1. In php.ini, set open_basedir = "d:\wwwroot" // PHP can then only access files under the specified site directory
2. In php.ini, set disable_functions = system,passthru,exec,shell_exec,popen,phpinfo // prohibits calling these functions
3. In php.ini, change display_errors = On to display_errors = Off // stops error messages from being displayed to visitors
4. Cross-site scripting attacks (XSS)
Defense method: write a filtering function or use htmlentities() to filter HTML and JavaScript tags
5. SQL Injection Vulnerability
Defense method: write a filtering function or use addslashes() to filter SQL keywords
6. Cross-site request forgery (CSRF, also used for anti-hotlinking)
If a delete request is processed without checking where it came from, anyone can delete the record.
Defense method: on the page that issues the request, add
session_start();
$token = md5(uniqid(rand(), true));
$_SESSION['token'] = $token;
Add to the form:
<input type="hidden" name="token" value="<?= $token ?>"/>
Verify on the receiving page, for example:
if (isset($_SESSION['token']) && $_POST['token'] == $_SESSION['token'])
{
    // execute the statement if validation succeeds
}
7. Preventing repeated form submission
Workaround:
On the submission page, do the following:
session_start();
$_SESSION['conn'] = time();
$_SESSION['Connid'] = time();
<input type="hidden" name="Connid" value="<?= $_SESSION['Connid'] ?>"/>
The receiving page is as follows:
if ($_SESSION['conn'] != $_POST['Connid'])
{
    echo 'repeat submit';
}
else
{
    echo 'Verification passed, processing content';
    unset($_SESSION['conn']); // invalidate the value so that submitting the same form again is detected as a repeat
}
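Sections 6 and 7 both rely on a per-form value stored in the session and echoed back in a hidden field. The following is an added example, not code from the original page, that combines the two: one unpredictable token per form, compared in constant time and discarded after the first use, so that both a forged request and a replayed or double-clicked submission are rejected. The function names are my own, and the session is passed in as a plain array (standing in for $_SESSION) so the script runs from the command line.

```php
<?php
// Added example: one-time form token covering CSRF (section 6) and
// duplicate submission (section 7). $session stands in for $_SESSION.

function issue_token(array &$session, string $form): string {
    // random_bytes() gives an unpredictable token; md5(uniqid(rand(), true))
    // is derived from the clock and is easier to guess.
    $token = bin2hex(random_bytes(32));
    $session['tokens'][$form] = $token;   // one token per form name
    return $token;
}

function hidden_field(string $token): string {
    // Escape the value even though it is hex, so the habit carries over
    // to fields that hold user-controlled data.
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '"/>';
}

function consume_token(array &$session, string $form, array $post): bool {
    $expected = $session['tokens'][$form] ?? null;
    $given    = $post['token'] ?? null;
    if (!is_string($expected) || !is_string($given)) {
        return false;                     // no token issued or none submitted
    }
    // hash_equals() compares in constant time and does not apply the loose
    // numeric coercion that == uses on strings such as "0e123".
    $ok = hash_equals($expected, $given);
    // Remove the token whether or not it matched: a second POST carrying the
    // same value (refresh, double click, replayed request) is rejected.
    unset($session['tokens'][$form]);
    return $ok;
}

// Constructed walk-through: render the form, submit once, then submit again.
$session = [];
$token = issue_token($session, 'delete_record');
echo hidden_field($token), "\n";
var_dump(consume_token($session, 'delete_record', ['token' => $token]));   // first submission
var_dump(consume_token($session, 'delete_record', ['token' => $token]));   // same token again
var_dump(consume_token($session, 'delete_record', ['token' => 'guess']));  // wrong token
```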
8. File upload vulnerability
Filter the image type, file extension and file size when handling uploads
PHP Security Processing