Security Tips-how to write secure PHP code. As the website owner or practitioner, they all hope that their websites can be operated securely. However, in many cases, website development is neglected, it is likely to become a huge security risk for the website. as the website owner or practitioner, they all hope that their websites can be operated securely. However, in many cases, there is little negligence in website development, it is likely to become a huge security risk for the website. Today, there are many web development tools and languages, and PHP is one of them. The PHP language has unparalleled security features, but it has not attracted the attention of many website developers. Website security can ensure the security of sensitive data of enterprise employees, and even effectively prevent server hijacking and other problems. I will discuss some suggestions for PHP development and hope to help you.
First, the most important thing is to find out various variables and user input data. Many variables you have never noticed may become an excellent way for malware to spread infections. We can assume that some code is not too secure on your website, but it runs normally. Attackers can exploit these vulnerabilities to launch attacks on your website. Do not underestimate these inconspicuous variable names. once these vulnerabilities are exploited by hackers, they not only delete files, but also delete the entire password system or other sensitive information, in the end, it may cause huge damage to the normal operation of the server.
The website administratorThe external input file must check whether malicious code exists in its content.At the same time, database security is also crucial. Database security will certainly involve a lot of SQL injection and other attack methods, which are not described in detail here. if you want to know database security information, I will introduce it in detail as needed.
Magic Quotes
Magic Quotes is useful when processing user file input. When this option is enabled (in your php. ini file), it will separate all single quotes and double quotes, or separate NULL bytes from your input information. When Magic is enabled A question in Quote is whether you want your users to filter the quotation marks. If you disable Magic Quote can analyze the string of user input data in "runtime.
If you are not familiar with PHP, I suggest you enable this function until you have learned how to analyze and present user input data. I personally suggest using the "clear" function I wrote. I will provide you with a template so that you can write a clear function by yourself.
Function clean ($ string) { $ String = stripslashes ($ string ); $ String = htmlentities ($ string ); $ String = strip_tags ($ string ); Return $ string; } ?> |
If your user is submitting a form that requires user name verification, you can use the following features:
$ Username = $ _ POST [username]; Echo clean ($ mystring ); ?> |
For this Magic For Quote, there are three commands to implement. You can refer to the php.net website or php manual. These three indicators are basically magic_quotes_gpc, which are used to process access requests (get, post, cookies ). Magic_quotes_runtime is used to process files, databases, and external files. The third type is magic_quotes_sybase. if it is activated, magic_quotes_gpc will be discarded directly.
Security obtained through haze
You may not have noticed it recently, but I found that ASP (Active Server Page Dynamic Server homepage) or PERL (GGI scripting language) can be found in PHP languages on some websites) extension Language. we can be 100% sure that this website uses a PHP/SQL-based architecture. This is a typical obfuscation security policy, rather than telling hackers that you are using a PHP script to mislead them into thinking that you are running PERL, python, or any other scripting language.
For example, you can use php extension to run the php script, just as in general. To prevent others from seeing your "hello. php" script, you actually use Apache to hide or confuse the real file extension. Therefore, instead of using the "hello. php" extension, you can disguise these files as PERL, and your "hello. php" is still a PHP script. As shown below:
[Quote] AddType application/x-httpd-php. asp. py. pl [/quote]
What I like most is to compile a file extension, such as. sun or. fuck.
[Quote] AddType application/x-httpd-php. sun. fuck. 1e3t [/quote]
I'm sure that when a hacker encounters a php file that seems to be running. Sun files are eager to launch attacks, and the consequences can be imagined. Try it. The above code is used in the Apache configuration file. if you are on a shared host, you will not access the Apache configuration file.
Register Globals
PHP changes a lot when version Global4.2 appears. For php. in the INI file, this is an open or closed option. PHP does not force you to use the same raw parameters as other languages, because of this, people regard it as an insecure language. When register globals is enabled, it allows the request to set parameters. The best example is the user registration form. Let's assume that register globals is enabled:
If ($ authed = true ){ Echo "my sensitive information "; } ?> |
Any user can access sensitive information by sending a GET request. You can use telnet (standard protocol for remote connection service or software for remote login) or a browser, such as sin. php? Authed = true, so that sensitive information is displayed. If we disable it, it will block this issue. now when we access sin. php? When authed is set to true, the page is blank. You cannot initialize variables from external sources. Another way to protect your variables from external sources is to check whether they are in GET or POST requests.
$ Authed = true; If (isset ($ _ POST [authed]) | $ _ GET [authed]) { Echo "variable violation "; } Else { If ($ authed = true ){ Echo "my sensitive information "; } } ?> |
By monitoring GET or POST requests, we can check whether someone has injected anything into our variables. Next, we will receive a message that not only has the variable destroyed, but also can promptly notify the administrator to take emergency measures.
...