Sort out some PHP development security issues and php development security issues

Source: Internet
Author: User
Tags sql injection sample

Sort out some PHP development security issues and php development security issues

Sort out some PHP development security issues

Php provides developers with great flexibility, but it also brings potential risks to security issues. We need to summarize the previous problems in the near future, here, I would like to summarize some of my development feelings by translating an article.





Introduction when developing an Internet service, you must always keep in mind the security concept and embody it in the developed code. The PHP scripting language is not concerned with security issues, especially for most inexperienced developers. Every time you talk about any transactions involving money and transactions, you need to pay special attention to security issues, such as developing a forum or a shopping cart.


General points of security protection do not trust the form

For general Javascript front-end verification, the user's behavior cannot be known, for example, the javascript engine of the browser is closed, so that malicious data is sent to the server through POST. Verify the data transmitted to each php script on the server to prevent XSS attacks and SQL injection.


Do not trust users

Assume that every piece of data received by your website has malicious code and hidden threats. Clean up every piece of data.


Disable global variables

Configure the following in the php. ini file:

register_globals = Off


If this configuration option is enabled, there will be a great security risk. For example, a script file of process. php inserts the received data into the database. The form for receiving user input data may be as follows:

<input name="username" type="text" size="15" maxlength="64">


In this way, when the data is submitted to the process. php registers a $ username variable and submits the variable data to process. php. This variable is set for any POST or GET request parameters. The following problem occurs if Initialization is not performed on the display (refer to: http://www.lai18.com/content/434606.html)

<?php// Define $authorized = true only if user is authenticatedif (authenticated_user()) {    $authorized = true;}?>


Assume that the authenticated_user function is used to determine the value of the $ authorized variable. If the register_globals configuration is enabled, any user can send a request, to set the value of the $ authorized variable to any value to bypass this verification.

All the submitted data should be obtained through the predefined Global Array of PHP, including $ _ POST, $ _ GET, $ _ FILES, $ _ SERVER, and $ _ REQUEST, $ _ REQUEST is a federated variable of $ _ GET/$ _ POST/$ _ COOKIE arrays. The default sequence is $ _ COOKIE, $ _ POST, and $ _ GET.


Recommended Security Configuration Options

Error_reporting is set to Off: do not expose error information to users. You can set it to ON during development.

Set safe_mode to Off.

Set register_globals to Off.

Disable the following functions: system, exec, passthru, shell_exec, proc_open, and popen.

Open_basedir is set to/tmp, so that session information can be stored and a separate website root directory can be set.

Set expose_php to Off

Set allow_url_fopen to Off.

Set allow_url_include to Off.


SQL injection attacks require special security when operating database SQL statements, because users may enter specific statements to change the functions of the original SQL statements. For example:

Additional reading

Collect and collect technical articles from the PHP security programming Series

The PHP security programming series favorites have collected knowledge about PHP security programming and provide a learning reference for PHP security programming.

1discuz php prevents SQL Injection Functions

2php methods to prevent xss attacks

3PHP Secure Programming: escape the output

4PHP Secure Programming: filter user input

5PHP Secure Programming: availability and data tracking

6PHP Secure Programming: do not let irrelevant people see the error message

7 PHP Secure Programming: security of register_globals

8 PHP security programming: some principles of website security design

9PHP Secure Programming: About form spoofing submission

10PHP Secure Programming: HTTP request Spoofing

11PHP Secure Programming: do not expose Database Access Permissions

12PHP Secure Programming: defense against Cross-Site Request Forgery (CSRF)

13PHP Secure Programming: Form and data security

14PHP security programming: attacks from URL Semantics

15 PHP Secure Programming: defense against File Upload attacks

16PHP security programming: defense against cross-site scripting attacks

17PHP Secure Programming: fixed session acquisition of valid sessions

18PHP Secure Programming: prevents SQL Injection

19PHP Secure Programming: session hijacking due to cookie exposure

20 PHP Secure Programming: Prevent source code exposure

21PHP Secure Programming: Pay attention to backdoor URLs

22PHP security programming: session hijacking defense

23PHP security programming: brute-force cracking

24PHP security programming: Password sniffing and replay attacks

25PHP security programming: Keep in mind the security practices of Logon status

26PHP Secure Programming: shell Command Injection

27PHP Secure Programming: Risks of opening remote files

28PHP security programming: file directory Prediction Vulnerability

29PHP Secure Programming: prevents file name manipulation

30PHP Secure Programming: file-contained code injection attacks

31PHP Secure Programming: Better session data security

32PHP Secure Programming: source code security for shared hosts

33PHP Secure Programming: session data Injection

34PHP Secure Programming: host file directory browsing

35PHP security programming: PHP security mode

36php security: GET the value directly with $ instead of the $ _ GET character escape

37php vulnerability prevention policy to create high-performance web

38 what XSS attacks? PHP functions to prevent XSS attacks

39 parsing php methods to prevent repeated form submissions

40php secure append

41PHP prevents cross-origin submission forms

42php prevents SQL Injection

43php prevents SQL Injection code instances

44php prevents SQL injection sample analysis and regular expressions for several common attacks

45PHP security prevents exposure of your source code or important configuration information

46PHP simple example of preventing repeated data submission by post

47php prevents counterfeit data from being submitted from the URL

Summary of several common methods for preventing repeated submission of forms in 48PHP

49php: how to prevent counterfeit data from being submitted from the address bar URL

50php prevents remote form submission outside the site

51php prevents SQL injection to filter paging parameter instances

52PHP security-attacks and solutions to Apache installation

53PHP security-File System Security and Prevention Measures

54PHP security-File System Security-Null character

55PHP security-database security-SQL injection and Prevention Measures

56PHP security overview and general rules

57PHP security-possible attacks and solutions during CGI Installation

58PHP security-user-submitted data

59PHP security-database security-design, connection, and encryption

Magic quotes of 60PHP security-What are magic quotes and how to use them

61PHP security-hiding the PHP script Extension

Use Register Globals for 62PHP Security

63PHP Security Error Report

64php methods to prevent malicious refresh and ticket refresh

65php methods to prevent websites from being refreshed

Summary of 66PHP website common security vulnerabilities and corresponding preventive measures


Copyright Disclaimer: This article is an original article by the blogger and cannot be reproduced without the permission of the blogger.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.