PHP Programming Security Guide

Source: Internet
Author: User
Tags: php, programming, phpmyadmin, strong password

1. General
1) Harden the LAMP stack (Linux, Apache, MySQL, PHP) itself, not only the application
2) Harden php.ini (see section 6)
3) Use an MVC framework

2. Data transmission
1) Treat everything in $_GET, $_POST, $_COOKIE and $_REQUEST as untrusted: sanitize and validate it before the program acts on it
2) SQL injection
Definition: a code injection technique that exploits a vulnerability in the application's database layer. The vulnerability is present when user input is incorrectly filtered for string-literal escape characters before being embedded in an SQL statement, or when user input is not strongly typed, so that part of the input is unexpectedly executed as SQL.
Prevention: keep SQL text and data separate with prepared statements and bound parameters (PDO or mysqli). The function the original guide names, mysql_real_escape_string($string), belongs to the mysql extension that was removed in PHP 7.0; escaping (mysqli_real_escape_string()) only protects quoted string literals and is a last resort, not a substitute for parameterised queries.

3) Cross-site scripting (XSS)
Definition: a vulnerability, typically in web applications, that lets an attacker inject client-side script (usually JavaScript) into pages that are viewed by other users of the application.
Prevention: encode output for the context it is written into. For HTML text and attribute values use htmlspecialchars($string, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') (or htmlentities() with the same flags). The original guide's htmlentities(strip_tags($string)) also covers that context, but strip_tags() on its own is not a defence, and neither function is sufficient inside JavaScript, CSS or URL contexts.
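An added example (not from the original guide) showing why the encoding flags matter and why strip_tags() alone is not enough: the attacker payload is constructed for the demo and the helper name e() is this example's own.

```php
<?php
// Added example: context-aware output encoding for HTML text and attributes.
declare(strict_types=1);

// Encode for HTML text and double- or single-quoted attribute values.
// ENT_QUOTES encodes both quote characters (before PHP 8.1 the default left
// single quotes alone), ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string, and the charset must match the page's charset.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed attacker input: no tag at all, just an attribute break-out that
// adds an event handler to the surrounding <input>.
$payload = '" autofocus onfocus="alert(document.cookie)';

// strip_tags() has nothing to strip here, so the injected attribute survives.
echo 'strip_tags only: <input value="' . strip_tags($payload) . '">' . PHP_EOL;

// Encoded: the double quote becomes &quot;, so the attribute cannot be closed early.
echo 'encoded:         <input value="' . e($payload) . '">' . PHP_EOL;

// Same encoder in the text context: the script tag is rendered as inert text.
$script = '<script>alert(1)</script>';
echo 'text context:    <p>' . e($script) . '</p>' . PHP_EOL;
```

For data placed inside a `<script>` block, use `json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT)` instead; for URLs, validate the scheme (http/https) before writing the value out, since `javascript:` survives HTML encoding unchanged.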

3. Browser requests
1) Cross-site request forgery (CSRF)
Definition: the attack works by including a link or script in a page that targets a site to which the user is already authenticated. For example, a user Bob may be browsing a chat forum where another user, Alice, has just posted a message containing what looks like an image. Suppose Alice crafted that image tag so that its URL actually submits a withdrawal form on Bob's bank's website. If Bob's bank keeps his authentication in a cookie and the cookie has not expired, Bob's browser sends the withdrawal request together with the cookie when it tries to load the "image", and the transaction is authorised without Bob's consent.
Prevention: generate a unique, unguessable token, usually when the session starts, and include it in every state-changing request. When the request arrives, check that a token is present in the session and that the submitted token equals the one stored in the session before acting on it. State-changing actions should be accepted over POST only, so that a GET triggered by an image tag cannot perform them. (MVC frameworks such as CakePHP do this for you, which makes it easy to apply uniformly across the whole application.)
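The token scheme described above, as an added example that is not part of the original guide. The function and field names (csrf_token, csrf_field, csrf_check, require_csrf) are this example's own; the demo at the bottom substitutes an array for a real session so it runs from the command line.

```php
<?php
// Added example: per-session anti-CSRF token with constant-time verification.
declare(strict_types=1);

// Return the session's token, creating it on first use: 32 bytes from the
// CSPRNG, hex-encoded so it can be embedded in HTML without further escaping.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to include in every state-changing form.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Verify a submitted token against the session copy. hash_equals() compares
// in constant time, so the comparison does not leak the token through timing.
function csrf_check(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && $submitted !== null && hash_equals($expected, $submitted);
}

// In a request handler: refuse any POST whose token is missing or wrong.
function require_csrf(): void
{
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST'
        && !csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('invalid CSRF token');
    }
}

// Demo: stand-in for session_start() so this runs from the CLI without cookies.
$_SESSION = [];
echo csrf_field(), PHP_EOL;
$genuine = $_SESSION['csrf_token'];
var_dump(csrf_check($genuine));            // token copied from the real form
var_dump(csrf_check(strrev($genuine)));    // forged token of the right length
var_dump(csrf_check(null));                // token missing from the request
```

In a web page, call `session_start()` before using these, emit `csrf_field()` inside each form, and call `require_csrf()` at the top of every POST handler. Setting the session cookie's SameSite attribute (see the session example below) is a useful second layer but does not replace the token.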

4. Sessions
1) Destroy session data when the session ends
When the session is finished ("logout"), destroy the server-side session data, not only the cookie; otherwise a malicious user can restore a saved cookie and use the session again. Clear every index in $_SESSION and call session_destroy(). Also regenerate the session id (session_regenerate_id(true)) at login, so that an id obtained before authentication is not valid afterwards.
2) Store session files outside the webroot, or store sessions in a database
The default location where PHP saves session files on the server (for example /tmp) can be read or hijacked by other tenants, especially on shared hosting.
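An added example (not from the original guide) of the login and logout handling described above, with the session cookie flags a practitioner would set alongside it. The login()/logout() helpers and the `?action=logout` wiring are this example's own; the cookie parameters assume the site is served over HTTPS.

```php
<?php
// Added example: session hardening around login and logout (PHP 7.3+ for the
// array forms of session_set_cookie_params() and setcookie()).
declare(strict_types=1);

// use_strict_mode refuses session ids the server never issued, which defeats
// session fixation; use_only_cookies stops ids arriving in the URL.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
// HttpOnly keeps JavaScript away from the id, Secure limits it to HTTPS,
// SameSite=Lax stops the browser attaching it to most cross-site requests.
session_set_cookie_params([
    'lifetime' => 0, 'path' => '/', 'secure' => true,
    'httponly' => true, 'samesite' => 'Lax',
]);
session_start();

// After credentials have been verified: swap the session id so a pre-login id
// an attacker may already know does not become an authenticated one.
function login(int $userId): void
{
    session_regenerate_id(true);   // true: delete the old session record
    $_SESSION['user_id'] = $userId;
}

// Logout: wipe the server-side data, not just the cookie, otherwise a saved
// copy of the cookie revives the session.
function logout(): void
{
    $_SESSION = [];                                 // empty every index
    if (ini_get('session.use_cookies')) {           // expire the cookie too
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000, 'path' => $p['path'],
            'domain'   => $p['domain'],   'secure' => $p['secure'],
            'httponly' => $p['httponly'], 'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();                              // remove the server-side record
}

// Example wiring; a real login handler verifies the password before calling login().
if (($_GET['action'] ?? '') === 'logout') {
    logout();
    header('Location: /');
    exit;
}
```

To move the files out of the default directory, set `session.save_path` in php.ini (section 6) or call `session_save_path('/path/above/webroot/sessions')` before `session_start()`; for a database store, register a `SessionHandlerInterface` implementation with `session_set_save_handler()`.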

5. Passwords
1) Require strong passwords
Require digits, symbols, uppercase and lowercase letters
Require a minimum length of 12 to 14 characters
2) Hashing (not encryption)
Store password hashes, never plaintext. The original guide recommends at least sha1() (never md5()) or a stronger hash() algorithm such as SHA-256 with an application-specific salt; that advice is outdated. SHA-1 and SHA-256 are fast general-purpose hashes and allow billions of guesses per second offline, salted or not. Use password_hash() and password_verify() (PHP 5.5+), which apply a slow, salted password-hashing algorithm (bcrypt by default, Argon2id where compiled in) and manage the salt for you.
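An added example (not from the original guide) implementing the password policy from 1) and the storage from 2). The function names and the test passwords are this example's own; the 12-character minimum and the character-class rules follow the guide.

```php
<?php
// Added example: password policy check plus password_hash()/password_verify().
declare(strict_types=1);

// Returns the policy rules the password fails; an empty array means it passes.
// strlen() counts bytes, which is also what bcrypt sees (it uses the first 72).
function password_policy_errors(string $password): array
{
    $rules = [
        'at least 12 characters' => strlen($password) >= 12,
        'a digit'                => preg_match('/[0-9]/', $password) === 1,
        'a lowercase letter'     => preg_match('/[a-z]/', $password) === 1,
        'an uppercase letter'    => preg_match('/[A-Z]/', $password) === 1,
        'a symbol'               => preg_match('/[^A-Za-z0-9]/', $password) === 1,
    ];
    return array_keys(array_filter($rules, fn(bool $ok): bool => !$ok));
}

// Store: password_hash() draws a random salt, runs a deliberately slow
// algorithm (bcrypt for PASSWORD_DEFAULT) and embeds algorithm, cost and salt
// in the returned string, so no separate salt column or app-wide secret is needed.
function store_password(string $password): string
{
    if (password_policy_errors($password) !== []) {
        throw new InvalidArgumentException('password does not meet the policy');
    }
    return password_hash($password, PASSWORD_DEFAULT);
}

// Verify at login. password_needs_rehash() reports when the stored hash uses an
// older algorithm or cost than PASSWORD_DEFAULT now implies; the caller should
// then persist the fresh hash returned in $rehash.
function verify_password(string $password, string $storedHash, ?string &$rehash = null): bool
{
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $rehash = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Demo with constructed inputs.
print_r(password_policy_errors('password'));             // fails several rules
print_r(password_policy_errors('Correct-Horse-7-Battery'));

$hash = store_password('Correct-Horse-7-Battery');
echo 'stored form starts with ', substr($hash, 0, 7), PHP_EOL;   // algorithm and cost prefix
var_dump(verify_password('Correct-Horse-7-Battery', $hash));
var_dump(verify_password('wrong password', $hash));
```

Contrast with `sha1($appSalt . $password)`: the application-wide salt only stops precomputed tables, and an attacker who obtains the database plus the salt still tests guesses at SHA-1 speed. bcrypt's cost factor (default 10) makes each guess roughly a hundred thousand times slower.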

6. General php.ini configuration
1) Disable register_globals
Prevention: register_globals = Off (the directive was removed in PHP 5.4; on older versions it must be Off)
2) Disable magic quotes
Prevention: magic_quotes_gpc = Off (also removed in PHP 5.4; magic quotes were never a reliable SQL injection defence)
3) Disable error display
Prevention: display_errors = Off (errors shown to users leak file paths, queries and stack traces)
4) Enable error logging and write the log file to a directory above the web root
Prevention: log_errors = On
ignore_repeated_errors = On
html_errors = Off
error_log = /path/above/webroot/logs/php_error_log
5) Save session data outside the webroot directory
Prevention: session.save_path = /path/above/webroot/sessions
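An added example (not from the original guide): a script that checks at runtime whether the settings above are actually in effect, usable as a deployment or CI check. The expected values are the guide's; the helper names are this example's own, and the path check assumes session.save_path holds a plain directory path.

```php
<?php
// Added example: runtime audit of the php.ini hardening in this section.
declare(strict_types=1);

function ini_bool(string $directive): bool
{
    // ini_get() returns false for directives this PHP version no longer has
    // (register_globals and magic_quotes_gpc were removed in 5.4); that is "Off".
    return filter_var(ini_get($directive), FILTER_VALIDATE_BOOLEAN);
}

// True when $path resolves to a location inside $dir (symlinks resolved).
function under_dir(string $path, string $dir): bool
{
    $real = realpath($path);
    $base = realpath($dir);
    return $real !== false && $base !== false
        && strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
}

// Returns a list of findings; an empty list means every check passed.
function audit_ini(string $docRoot): array
{
    $problems = [];
    foreach (['register_globals', 'magic_quotes_gpc', 'display_errors', 'html_errors'] as $d) {
        if (ini_bool($d)) {
            $problems[] = "$d must be Off";
        }
    }
    foreach (['log_errors', 'ignore_repeated_errors'] as $d) {
        if (!ini_bool($d)) {
            $problems[] = "$d must be On";
        }
    }
    // error_log names a file, session.save_path a directory: both must be set,
    // exist, and lie outside the document root. (session.save_path may also use
    // the "N;MODE;/path" form; this check assumes a plain path.)
    $dirs = [
        'error_log'         => dirname((string) ini_get('error_log')),
        'session.save_path' => (string) ini_get('session.save_path'),
    ];
    foreach ($dirs as $d => $dir) {
        if ($dir === '' || $dir === '.' || realpath($dir) === false) {
            $problems[] = "$d is unset or does not name a path under an existing directory";
        } elseif ($docRoot !== '' && under_dir($dir, $docRoot)) {
            $problems[] = "$d lies inside the web root $docRoot";
        }
    }
    return $problems;
}

$docRoot  = (string) ($_SERVER['DOCUMENT_ROOT'] ?? '');   // empty when run from the CLI
$problems = audit_ini($docRoot);
echo $problems ? implode(PHP_EOL, $problems) : 'php.ini hardening: all checks passed';
echo PHP_EOL;
exit($problems ? 1 : 0);
```

Run it once through the web server (for example as a temporary script that you delete afterwards) rather than only from the CLI, because `php-cli` and `php-fpm`/`mod_php` commonly read different php.ini files and the web one is the one that matters.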

7. .htaccess file in the webroot
1) Disable directory listings site-wide
Prevention: Options -Indexes

8. Important/sensitive files
1) Prevent unauthorised access and downloads
This includes the site administration and member areas, website and database configuration files, and so on.
2) Serve protected files through an intermediary script that sends them as attachments, rather than exposing them by direct URL
3) Keep third-party scripts (WordPress, phpMyAdmin, etc.) updated, and change their passwords regularly
4) Allow access to phpMyAdmin only while you are actually using it; this limits the window in which others can exploit a "zero-day" vulnerability in it against you
A "zero-day" (0-day) vulnerability is one that is exploited as soon as it is discovered, before a patch is available. In plain terms, malicious code appears on the same day the flaw becomes public. Such attacks are abrupt and can be very destructive.
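The intermediary script from 2), as an added example that is not part of the original guide. The directory constant, the user_may_download() authorisation stub and the `?file=` parameter are this example's own; it assumes the protected files live in a directory outside the document root, as section 9 also requires for uploads.

```php
<?php
// Added example: serve files from outside the webroot, as attachments, only to
// authorised users, with the requested name confined to the download directory.
declare(strict_types=1);

const DOWNLOAD_DIR = '/path/above/webroot/private_files';   // assumption: not under DOCUMENT_ROOT

// Placeholder: replace with the application's real authorisation check.
function user_may_download(): bool
{
    return isset($_SESSION['user_id']);
}

function send_download(string $requested): void
{
    if (!user_may_download()) {
        http_response_code(403);
        exit('forbidden');
    }
    // Accept a plain file name only: no slashes, no "..", no control bytes, bounded length.
    if (!preg_match('/^[A-Za-z0-9._-]{1,100}$/D', $requested) || strpos($requested, '..') !== false) {
        http_response_code(400);
        exit('bad file name');
    }
    // realpath() resolves symlinks and "."; the result must still be a regular
    // file strictly inside the base directory.
    $base = realpath(DOWNLOAD_DIR);
    $path = realpath(DOWNLOAD_DIR . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false || !is_file($path)
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        http_response_code(404);
        exit('not found');
    }
    // A generic type, nosniff and an attachment disposition make the browser
    // save the file instead of rendering it, so an uploaded HTML or SVG file
    // cannot run script in this site's origin.
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($path));
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    readfile($path);
    exit;
}

session_start();
send_download((string) ($_GET['file'] ?? ''));
```

If files are large, replace `readfile()` with a chunked `fopen()`/`fread()` loop or the web server's X-Sendfile mechanism so PHP does not buffer the whole file; the checks above stay the same.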

9. File uploads
1) Always validate $_FILES before touching the data: check that the expected entry exists and that its error code is UPLOAD_ERR_OK
2) The MIME type the client supplies ($_FILES[...]['type']) can be spoofed or simply wrong; determine the type from the file's content on the server
3) Move all user-uploaded files to a directory above the website's root directory
4) Never execute user-uploaded files, and never load them with include or require
5) Treat generic declared types such as application/octet-stream, application/unknown or text/plain as uninformative rather than as proof that a file is harmless
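An added example (not from the original guide) of an upload handler that applies the five rules above in one place. The directory, size limit, allowed-type table and field name are this example's own placeholders; it assumes a single-file form field rather than a `name[]` array.

```php
<?php
// Added example: upload handler that validates $_FILES, sniffs the content
// type, and stores the file under a random name outside the webroot.
declare(strict_types=1);

const UPLOAD_DIR = '/path/above/webroot/uploads';   // assumption: not under DOCUMENT_ROOT
const MAX_BYTES  = 2 * 1024 * 1024;
// Detected MIME type => extension we assign. The client's file name and
// declared type are never used for anything.
const ALLOWED_TYPES = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'application/pdf' => 'pdf'];

// Returns the stored path on success, or a short error message.
function handle_upload(string $field): string
{
    // 1) The entry must exist and the transfer must have completed without error.
    if (!isset($_FILES[$field]) || !is_array($_FILES[$field])) {
        return 'no file field';
    }
    $f = $_FILES[$field];
    if ($f['error'] !== UPLOAD_ERR_OK) {
        return 'upload error code ' . $f['error'];
    }
    if ($f['size'] > MAX_BYTES) {
        return 'file too large';
    }
    // Only a file PHP itself received in this POST, not an arbitrary path.
    if (!is_uploaded_file($f['tmp_name'])) {
        return 'not an uploaded file';
    }
    // 2) and 5) Sniff the bytes; $f['type'] is client-supplied and worthless,
    //    and a generic type like application/octet-stream is not on the allow-list.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($f['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        return "type $mime not allowed";
    }
    // 3) Random name with an extension we choose, in a directory above the webroot.
    // 4) Nothing in UPLOAD_DIR is ever include()d or executed; files are only
    //    read back through a download script, so even a valid PNG with PHP code
    //    appended after the image data stays inert.
    $dest = UPLOAD_DIR . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        return 'could not store file';
    }
    chmod($dest, 0640);   // readable by the application, not executable
    return $dest;
}

echo handle_upload('document'), PHP_EOL;
```

Record the mapping from the random name to the user's original file name in the database if you need to display it, and encode that name on output as in section 2; never rebuild a path from it.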

10. Other
"Utility" files and programs that developers create under the webroot for their own use, and that are not meant to be reached by site users, should be removed before the site is exposed to the internet, to reduce its attack surface.

