1. Restrict the directories the script can access with open_basedir, which limits what a PHP Trojan (web shell) can reach to a certain extent, for example:
open_basedir = D:/usr/WWW
PHP can then only open files within the specified directory tree.
2. Set disabled functions
disable_functions can be used in php.ini even with safe_mode = off.
In php.ini, for example:
disable_functions = phpinfo, get_assist_var
or
disable_functions = passthru, exec, shell_exec, system, fopen, mkdir, rmdir, chmod, unlink, dir, fopen, fread, fclose, fwrite, file_exists, closedir, is_dir, readdir, opendir, fileperms, copy, unlink, delfile
But not every file function can be disabled this way.
3. Enable magic_quotes_gpc
It is off by default. When it is on, GET/POST/cookie input is escaped automatically.
When it is off, escape the input yourself with addslashes().
4. There are many anti-injection programs on the Internet, for example:
<?php
/*
PHP site-wide anti-injection program; it must be require_once'd from a common include file.
By dust prodigal son QQ: 156544632 http://156544632.cn
*/
// Check the magic_quotes_gpc status: escape the input here only when PHP has not
// already done so, otherwise every quote would be escaped twice.
// (get_magic_quotes_gpc() no longer exists in PHP 8, hence the function_exists() guard.)
if (!function_exists('get_magic_quotes_gpc') || !@get_magic_quotes_gpc()) {
    $_GET    = sec($_GET);
    $_POST   = sec($_POST);
    $_COOKIE = sec($_COOKIE);
    $_FILES  = sec($_FILES);
}
$_SERVER = sec($_SERVER);

function sec($array) {
    // If it is an array
    if (is_array($array)) {
        // Traverse the array
        foreach ($array as $k => $v) {
            // Recursive call
            $array[$k] = sec($v);
        }
    } elseif (is_string($array)) {
        // Escape quotes, backslashes and NUL bytes with addslashes()
        $array = addslashes($array);
    } elseif (is_numeric($array)) {
        // Force numbers to integers with intval()
        $array = intval($array);
    }
    return $array;
}

function num_check($id) {
    if (!$id) { die('Parameter cannot be blank!'); }            // empty check
    elseif (inject_check($id)) { die('Invalid parameter!'); }    // injection check
    elseif (!is_numeric($id)) { die('Invalid parameter!'); }     // number check
    $id = intval($id); // cast to integer
    return $id;
}

function str_check($str) {
    $str = htmlspecialchars($str); // encode HTML special characters
    return $str;
}

function search_check($str) {
    $str = str_replace("_", "\_", $str); // escape the LIKE wildcard '_'
    $str = str_replace("%", "\%", $str); // escape the LIKE wildcard '%'
    $str = htmlspecialchars($str);       // encode HTML special characters
    return $str;
}

function post_check($str, $min = null, $max = null) {
    if (isset($min) && strlen($str) < $min) {
        die("At least $min bytes");
    } elseif (isset($max) && strlen($str) > $max) {
        die("At most $max bytes");
    }
    // $str is a single string here (strlen() was just called on it), so plain
    // stripslashes() replaces the undefined stripslashes_array() of the original
    return stripslashes($str);
}

function inject_check($sql_str) {
    // Case-insensitive blacklist of SQL keywords and path/comment metacharacters
    // (eregi() was removed in PHP 7, so preg_match() is used instead)
    return preg_match('/select|insert|update|delete|\'|\/\*|\.\.\/|\.\/|union|into|load_file|outfile/i', $sql_str);
}
?>
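The program above relies on a keyword blacklist (inject_check) and on addslashes() to keep user input out of SQL. As an added example that is not part of the original article, the following shows the same three input kinds it handles (a numeric id, a LIKE search term, a value echoed back as HTML) protected with PDO prepared statements instead, including the '%' and '_' escaping that search_check() performs. An in-memory SQLite database and a hypothetical comments table are constructed inline so it runs stand-alone.

```php
<?php
// Added example, not the article's code. Assumes: PDO with the SQLite driver,
// and a constructed `comments` table that exists only for this demonstration.

function db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');
    $ins = $pdo->prepare('INSERT INTO comments (author, body) VALUES (?, ?)');
    // Constructed sample rows: one author with a quote, one body with a literal '%'
    foreach ([["o'neil", "100% done"], ["admin", "hello world"]] as $row) {
        $ins->execute($row);
    }
    return $pdo;
}

// Numeric id: validate the type explicitly instead of blacklisting keywords,
// then bind it as a parameter so it can never be parsed as SQL.
function comment_by_id(PDO $pdo, string $id): ?array {
    if (!ctype_digit($id)) {
        return null; // rejects '', '-1', '1.0' and '1 OR 1=1' before any SQL is sent
    }
    $st = $pdo->prepare('SELECT id, author, body FROM comments WHERE id = ?');
    $st->execute([(int) $id]);
    return $st->fetch(PDO::FETCH_ASSOC) ?: null;
}

// LIKE search: binding keeps the value out of the SQL grammar, but '%' and '_'
// are still LIKE metacharacters, so they are escaped (what search_check() does).
function search_body(PDO $pdo, string $term): array {
    $escaped = addcslashes($term, '%_\\');
    $st = $pdo->prepare('SELECT id, author FROM comments WHERE body LIKE ? ESCAPE \'\\\'');
    $st->execute(['%' . $escaped . '%']);
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

// HTML output: encode at the point of rendering, not at the point of input,
// so the stored value stays intact for other consumers.
function render_author(array $row): string {
    return htmlspecialchars($row['author'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$pdo = db();
var_dump(comment_by_id($pdo, '1 OR 1=1'));   // rejected by ctype_digit(), no query runs
echo render_author(comment_by_id($pdo, '1')), "\n";
print_r(search_body($pdo, '100%'));          // matches only the literal "100%" body
print_r(search_body($pdo, "' OR 1=1 --"));   // bound as data, matches nothing
```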
4. Prevent remote file inclusion
Disable allow_url_fopen in php.ini (allow_url_fopen = Off).
5. Prevent a saved copy of the form from being submitted again
Reject POST requests whose Referer host does not match the Host header:
if ($_SERVER['REQUEST_METHOD'] == 'POST'
    && (empty($_SERVER['HTTP_REFERER'])
        || preg_replace("/https?:\/\/([^\:\/]+).*/i", '$1', $_SERVER['HTTP_REFERER'])
           != preg_replace("/([^\:]+).*/", '$1', $_SERVER['HTTP_HOST']))) {
    die('Incorrect request origin');
}
6. When user content is echoed back to the screen, for example a comment, filter out the HTML
// Clean HTML out of user content
function html_clean($content) {
    $content = htmlspecialchars($content);              // encode < > & " as entities
    $content = str_replace("\n", "<br />", $content);   // line breaks
    $content = str_replace(" ", "&nbsp;", $content);    // spaces
    $content = str_replace("\t", "&nbsp;", $content);   // tabs
    // Turn [quote=name]...[/quote] into a quoted block; the HTML tags of the
    // original replacement string were lost in extraction, <blockquote> is assumed here
    $content = preg_replace("/\[quote=(.*?)\]\s*(.+?)\s*\[\/quote\]/is",
        '<blockquote>Quoting $1:<br />$2</blockquote>', $content);
    return $content;
}