Several practical points for creating a highly secure PHP website. As we all know, PHP is already the most popular Web application programming language. But like other scripting languages, PHP also has several dangerous security vulnerabilities. Therefore, in this teaching article, we all know that PHP is currently the most popular Web application programming language. But like other scripting languages, PHP also has several dangerous security vulnerabilities. So in this tutorial, we will look at some practical skills to avoid some common PHP security problems.
Tip 1: Use appropriate error reports
In the development process, many programmers forget to make program error reports. this is a great mistake, because proper error reports are not just the best debugging tool, it is also an excellent security vulnerability detection tool, which allows you to find out the problems you will encounter before the application is launched.
Of course, there are also many ways to enable error reporting. For example, in the php. in configuration file, you can set to enable it at runtime.
Start error report
- Error_reporting (E_ALL );
Disable error report
- Error_reporting (0 );
Tip 2: Do not use the Weak attribute of PHPSeveral PHP attributes need to be set to OFF. Generally, they exist in PHP4, which is not recommended in PHP5. These attributes are removed, especially in PHP6.
Register global variables
When register_globals is set to ON, it is equivalent to setting Environment, GET, POST, COOKIE, or Server variables as global variables. In this case, you do not need to write $ _ POST ['username'] to obtain the form variable 'username'. you only need '$ username' to obtain this variable.
So you must be wondering why not use register_globals as it is so convenient to set register_globals to ON? If you do this, there will be a lot of security issues, and it may also conflict with the local variable name.
For example, first look at the following code:
- If (! Empty ($ _ POST ['username']) & $ _ POST ['username'] = 'test123 ′&&! Empty ($ _ POST ['password']) & $ _ POST ['password'] = "pass123 ″)
- {
- $ Access = true;
- }
If register_globals is set to ON during running, you only need to transmit access = 1 in a query string to get everything that the PHP script runs.
Disable global variables in. htaccess
- Php_flag register_globals 0
Disable global variables in php. ini
- Register_globals = Off
Disable Magic Quotes like magic_quotes_gpc, magic_quotes_runtime, and magic_quotes_sybase.
Set in the. htaccess file
- Php_flag magic_quotes_gpc 0
- Php_flag magic_quotes_runtime 0
Set in php. ini
- Magic_quotes_gpc = Off
-
- Magic_quotes_runtime = Off
-
- Magic_quotes_sybase = Off
-
Tip 3: verify user inputYou can also verify the user input. First, you must know the data type you want the user to input. In this way, you can prepare your browser to defend against malicious attacks.
Tip 4: Avoid cross-site scripting attacksIn Web applications, users simply accept user input forms and then feedback the results. When accepting user input, it is very dangerous to allow HTML format input, because it allows JavaScript to be executed directly after being intruded in an unpredictable way. Even if there is one such vulnerability, cookie data may be stolen, resulting in user account theft.
Tip 5: prevent SQL injection attacksPHP basically does not provide any tools to protect your database, so when you connect to the database, you can use the following mysqli_real_escape_string function.
- $ Username = mysqli_real_escape_string ($ GET ['username']);
-
- Mysql_query ("SELECT * FROM tbl_employee WHERE username = '". $ username. "'");
-
Well, in this short article, we have explained several PHP security issues that cannot be ignored during development. But whether or not to use it is determined by developers. I hope this article will help you.
From: phpzag.com
Bytes. But like other scripting languages, PHP also has several dangerous security vulnerabilities. So in this teaching article...