A summary of some PHP development security issues
PHP gives developers a great deal of flexibility, but that flexibility also brings security risks. I recently needed to review the problems we have run into, so this post translates an article on the subject and adds some observations from my own development work.
Introduction
When developing an Internet service, you must keep security in mind at every step and build it into the code. The PHP language itself does not enforce secure practices, which is a problem especially for inexperienced developers. Whenever money is involved, for example in a forum with paid features or a shopping cart, you need to pay particular attention to security.
General security principles
Don't trust forms
Client-side JavaScript validation cannot be relied on, because you do not control the user's behavior: the user can disable the browser's JavaScript engine and POST malicious data directly to the server. Every PHP script must validate the data it receives on the server side to prevent XSS attacks and SQL injection.
Don't trust users
Assume that every piece of data your site receives may be malicious code and that any of it could hide a threat; sanitize every piece of data.
Turn off global variables
Set the following in php.ini:
register_globals = Off
If this option is turned on there is a large security risk. For example, suppose a script process.php inserts the data it receives into the database, and the form that collects the user's input looks like this:
<input name="username" type="text" size="..." maxlength="...">
When the form is submitted to process.php, PHP registers a $username variable holding the submitted value, and it creates such a variable for every POST or GET request parameter. The following problem occurs if a variable is not explicitly initialized (ref.: http://www.lai18.com/content/434606.html):
<?php
// Define $authorized = true only if the user is authenticated
if (authenticated_user()) {
    $authorized = true;
}
?>
Here the result of authenticated_user() is what is supposed to determine the value of $authorized. If register_globals is turned on, any user can send a request parameter that sets $authorized to whatever value they like, and the check can be bypassed.
All submitted data should instead be read from PHP's predefined superglobal arrays: $_POST, $_GET, $_FILES, $_SERVER, $_REQUEST, and so on. $_REQUEST is the union of the three arrays $_GET, $_POST and $_COOKIE; by default the order is $_COOKIE, $_POST, $_GET.
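As an added illustration that is not code from the original article, the following emulates register_globals=On with extract() so the bypass and its fix can be run on any PHP version; authenticated_user() and the request arrays are constructed stand-ins for a real login check and real form data.

```php
<?php
// Added example: emulates register_globals=On with extract() and shows why an
// uninitialized $authorized is attacker-controlled, next to the fixed pattern.
// authenticated_user() is a constructed stand-in for a real login check.
function authenticated_user(array $request): bool
{
    // Constructed credential check; a real site would verify a session or user store.
    $storedHash = password_hash('demo-pass', PASSWORD_DEFAULT);
    return isset($request['user'], $request['pass'])
        && hash_equals('demo-user', (string) $request['user'])
        && password_verify((string) $request['pass'], $storedHash);
}

// Vulnerable pattern from the article: $authorized is never initialized.
function check_with_register_globals(array $request): bool
{
    extract($request);               // like register_globals: every parameter becomes a variable
    if (authenticated_user($request)) {
        $authorized = true;
    }
    return !empty($authorized);      // may already have been set from the request itself
}

// Fixed pattern: initialize before use and read input only from the superglobals.
function check_fixed(array $request): bool
{
    $authorized = false;             // explicit initialization closes the hole
    if (authenticated_user($request)) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed requests (in a real script these would come from $_POST or $_GET).
$forged = ['authorized' => '1'];                          // no credentials at all
$legit  = ['user' => 'demo-user', 'pass' => 'demo-pass'];

printf("register_globals emulated, forged request: %s\n", var_export(check_with_register_globals($forged), true));
printf("fixed, forged request:                     %s\n", var_export(check_fixed($forged), true));
printf("fixed, valid credentials:                  %s\n", var_export(check_fixed($legit), true));
```

Run it with php on the command line; the forged request passes only the uninitialized version.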
Recommended security configuration options
error_reporting set to Off: do not expose error messages to users; it can be set to On during development
safe_mode set to Off
register_globals set to Off
Disable the following functions: system, exec, passthru, shell_exec, proc_open, popen
Set open_basedir to /tmp, so that session data can still be written, together with a separate root directory for the web site
expose_php set to Off
allow_url_fopen set to Off
allow_url_include set to Off
SQL injection attacks
SQL statements that operate on the database need particular care, because a user can enter specially crafted input that changes what the original SQL statement does. An example of this is the following:
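The following is an added example, not the article's own, showing the same lookup written with string concatenation and with a prepared statement; the table, rows and input are constructed here, and the script assumes the pdo_sqlite extension is available.

```php
<?php
// Added example: a user lookup with input spliced into the SQL text versus the
// same lookup with a bound parameter, run against a constructed in-memory table.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$db->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Vulnerable: the input becomes part of the SQL text, so it can change the
// structure of the statement, not only the value being compared.
function find_user_vulnerable(PDO $db, string $name): array
{
    $sql = "SELECT name, role FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the statement is parsed first and the input is bound as data only.
function find_user_safe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input that rewrites the WHERE clause when concatenated.
$input = "x' OR '1'='1";

echo "concatenated query, crafted input: ", count(find_user_vulnerable($db, $input)), " row(s)\n";
echo "prepared statement, crafted input: ", count(find_user_safe($db, $input)), " row(s)\n";
echo "prepared statement, real name:     ", count(find_user_safe($db, 'alice')), " row(s)\n";
```

The concatenated version returns every row for the crafted input, while the prepared statement treats the whole string as a name and matches nothing.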