that if it does come from an external resource, make sure it contains the appropriate values.
5. Be careful with functions that execute commands on any server.
These functions include eval (), exec (), System (), PassThru (), Popen (), and anti-apostrophe (""). These functions are capable of executing commands on the server and should never be used arbitrarily. If you have to include it in the command, you should have a thorough security check on the variable. You should also use Escapeshellarg () escapeshellcom () for additional preprocessing.
6. Change the default Session directory, or use the database to save session data.
7. Do not use the file name provided by the browser to save uploaded files on the server.
8. If the submitted data needs to be displayed again on the Web page, be sure to note the HTML and, more importantly, the JavaScript
You can use the function
String Htmlspecialchars (String string [, int quote_style [, String CharSet]])
Processing of submitted data
9. Do not expose your PHP error messages on the site
PHP error messages can be used to make your error messages easier to check while you are developing them, but if exposed to the web, it can be an attacker's entry.
10. Prevent SQL injection attacks.
You should use database escape functions in a specific language, such as Mysqli_real_escape_data (), to ensure that the content that is committed does not break the query operation.
11. Never Save the Phpinfo () script on the server.
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.
