PHP security defense tips

PHP code security and XSS, SQL injection, and so on are very useful for the security of various types of websites, especially UGC (User Generated Content) websites, forums, and e-commerce websites, it is often the hardest hit area of XSS and SQL injection. This section briefly introduces some basic programming points. Compared with system security, php security defense requires programmers to be more careful with the various parameters entered by users.

Php compilation Security
We recommend that you install the Suhosin patch. You must install the security patch.

Php. ini Security Settings
Register_global = off
Magic_quotes_gpc = off
Display_error = off
Log_error = on
# Allow_url_fopen = off
Expose_php = off
Open_basedir =
Safe_mode = on
Disable_function = exec, system, passthru, shell_exec, escapeshellarg, escapeshellcmd, proc_close, proc_open, dl, popen, show_source, get_cmd_var
Safe_mode_include_dir =

Db SQL preprocessing
Mysql_real_escape_string (many PHPer still rely on addslashes to prevent SQL injection, but this method still has problems with Chinese encoding. The problem with addslashes is that hackers can use 0xbf27 to replace single quotes. in GBK encoding, 0xbf27 is not a valid character. Therefore, addslashes only converts 0xbf5c27 into a valid multi-byte character, 0xbf5c is still regarded as a single quotation mark. For details, see this article ). You must specify the correct character set when using the mysql_real_escape_string function. Otherwise, problems may still occur.
Prepare + execute (PDO)
ZendFramework can use quote or quoteInto of the DB class. These two methods do not need to be implemented based on various databases. They are not used like mysql_real_escape_string but only for mysql.

User input processing
If you do not need to retain HTML tags, use the following method:

Strip_tags: delete all html tags in string
Htmlspecialchars, escape only the characters "<", "> ", ";", "'"
Htmlentities, escape all html

When HTML tags must be retained, consider the following tools:
HTML Purifier: HTML Purifier is a standards-compliant HTML filter library written in PHP.
Php html Sanitizer: Remove unsafe tags and attributes from HTML code
HtmLawed: PHP code to purify & filter HTML

Upload files
Use the is_uploaded_file and move_uploaded_file functions and use the HTTP_POST_FILES [] array. The PHP interpretation function of the upload directory is removed to prevent users from uploading php scripts.
You can use the File_upload module in the ZF framework.

Secure Session, Cookie, and Form processing
Do not rely on cookies for core verification. Important information must be encrypted. Hash the transmitted data before Form Post. For example, the form elements you send are as follows:

Program code

<Pre lang = "php"> <input type = "hidden" name = "H [name]" value = "<? Php echo $ Oname?> "/>
<Input type = "hidden" name = "H [age]" value = "<? Php echo $ Oage?> "/>
<? Php $ sign = md5 ('name'. $ Oname. 'age'. $ Oage. $ secret);?>
<Input type = "hidden" name = "hash" value = "<? Php echo $ sign?> ""/>


Verify the parameters after the POST is returned.

Program code
Copy codeThe Code is as follows:
$ Str = "";
Foreach ($ _ POST ['H'] as $ key => $ value ){
$ Str. = $ key. $ value;
}
If ($ _ POST ['hash']! = Md5 ($ str. $ secret )){
Echo "Hidden form data modified"; exit;
}


PHP security detection tools (XSS and SQL Insertion)
Wapiti-Web application security auditor (Wapiti-small site vulnerability detection tool) (SQL injection/XSS attack detection tool)
Installing/usage:
Apt-get install libtidy-0.99-0 python-ctypes python-utidylib
Python wapiti. py http: // Your Website URL/-m GET_XSS
Pixy: XSS and SQLI vulnerability for PHP (Pixy-PHP source code Defect Analysis Tool)
Installing: apt-get install default-jdk
Remote PHP Vulnerability (Automated PHP page Defect Analysis, strong XSS detection function)
PHPIDS-PHP Intrusion Detection System