Sort out some PHP development security issues
PHP gives developers great flexibility, but that flexibility also brings security risks. I recently needed to go back over the problems encountered so far, so here I summarize some of my own development experience by translating an article.
Introduction
When developing an Internet service you must keep security in mind at every step and reflect it in the code you write. The PHP language itself does not enforce security, and inexperienced developers in particular tend to overlook it. Any application that handles money or transactions, such as a forum or a shopping cart, needs special attention to security.
General points of security protection
Do not trust the form
Client-side JavaScript validation tells you nothing about what the user actually did: the browser's JavaScript engine may be disabled, or malicious data may be POSTed to the server directly without ever passing through the form. Validate the data passed to every PHP script on the server side to prevent XSS attacks and SQL injection.
Do not trust users
Assume that every piece of data your site receives may contain malicious code or a hidden threat, and validate and sanitize every piece of it before use.
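As an added example (not code from the original article), here is what "clean every piece of data" looks like in practice for a hypothetical sign-up form: every field is checked against an allow-list on the server, nothing from the request is used unvalidated, and everything echoed back is escaped for HTML. The field names, rules and the two sample requests are constructed for the example.

```php
<?php
// Added example: server-side validation and output escaping for a
// hypothetical sign-up form. Field names and rules are assumptions.
declare(strict_types=1);

/**
 * Validate the raw POST fields of the sign-up form.
 * Returns ['ok' => bool, 'data' => validated values, 'errors' => messages].
 * Every value is matched against an allow-list; nothing is used as-is.
 */
function validate_signup(array $post): array
{
    $errors = [];
    $data = [];

    // Username: 3-64 characters, letters, digits and underscore only.
    // is_string() rejects array inputs such as username[]=x.
    $username = $post['username'] ?? '';
    if (!is_string($username) || !preg_match('/\A[A-Za-z0-9_]{3,64}\z/', $username)) {
        $errors['username'] = 'invalid username';
    } else {
        $data['username'] = $username;
    }

    // E-mail: PHP's built-in syntax filter; returns false on failure.
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = 'invalid e-mail address';
    } else {
        $data['email'] = $email;
    }

    // Age: an integer in a sane range. FILTER_VALIDATE_INT rejects
    // anything with trailing garbage, so "18' OR '1'='1" fails here.
    $age = filter_var($post['age'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 13, 'max_range' => 120]]);
    if ($age === false) {
        $errors['age'] = 'invalid age';
    } else {
        $data['age'] = $age;
    }

    return ['ok' => $errors === [], 'data' => $data, 'errors' => $errors];
}

/** Escape a value for HTML text or a double-quoted attribute. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample requests: one honest, one hostile.
$requests = [
    ['username' => 'alice_01', 'email' => 'alice@example.com', 'age' => '34'],
    ['username' => '<script>alert(1)</script>', 'email' => 'not-an-email', 'age' => "18' OR '1'='1"],
];

foreach ($requests as $req) {
    $result = validate_signup($req);
    if ($result['ok']) {
        // Only validated data reaches the page, and it is still escaped on output.
        echo 'Welcome, ' . h($result['data']['username']) . "\n";
    } else {
        // Echoing a rejected value back is where reflected XSS usually lives,
        // so the raw input is escaped before it goes into the response.
        foreach ($result['errors'] as $field => $msg) {
            echo "$field: $msg (got " . h((string)($req[$field] ?? '')) . ")\n";
        }
    }
}
```

Validation decides whether a value is acceptable at all; escaping with htmlspecialchars() is done separately at the point of output, because a value that is valid as data (a username containing an apostrophe, say) can still be dangerous in an HTML context.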
Disable global variables
Configure the following in the php.ini file:
register_globals = Off
If this option is enabled it creates a serious security risk. Suppose a script, process.php, inserts received data into the database, and the form that collects the user's input looks like this:
<input name="username" type="text" size="15" maxlength="64">
When the form is submitted, PHP registers a global $username variable in process.php holding the submitted value, and it does the same for every POST or GET parameter, whatever its name. If a variable is not explicitly initialized before it is used, the following problem occurs (see also: http://www.lai18.com/content/434606.html):
<?php
// Define $authorized = true only if user is authenticated
if (authenticated_user()) {
    $authorized = true;
}
?>
Suppose authenticated_user() is what decides whether $authorized gets set. With register_globals enabled, any user can send a request such as process.php?authorized=1, which sets $authorized before the script's own code runs, so the check is bypassed. (register_globals was deprecated in PHP 5.3 and removed in PHP 5.4, but the same bug reappears whenever request data is imported into the variable scope, for example with extract($_REQUEST).)
All submitted data should be read through PHP's predefined superglobal arrays: $_POST, $_GET, $_COOKIE, $_FILES, $_SERVER and $_REQUEST. $_REQUEST merges $_GET, $_POST and $_COOKIE; the merge order is set by the request_order directive (falling back to variables_order, whose historical default "EGPCS" lets a cookie override a POST value of the same name, which in turn overrides a GET value). php.ini-production sets request_order = "GP", so cookies are left out of $_REQUEST. Prefer the specific array ($_POST for a form) over $_REQUEST, so that an attacker cannot substitute a GET parameter or a cookie for a value you expect from the form.
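As an added example (not code from the original article), the check above is reproduced in a way that runs on current PHP: extract() imports request keys into the local scope exactly as register_globals did, so the vulnerable function can be bypassed by a constructed ?authorized=1 request, while the fixed function initializes the variable and never lets request data into its scope. authenticated_user() is a stub standing in for a real session check.

```php
<?php
// Added example: a register_globals-style bypass, simulated with extract()
// because register_globals itself no longer exists in PHP >= 5.4.
declare(strict_types=1);

function authenticated_user(): bool
{
    // Stub for a real credential/session check; always fails in this demo,
    // so a correct implementation must never report the caller as authorized.
    return false;
}

// Vulnerable: $authorized is only ever *set*, never initialized, so any
// request variable named "authorized" that was imported into the local
// scope survives the check untouched.
function is_authorized_vulnerable(array $request): bool
{
    extract($request);              // emulates register_globals = On
    if (authenticated_user()) {
        $authorized = true;
    }
    return isset($authorized) && $authorized;
}

// Fixed: initialize first, and never import request data into the
// variable scope. Input, when needed, is read from the specific
// superglobal ($_POST for a form) rather than from $_REQUEST.
function is_authorized_fixed(array $request): bool
{
    $authorized = false;
    if (authenticated_user()) {
        $authorized = true;
    }
    // $request is deliberately unused: nothing the client sends reaches $authorized.
    return $authorized;
}

// Constructed hostile request, equivalent to process.php?authorized=1
$hostile = ['authorized' => '1'];

echo 'vulnerable: ', var_export(is_authorized_vulnerable($hostile), true), "\n";
echo 'fixed:      ', var_export(is_authorized_fixed($hostile), true), "\n";
```

The vulnerable function reports the hostile request as authorized even though authenticated_user() returned false; the fixed one does not, and would not even if the attacker also set a cookie or GET parameter of the same name.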
Recommended Security Configuration Options
display_errors set to Off: do not expose error messages to users. (error_reporting is a bitmask of error levels, not an on/off switch; keep error_reporting = E_ALL and send errors to a log file with log_errors = On.) Turn display_errors on only during development.
safe_mode set to Off. It was deprecated in PHP 5.3 and removed in 5.4; it was a PHP-level workaround for the isolation between sites on a shared host that the operating system should provide.
register_globals set to Off (removed in PHP 5.4).
Disable the following functions through disable_functions: system, exec, passthru, shell_exec, proc_open and popen.
open_basedir set to the site's own root directory plus the directory where session files are stored (for example /tmp), so that PHP can only open files under those trees; give each website its own root directory.
expose_php set to Off.
allow_url_fopen set to Off.
allow_url_include set to Off.
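The recommendations above, collected into a php.ini fragment as an added example (not configuration from the original article). The log path, site root and session directory are assumptions; adjust them to the host. Comments are on their own lines so the fragment can be pasted as-is.

```ini
; Added example, not from the original article. Paths are assumptions.

; Do not show errors to users; log everything instead.
display_errors = Off
log_errors = On
; assumed log location
error_log = /var/log/php/error.log
; keep reporting every level, just to the log rather than the browser
error_reporting = E_ALL

; Do not advertise the PHP version in the X-Powered-By header.
expose_php = Off

; Remote URLs are neither opened as files nor included as code.
allow_url_fopen = Off
allow_url_include = Off

; Confine file access to this site's root and its session directory
; (':' separates paths on Unix, ';' on Windows). Both paths are assumptions.
open_basedir = /var/www/example.com:/tmp
session.save_path = /tmp

; Shell-spawning functions this site does not need.
disable_functions = system,exec,passthru,shell_exec,proc_open,popen

; register_globals and safe_mode were removed in PHP 5.4.
; On older releases they should be off:
; register_globals = Off
; safe_mode = Off
```

After changing php.ini, confirm the values actually took effect from a script with ini_get() (or phpinfo() on a non-public page), since a per-directory or per-virtual-host override can silently win over the global file.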
SQL injection attacks
Operating on the database with SQL statements needs special care, because a user can supply input that changes what the original SQL statement does. For example:
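As an added example (not code from the original article), here is a username lookup written the vulnerable way, with the input pasted into the SQL text, beside the same lookup as a PDO prepared statement. It runs against an in-memory SQLite database seeded with one constructed row, so it works offline; the hostile input is constructed for the example.

```php
<?php
// Added example, not code from the original article: the same lookup
// written with string concatenation and with a prepared statement.
// Runs against an in-memory SQLite database (needs the pdo_sqlite extension).
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, password_hash TEXT NOT NULL)');

// Constructed sample data: a single admin account.
$seed = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
$seed->execute([':u' => 'admin', ':h' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);

// Vulnerable: the user-supplied value is pasted into the SQL text, so a
// quote in the input ends the string literal and the rest becomes SQL.
function find_user_vulnerable(PDO $pdo, string $username): ?array
{
    $sql = "SELECT id, username, password_hash FROM users WHERE username = '$username'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Fixed: the SQL text is settled at prepare time and the value is bound
// separately, so it can only be compared as data, never parsed as SQL.
function find_user_fixed(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, username, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// A login check built on the safe lookup; the password is verified in PHP
// against the stored hash, never compared inside the SQL statement.
function login(PDO $pdo, string $username, string $password): bool
{
    $user = find_user_fixed($pdo, $username);
    return $user !== null && password_verify($password, $user['password_hash']);
}

// Constructed hostile input: closes the quoted literal and appends a
// condition that is always true, so the WHERE clause matches every row.
$payload = "nobody' OR '1'='1";

echo 'vulnerable lookup: ', json_encode(find_user_vulnerable($pdo, $payload)), "\n";
echo 'prepared lookup:   ', json_encode(find_user_fixed($pdo, $payload)), "\n";
echo 'login with payload as username: ', var_export(login($pdo, $payload, 'anything'), true), "\n";
```

With the payload, the concatenated query becomes WHERE username = 'nobody' OR '1'='1' and returns the admin row, while the prepared statement looks for a user literally named nobody' OR '1'='1 and finds nothing. The same separation of code and data is what escaping functions such as mysqli_real_escape_string() try to approximate; prepared statements make it structural rather than best-effort.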