I. File system security
If PHP runs with root permission and a script lets users delete files, then unfiltered user-submitted data makes it very likely that system files will be deleted.
<?php
// Deletes the specified file from the user directory.
// This script is deliberately vulnerable: neither value is validated.
$username = $_POST['user_submitted_name'];
$userfile = $_POST['user_submitted_filename'];
$homedir  = "/home/$username";
unlink("$homedir/$userfile");
echo "The file has been deleted!";
?>
In the code above, if the user submits `../etc/` as $userfile, the script attempts to delete the /etc directory.
To guard against file system attacks, the policies are as follows:
Give PHP only the limited permissions it needs.
Monitor and filter every variable submitted by the user; it must not contain special characters such as file path separators.
Avoid using PHP to operate on files (especially deletion). If this is unavoidable, files that a user may delete must carry system-generated random names that the user cannot control.
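The three policies above applied to the deletion script, as an added example that is not part of the original article: the username and the stored filename are checked against fixed allow-lists, the name that can be deleted is the random one the application generated when it saved the file, and realpath() confirms that the resolved path still lies inside the user's directory. The directory layout (/home/<user>/uploads), the "f_" + 32 hex characters naming pattern and the helper names are assumptions of this example.

```php
<?php
// Added example (not from the original article): a hardened version of the
// file-deletion script. Assumptions: each user's files live under
// /home/<username>/uploads/ and were saved by the application under
// system-generated names of the form "f_" + 32 lowercase hex characters.
// The request field names are the article's own.

declare(strict_types=1);

// Allow-list for usernames: letters and digits only, bounded length.
function validUsername(string $name): bool
{
    return $name !== '' && strlen($name) <= 32 && ctype_alnum($name);
}

// Allow-list for stored filenames: the fixed pattern used when a file is saved.
function validStoredName(string $name): bool
{
    return preg_match('/\A f_[0-9a-f]{32} \z/x', $name) === 1;
}

// Hypothetical helper used at upload time: the application, not the user,
// chooses the name that can later be deleted.
function newStoredName(): string
{
    return 'f_' . bin2hex(random_bytes(16));
}

// Deletes one file and refuses anything that resolves outside $baseDir.
function deleteUserFile(string $username, string $storedName): bool
{
    if (!validUsername($username) || !validStoredName($storedName)) {
        return false;
    }
    $baseDir = realpath("/home/$username/uploads");
    if ($baseDir === false) {
        return false;
    }
    $target = realpath($baseDir . DIRECTORY_SEPARATOR . $storedName);
    // realpath() collapses ".." and symlinks, so a path outside $baseDir
    // cannot pass the prefix check below.
    if ($target === false || strpos($target, $baseDir . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return is_file($target) && unlink($target);
}

$username   = $_POST['user_submitted_name'] ?? '';
$storedName = $_POST['user_submitted_filename'] ?? '';

if (deleteUserFile($username, $storedName)) {
    echo "The file has been deleted!";
} else {
    http_response_code(400);
    echo "Invalid request.";
}
```

The PHP process should still run as an unprivileged account that owns only the upload directories; the checks above reduce what a request can reach, and the restricted account limits the damage if a check is ever bypassed.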
II. Database security
Database security is primarily about preventing SQL injection attacks. The policies for improving database security are as follows:
Do not use the root account or the database owner account to connect to the database, and restrict the IP addresses from which the database user is allowed to connect.
Use PHP's PDO extension with prepared statements, which effectively prevents SQL injection; besides the security benefit, PDO also offers a considerable performance advantage.
See http://php.net/manual/en/pdo.prepared-statements.php
Encrypt sensitive information, for example stored passwords.
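The database policies above in code, as an added example that is not part of the original article: a connection with a dedicated low-privilege account, a lookup written once with string interpolation (the injectable form) and once as a PDO prepared statement, and a password stored as a password_hash() digest instead of the password itself. The DSN, database name, table layout and account name are assumptions; the password placeholder must be replaced with a real credential from configuration.

```php
<?php
// Added example (not from the original article). Assumptions: a MySQL
// database named "app" reachable on 127.0.0.1, a table
// users(id, username, password_hash), and an application account
// "app_user" that holds only SELECT/INSERT rights on that table.

declare(strict_types=1);

function connect(): PDO
{
    // A dedicated application account, not root and not the database owner.
    $dsn = 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4';
    return new PDO($dsn, 'app_user', 'APP_PASSWORD_PLACEHOLDER', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Injectable form (shown for contrast, do not use): the username becomes
// part of the SQL text, so a quote character in it changes the query.
function findUserUnsafe(PDO $pdo, string $username): ?array
{
    $sql = "SELECT id, username, password_hash FROM users WHERE username = '$username'";
    $row = $pdo->query($sql)->fetch();
    return $row === false ? null : $row;
}

// Safe form: the value is bound as a parameter and never parsed as SQL.
function findUser(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare(
        'SELECT id, username, password_hash FROM users WHERE username = :u'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Store a one-way hash of the password, never the password itself.
function createUser(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO users (username, password_hash) VALUES (:u, :h)'
    );
    $stmt->execute([
        ':u' => $username,
        ':h' => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

// Verify against the stored hash; password_verify() is constant-time.
function checkLogin(PDO $pdo, string $username, string $password): bool
{
    $row = findUser($pdo, $username);
    return $row !== null && password_verify($password, $row['password_hash']);
}
```

The IP restriction belongs on the database side (for MySQL, the host part of the account, e.g. 'app_user'@'10.0.0.5'); nothing in the PHP code can enforce it.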
III. User data filtering
Filter user data to prevent XSS and CSRF attacks:
Use a white list where user input has a fixed pattern.
For example, if a username may contain only letters and digits, check it with the function ctype_alnum.
Process user input with htmlentities or htmlspecialchars before output; a user-supplied URL must not use a non-HTTP protocol.
Authenticate user actions with a token (against CSRF).
HTML Purifier (http://htmlpurifier.org/) is an effective open source solution for preventing XSS attacks.
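The filtering policies above combined in one profile form, as an added example that is not part of the original article: ctype_alnum() as the allow-list for the username, htmlspecialchars() on every value written into HTML, a URL check that accepts only http and https, and a per-session CSRF token compared with hash_equals(). The field names, helper names and session key are assumptions of this example.

```php
<?php
// Added example (not from the original article): allow-list validation,
// output escaping, URL scheme checking and a CSRF token in one page.
// Assumptions: PHP sessions are available; field and helper names are
// this example's own.

declare(strict_types=1);

session_start();

// Allow-list: a username has a fixed shape, so anything else is rejected.
function validUsername(string $name): bool
{
    return $name !== '' && strlen($name) <= 32 && ctype_alnum($name);
}

// Escape on output so user data is rendered as text, not parsed as HTML.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Accept only well-formed absolute http(s) URLs; any other scheme is refused.
function safeHttpUrl(string $url): ?string
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

// One random token per session, embedded in every state-changing form.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison of the submitted token with the session's copy.
function csrfTokenValid(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfTokenValid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token.');
    }
    $username = $_POST['username'] ?? '';
    $homepage = safeHttpUrl($_POST['homepage'] ?? '');
    if (!validUsername($username) || $homepage === null) {
        http_response_code(400);
        exit('Invalid input.');
    }
    // ... persist $username and $homepage here ...
    echo '<p>Saved profile for ' . h($username)
        . ', homepage <a href="' . h($homepage) . '">' . h($homepage) . '</a></p>';
    exit;
}
?>
<form method="post">
  <input type="hidden" name="csrf_token" value="<?= h(csrfToken()) ?>">
  <label>Username <input name="username"></label>
  <label>Homepage <input name="homepage"></label>
  <button type="submit">Save</button>
</form>
```

Validation happens on input and escaping on output: the username is stored as submitted (it already matches the allow-list), and every value is escaped at the point where it is written into HTML, including the attribute value of the link.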
IV. Other security policies
In the online (production) environment, turn off error reporting to the browser (error_reporting, display_errors). You can configure the error_log path in php.ini to log error messages to a file instead, which helps to discover possible user attacks.
Register Globals is a discarded (removed) feature; do not use it.
Do not enable the Magic Quotes feature; it was removed in PHP 5.4.
Try to use the latest version of PHP; the latest version fixes a number of known vulnerabilities and bugs.
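The error-reporting policy above as a production bootstrap file, an added example that is not part of the original article: everything is still reported, but to a log file rather than the browser, and uncaught exceptions go to the same log. The log path is an assumption; the equivalent php.ini directives are given in the comments.

```php
<?php
// Added example (not from the original article): production error handling.
// Assumption: /var/log/php/ exists, is writable by the PHP process and is
// outside the web root. The same settings can live in php.ini as
//   display_errors = Off
//   log_errors     = On
//   error_log      = /var/log/php/app-error.log

declare(strict_types=1);

// Report everything, but never to the browser.
error_reporting(E_ALL);
ini_set('display_errors', '0');

// Send messages to a file that visitors cannot read.
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app-error.log');

// Uncaught exceptions: log the detail, show the user a generic message.
set_exception_handler(function (Throwable $e): void {
    error_log(sprintf(
        'Uncaught %s: %s in %s:%d',
        get_class($e),
        $e->getMessage(),
        $e->getFile(),
        $e->getLine()
    ));
    http_response_code(500);
    echo 'An internal error occurred.';
});
```

Reviewing the log regularly is what turns this setting into the detection aid the article describes: bursts of warnings from one client, or errors mentioning unexpected paths or SQL syntax, are the traces of probing that would otherwise have been shown to the attacker instead.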
Code that strictly complies with these policies will basically not have too many security vulnerabilities and will resist common attacks.