As we all know, PHP is already the most popular Web application programming language. But like other scripting languages, PHP also has several dangerous security vulnerabilities. So in this tutorial, we will look at some practical skills to avoid some common PHP security problems. As we all know, PHP is already the most popular Web application programming language. But like other scripting languages, PHP also has several dangerous security vulnerabilities. So in this tutorial, we will look at some practical skills to avoid some common PHP security problems.
Tip 1: Use appropriate error reportsIn the development process, many programmers forget to make program error reports. this is a great mistake, because proper error reports are not just the best debugging tool, it is also an excellent security vulnerability detection tool, which allows you to find out the problems you will encounter before the application is launched. Of course, there are also many ways to enable error reporting. For example, in the php. in configuration file, you can set to enable it at runtime.
Start error reportView source print?
| 1 |
Error_reporting (E_ALL ); |
Disable error reportView source print?
Tip 2: Do not use the Weak attribute of PHPSeveral PHP attributes need to be set to OFF. Generally, they exist in PHP4, which is not recommended in PHP5. These attributes are removed, especially in PHP6.
Register global variablesWhen register_globals is set to ON, it is equivalent to setting Environment, GET, POST, COOKIE, or Server variables as global variables. In this case, you do not need to write $ _ POST ['username'] to obtain the form variable 'username'. you only need '$ username' to obtain this variable.
So you must be wondering why not use register_globals as it is so convenient to set register_globals to ON? If you do this, there will be a lot of security issues, and it may also conflict with the local variable name.
For example, first look at the following code: view source print?
| 1 |
If (! Empty ($ _ POST ['username']) & $ _ POST ['username'] = 'test123 ′&&! Empty ($ _ POST ['password']) & $ _ POST ['password'] = "pass123 ″) |
If register_globals is set to ON during running, you only need to transmit access = 1 in a query string to get everything that the PHP script runs.
Disable global variables in. htaccessView source print?
| 1 |
Php_flag register_globals 0 |
Disable global variables in php. iniView source print?
Disable Magic Quotes like magic_quotes_gpc, magic_quotes_runtime, and magic_quotes_sybase.In the. htaccess file, set view source print?
| 1 |
Php_flag magic_quotes_gpc 0 |
| 2 |
Php_flag magic_quotes_runtime 0 |
Set view source print in php. ini?
| 2 |
Magic_quotes_runtime = Off |
| 3 |
Magic_quotes_sybase = Off |
Tip 3: verify user inputYou can also verify the user input. First, you must know the data type you want the user to input. In this way, you can prepare your browser to defend against malicious attacks.
Tip 4: Avoid cross-site scripting attacksIn Web applications, users simply accept user input forms and then feedback the results. When accepting user input, it is very dangerous to allow HTML format input, because it allows JavaScript to be executed directly after being intruded in an unpredictable way. Even if there is one such vulnerability, cookie data may be stolen, resulting in user account theft.
Tip 5: prevent SQL injection attacksPHP basically does not provide any tools to protect your database, so when you connect to the database, you can use the following mysqli_real_escape_string function. View source print?
| 1 |
$ Username = mysqli_real_escape_string ($ GET ['username']); |
| 2 |
Mysql_query ("SELECT * FROM tbl_employee WHERE username = '". $ username. "'"); |
Well, in this short article, we have explained several PHP security issues that cannot be ignored during development. But whether or not to use it is determined by developers. I hope this article will help you.
