Php injection prevention

The submitted parameters are not filtered or the filtering is not rigorous. The Hacker defense line has always been attacked. Here, let's take a rough look at the preventive methods.

First of all, I personally think the most important thing is to set magic_quotes_gpc to ON. It is used to convert single quotes, double quotation marks, backslash, and empty characters into characters containing backslash, for example, In the select * from admin where username = '$ username' and password =' $ password' statement, an attacker wants to skip verification with either 1 or 1 = '1. However, the strings will be converted into the following: select * from admin where username = 'A' and password = '1 \ 'or 1 = \ '1' to prevent injection, the fact is that the addslashes () operation is automatically performed. if not, define function processing. now it seems that the PHP injection users are also quite depressed, because mysql versions earlier than myslq4 do not support substatements, and the new version of mysql will enable the magic_quotes_gpc option by default.

The solution to the file inclusion vulnerability is to require programmers to avoid using variables for parameters in the file. If variables are used, they must strictly check the file name to be included, it cannot be specified by any user. We recommend that you set global_variables to off. For example, it is necessary to restrict the PHP operation path in the preceding file. In addition, you must disable the PHP Remote File opening function unless otherwise required. Modify the php. ini file: allow_url_fopen = Off (Note: See ).

Another point I think many websites will have this problem, that is, there is no error display. there may be nothing to look at, but some people who have been staring for a long time (the words are a bit wrong) can get information such as database information and the physical path of web files through error prompts.