1. Do not rely on the register globals feature (register_globals)
Registering request variables as globals makes PHP very easy to use, but it also weakens security (and often breaks it outright). It is recommended that register_globals be turned off while programming; the feature will be removed in PHP 6.
2. Initialize variables before they are used.
If register_globals is enabled, then even if the programmer never relies on it, a malicious user may be able to exploit an uninitialized variable to break into the system. For example:
if ($condition) {
    $auth = true;
}
If $auth is not initialized to false before this block, the user can pass $_GET['auth'], $_POST['auth'] or $_COOKIE['auth'] to the script and get through the check without a valid login.
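The flaw described above, as an added example that is not part of the original article. register_globals cannot be toggled at runtime, so its effect is simulated with extract() on a constructed request array (extract($_GET) in real code has exactly the same weakness); check_password() and its credential store are constructed placeholders. The request carries auth=1 together with a wrong password: only the version that initializes $auth and reads its inputs explicitly rejects it.

```php
<?php
// Added example, not the article's code. Simulates register_globals with extract()
// on a constructed request; in real code extract($_GET) is the same bug class.

$request = ['auth' => '1', 'user' => 'mallory', 'pass' => 'wrong'];  // constructed request

function check_password(string $user, string $pass): bool {
    // Constructed credential store; a real application compares against stored hashes.
    static $hashes = null;
    if ($hashes === null) {
        $hashes = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    }
    return isset($hashes[$user]) && password_verify($pass, $hashes[$user]);
}

// --- Vulnerable: mirrors the article's snippet, $auth is never initialized ---
extract($request);                  // simulates register_globals: $auth is now '1'
if (check_password($user, $pass)) {
    $auth = true;
}
echo "vulnerable: ", ($auth ? "logged in" : "denied"), "\n";

// --- Fixed: a safe default first, and inputs read explicitly, never via globals ---
unset($auth, $user, $pass);
$auth = false;                      // safe default before any check runs
$user = (string)($request['user'] ?? '');
$pass = (string)($request['pass'] ?? '');
if (check_password($user, $pass)) {
    $auth = true;
}
echo "fixed: ", ($auth ? "logged in" : "denied"), "\n";
```

The fix is two habits, not one: give every security-relevant variable its failing value before the branch that may set it, and read request data only from $_GET, $_POST or $_COOKIE by name so that no unexpected key can become a variable.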
3. Verify and purify all input data.
4. Be careful when including files whose name comes from a variable.
If your script contains code like this:
require($page);
then you should make sure that $page does not come from an external source (such as $_GET), or, if it does, that it can only take the values you intend.
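One way to constrain $page, as an added example that is not part of the original article: the request parameter is a key into a fixed map of known files, so the value that reaches require() is always one the application wrote itself. The page names and paths in PAGES are constructed.

```php
<?php
// Added example, not the article's code. Resolves a page parameter through an
// allowlist instead of handing $_GET['page'] to require() directly.

const PAGES = [              // constructed map: request key => file on disk
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

function resolve_page(string $requested): ?string {
    // Only exact allowlist keys are accepted; a traversal string, a remote URL
    // or even a real path such as "pages/home.php" all resolve to null.
    return PAGES[$requested] ?? null;
}

$page = resolve_page((string)($_GET['page'] ?? 'home'));
if ($page === null) {
    http_response_code(404);
    exit('Unknown page');
}
require $page;
```

Validating the value (for example by stripping "../") is weaker than this lookup: the map never lets untrusted characters reach the filesystem at all, and adding a page means adding a line to PAGES rather than reviewing a filter.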
5. Be careful with functions that execute commands on the server.
These functions include eval(), exec(), system(), passthru(), popen() and the backtick operator (`). They can run commands on the server and should never be called with arbitrary input. If a variable must be part of the command, it needs a thorough security check, and it should additionally be pre-processed with escapeshellarg() or escapeshellcmd().
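Both steps from the paragraph above, validation and escapeshellarg(), applied to one command, as an added example that is not part of the original article. ping_host() and its hostname pattern are assumptions; the two sample inputs are constructed.

```php
<?php
// Added example, not the article's code. Runs a single external command with one
// user-supplied argument that can never be parsed as shell syntax.

function ping_host(string $host): string {
    // Validate before anything touches the shell. The first character may not be
    // '-', because escapeshellarg() protects against shell metacharacters, not
    // against the value being read as a command-line option.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$/', $host)) {
        throw new InvalidArgumentException('invalid host');
    }
    // escapeshellarg() single-quotes the value, so ; | ` $ ( ) and friends
    // become literal characters inside the argument.
    $cmd = 'ping -c 1 ' . escapeshellarg($host);
    $output = [];
    $status = 0;
    exec($cmd . ' 2>&1', $output, $status);
    return implode("\n", $output);
}

// Constructed inputs: the second one would chain a second command if concatenated unquoted.
var_dump(escapeshellarg('example.com'));
var_dump(escapeshellarg('example.com; echo injected'));
```

escapeshellcmd() escapes the whole command string rather than one argument; it is the right tool only when the entire string is under your control apart from already-quoted arguments. Where the command can be avoided altogether (for example by using a PHP library instead of a shell tool) that is the safer choice.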
6. Change the default session directory, or store session data in a database.
7. Do not use the file name supplied by the browser when saving an uploaded file on the server.
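A store routine for item 7, as an added example that is not part of the original article: the name on disk is generated by the server, and the browser-supplied name and MIME type are not used at all. UPLOAD_DIR, the ALLOWED type map and the form field name "photo" are assumptions.

```php
<?php
// Added example, not the article's code. Saves an uploaded image under a
// server-generated name; nothing the client sent becomes part of the path.

const UPLOAD_DIR = '/var/www/uploads';   // assumed directory outside the document root
const ALLOWED = ['image/png' => 'png', 'image/jpeg' => 'jpg'];

function store_upload(array $file): string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Decide the type from the file's content, not from $file['type'] or from
    // whatever extension the browser put on $file['name'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('unsupported file type');
    }
    // Random name: no path separators, no double extensions, no collisions between users.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not save file');
    }
    chmod($dest, 0640);   // not executable, not world-readable
    return $name;         // record this name in the database, never the client's
}

if (isset($_FILES['photo'])) {
    echo 'saved as ', htmlspecialchars(store_upload($_FILES['photo']), ENT_QUOTES, 'UTF-8');
}
```

If the original name has to be shown to users later, keep it as a separate database column and encode it on output; it should never influence where or how the file is stored.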
8. If submitted data needs to be displayed again in a web page, watch out for HTML and, more importantly, JavaScript. The submitted data can be processed with the function
string htmlspecialchars(string $string [, int $quote_style [, string $charset]])
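An output-encoding helper built on the function above, as an added example that is not part of the original article. It goes slightly beyond the text by also showing the JavaScript context, where HTML encoding alone is the wrong tool. The helper name e() and the sample comment are constructed.

```php
<?php
// Added example, not the article's code. Encodes submitted data for the context
// it is written into; htmlspecialchars() covers HTML, json_encode() covers JS.

function e(string $value): string {
    // ENT_QUOTES also encodes ' so the value is safe in single-quoted attributes;
    // naming the charset avoids multibyte surprises when the default is wrong.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$comment = $_POST['comment'] ?? '<script>alert(1)</script>';   // constructed sample input

// HTML body and attribute contexts: e() is sufficient.
echo '<p>', e($comment), '</p>';
echo '<input value="', e($comment), '">';

// JavaScript context: emit the value as JSON with the HTML-sensitive characters
// hex-escaped, so the browser parses it as data rather than as code or markup.
echo '<script>var comment = ',
     json_encode($comment, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT),
     ';</script>';
```

Encode at output time, in the template, rather than when the data is stored: the same value may later be written into HTML, JavaScript, a URL or an e-mail, and each context needs its own encoding.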
9. Do not expose PHP error messages on the site.
PHP error messages make it easier for you to find mistakes, but if they are shown on the web they can become an attacker's entry point.
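Runtime settings for items 6 and 9 together, as an added example that is not part of the original article. The session directory and log path are assumptions; register_globals (item 1) cannot be changed with ini_set() and has to be set to Off in php.ini.

```php
<?php
// Added example, not the article's code. Application bootstrap that keeps session
// files out of the shared default directory and keeps error detail off the page.

// Item 6: sessions in a per-application directory outside the document root,
// readable only by the web server user, instead of the shared /tmp default.
$sessionDir = '/var/lib/myapp/sessions';            // assumed path
if (!is_dir($sessionDir) && !mkdir($sessionDir, 0700, true)) {
    error_log("cannot create session directory $sessionDir");
    exit(1);
}
session_save_path($sessionDir);
ini_set('session.use_strict_mode', '1');           // reject ids the server did not issue

// Item 9: full detail for the operator in the log, nothing for the visitor.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/myapp/php_errors.log');   // assumed path
error_reporting(E_ALL);

// Uncaught exceptions get the same split: stack trace to the log, generic page out.
set_exception_handler(function (Throwable $e): void {
    error_log((string)$e);
    http_response_code(500);
    echo 'An internal error occurred.';
});

session_start();
```

Check the effect from outside: request a page that triggers a warning and confirm the response carries only the generic text while the entry, with file name and line, lands in the log.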
10. Prevent SQL injection attacks.
Use the database-specific escape function, such as mysqli_real_escape_string(), to make sure that submitted content cannot alter the query.
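The escape function from the paragraph above in use, followed by a prepared statement, as an added example that is not part of the original article (prepared statements are not mentioned in the text). It assumes a mysqli connection and a table users(id, name); the connection details are placeholders.

```php
<?php
// Added example, not the article's code. Assumes a MySQL table users(id, name);
// host, user, password and database are placeholders.

$db = new mysqli('localhost', 'app_user', 'PLACEHOLDER_PASSWORD', 'app_db');
$db->set_charset('utf8mb4');   // the escape function must know the connection charset

$name = $_GET['name'] ?? "O'Brien";   // constructed sample input

// Escaping, as the article recommends. The escaped value must still sit inside
// quotes: WHERE id = $id with an escaped but unquoted integer remains injectable.
$sql = "SELECT id, name FROM users WHERE name = '" . $db->real_escape_string($name) . "'";
$rows = $db->query($sql)->fetch_all(MYSQLI_ASSOC);

// Prepared statement: the value never becomes part of the query text, so there is
// nothing to escape and no quoting to get wrong.
$stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
$stmt->bind_param('s', $name);
$stmt->execute();
$rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
```

Escaping works only for values inside string literals; table names, column names and ORDER BY directions cannot be escaped or bound, and need an allowlist like the one used for included files.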
11. Never leave a phpinfo() script on the server.
This article has introduced basic PHP security techniques; I hope it is helpful to readers interested in PHP.