PHP websites with high security and php Security

Several practical points for making PHP websites with high security and php Security. PHP is the most popular Web application programming language. However, it also provides several practical points for PHP websites with high security and other scripting languages.

As we all know, PHP is already the most popular Web application programming language. But like other scripting languages, PHP also has several dangerous security vulnerabilities. So in this tutorial, we will look at some practical skills to avoid some common PHP security problems.

Tip 1: Use appropriate error reports

In the development process, many programmers forget to make program error reports. this is a great mistake, because proper error reports are not just the best debugging tool, it is also an excellent security vulnerability detection tool, which allows you to find out the problems you will encounter before the application is launched.
Of course, there are also many ways to enable error reporting. For example, in the php. in configuration file, you can set to enable it at runtime.

Start error report
Error_reporting (E_ALL );

Disable error report
Error_reporting (0 );

Tip 2: Do not use the Weak attribute of PHP

Several PHP attributes need to be set to OFF. Generally, they exist in PHP4, which is not recommended in PHP5. These attributes are removed, especially in PHP6.

Register global variables
When register_globals is set to ON, it is equivalent to setting Environment, GET, POST, COOKIE, or Server variables as global variables. In this case, you do not need to write $ _ POST ['username'] to obtain the form variable 'username'. you only need '$ username' to obtain this variable.
So you must be wondering why not use register_globals as it is so convenient to set register_globals to ON? If you do this, there will be a lot of security issues, and it may also conflict with the local variable name.
For example, first look at the following code:

The code is as follows:

If (! Empty ($ _ POST ['username']) & $ _ POST ['username'] = 'test123 ′&&! Empty ($ _ POST ['password']) & $ _ POST ['password'] = "pass123 ″)
{
$ Access = true;
}

If register_globals is set to ON during running, you only need to transmit access = 1 in a query string to get everything that the PHP script runs.
Disable global variables in. htaccess

The code is as follows:

Php_flag register_globals 0

Disable global variables in php. ini

The code is as follows:

Register_globals = Off

Disable Magic Quotes like magic_quotes_gpc, magic_quotes_runtime, and magic_quotes_sybase.
Set in the. htaccess file

The code is as follows:

Php_flag magic_quotes_gpc 0
Php_flag magic_quotes_runtime 0

Set in php. ini

The code is as follows:

Magic_quotes_gpc = Off
Magic_quotes_runtime = Off
Magic_quotes_sybase = Off

Tip 3: verify user input

You can also verify the user input. First, you must know the data type you want the user to input. In this way, you can prepare your browser to defend against malicious attacks.

Tip 4: Avoid cross-site scripting attacks

In Web applications, users simply accept user input forms and then feedback the results. When accepting user input, it is very dangerous to allow HTML format input, because it allows JavaScript to be executed directly after being intruded in an unpredictable way. Even if there is one such vulnerability, cookie data may be stolen, resulting in user account theft.

Tip 5: prevent SQL injection attacks

PHP basically does not provide any tools to protect your database, so when you connect to the database, you can use the following mysqli_real_escape_string function.

The code is as follows:

$ Username = mysqli_real_escape_string ($ GET ['username']);
Mysql_query ("SELECT * FROM tbl_employee WHERE username = '". $ username. "'");

Well, in this short article, we have explained several PHP security issues that cannot be ignored during development. But whether or not to use it is determined by developers. I hope this article will help you.

Everyone knows that PHP is currently the most popular Web application programming language. But it also works with other scripting languages...