Some security protection issues in php are explained. As long as we have done all kinds of operations, we can basically prevent some friends from using the website's own vulnerabilities to perform website operations. many php users use htmlentities () such as XSS () to prevent XSS attacks, as long as we have done all kinds of operations, we can basically prevent some friends from using the website's own vulnerabilities to perform website operations. many php users, such as XSS using htmlentities () XSS attack prevention and SQL injection can be operated using mysql_real_escape_string.
PHP includes the security of any other network programming language, specifically in the local security and remote security, here we should develop the following habits to ensure that our PHP program itself is safe.
1. verify any data entered by the user to ensure the security of PHP code
Here, we use a whitelist. The so-called whitelist means that we require the user's data to be like this. for example, we require the user's input to be a number, we just need to check whether the value is a number, without having to check what it is-in fact, it may be a malicious script.
For this test, we cannot only perform javascript on the client side. The battlefield believes that JS is only generated to improve the user experience, rather than the verification tool. This is because any visiting user may accidentally disable the execution of client scripts, thus skipping this layer of verification. Therefore, we must check the data on the PHP server program.
2. protect database security-perform security preprocessing on SQL statements to be run in the database.
Execute the mysql_real_escape_string operation on the Mysql statement before execution at any time. for the usage of this function, see The PHP Manual. Many PHP database abstraction layers, such as ADODB, provide similar methods.
3. do not rely on PHP settings that should not be dependent on-the environment is sometimes unreliable
Magic_quotes_gpc = On. during programming, close this configuration option whenever possible and process the input data at any time. Remember -- this option will be deleted in PHP v6. Use addcslashes series functions whenever possible-please refer to the manual
4. verify the data source to avoid remote form submission
Do not use the super variable $ _ SERVER ['http _ referer'] to check the data source address. a very small Cainiao hacker will use tools to forge the data of this variable, use Md5, rand, and other functions as much as possible to generate a token. when verifying the source, verify that the token matches.
5. protect session data, especially Cookies
Cookie is stored on the user's computer. after the Cookie is saved, any user may change it for some reason. Therefore, we must encrypt sensitive data. Md5 and sha1 are both good encryption methods.
6. use htmlentities () to prevent XSS attacks
Perform htmlentities () operations on the data where the user may enter the script language. the input of most users that may generate program errors is materialized. Remember to follow the first habit: use the value in the white list in the input of the Web application name, email address, phone number, and Bill information to verify the input data.
Htmlentities () prevent XSS attacks...