As we all know, PHP is already the most popular Web application programming language. But like other scripting languages, PHP also has several dangerous security vulnerabilities. So in this tutorial, we will look at some practical skills to avoid some common PHP security problems.
Tip 1: Use appropriate error reportsIn the development process, many programmers forget to make program error reports. this is a great mistake, because proper error reports are not just the best debugging tool, it is also an excellent security vulnerability detection tool, which allows you to find out the problems you will encounter before the application is launched.
Of course, there are also many ways to enable error reporting. For example, in the php. in configuration file, you can set to enable it at runtime.
Start error report
error_reporting(E_ALL);
Disable error report
error_reporting(0);Tip 2: Do not use the Weak attribute of PHP
Several PHP attributes need to be set to OFF. Generally, they exist in PHP4, which is not recommended in PHP5. These attributes are removed, especially in PHP6.
Register global variables
When register_globals is set to ON, it is equivalent to setting Environment, GET, POST, COOKIE, or Server variables as global variables. In this case, you do not need to write $ _ POST ['username'] to obtain the form variable 'username'. you only need '$ username' to obtain this variable.
So you must be wondering why not use register_globals as it is so convenient to set register_globals to ON? If you do this, there will be a lot of security issues, and it may also conflict with the local variable name.
For example, first look at the following code:
if( !empty( $_POST['username'] ) && $_POST['username'] == ‘test123′ && !empty( $_POST['password'] ) && $_POST['password'] == “pass123″ ){$access = true;}
If register_globals is set to ON during running, you only need to transmit access = 1 in a query string to get everything that the PHP script runs.
Disable global variables in. htaccess
php_flag register_globals 0
Disable global variables in php. ini
register_globals = Off
Disable Magic Quotes like magic_quotes_gpc, magic_quotes_runtime, and magic_quotes_sybase.
Set in the. htaccess file
php_flag magic_quotes_gpc 0php_flag magic_quotes_runtime 0
Set in php. ini
magic_quotes_gpc = Offmagic_quotes_runtime = Offmagic_quotes_sybase = OffTip 3: verify user input
You can also verify the user input. First, you must know the data type you want the user to input. In this way, you can prepare your browser to defend against malicious attacks.
Tip 4: Avoid cross-site scripting attacksIn Web applications, users simply accept user input forms and then feedback the results. When accepting user input, it is very dangerous to allow HTML format input, because it allows JavaScript to be executed directly after being intruded in an unpredictable way. Even if there is one such vulnerability, cookie data may be stolen, resulting in user account theft.
Tip 5: prevent SQL injection attacksPHP basically does not provide any tools to protect your database, so when you connect to the database, you can use the following mysqli_real_escape_string function.
$username = mysqli_real_escape_string( $GET['username'] );mysql_query( “SELECT * FROM tbl_employee WHERE username = ’”.$username.“‘”);
Well, in this short article, we have explained several PHP security issues that cannot be ignored during development. But whether or not to use it is determined by developers. I hope this article will help you.
Everyone knows that PHP is currently the most popular Web application programming language. But it is also the same as other scripting languages...
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
