Last time I talked about how the controller passes data to the view. Today I will mainly talk about how to make the code in a program more "safe", then move on to the model, then how to build the view, and finally how to strengthen the controller.
Let me state again that I write these articles only to give you a basic understanding of PHP frameworks. My skills are limited and this article is for beginners learning PHP, so experts, please don't flame me. My time is also limited, so it may take two or three days before I get to each article, and I keep the writing time for each one to within one hour, writing the code as I write the article, so the code may have a lot of bugs. Forgive me!!
If you are a PHP enthusiast, please leave a reply after the article. This kind of exchange not only improves my PHP skills but also encourages me to keep writing. Thank you!!
Many people pay no attention when writing PHP code: when they run into a lot of warnings, they simply suppress them with error_reporting. I think this is a very big problem. For example:
If the GET parameter a is present, the program runs normally, but if it is not passed, a warning is thrown!!
My approach is to first set error_reporting to E_STRICT and not allow the program to produce any warnings!!
The code above then needs to be modified to:
```php
// read the GET parameter only if it was actually sent; otherwise fall back to an empty string
$a = isset($_GET['a']) ? $_GET['a'] : '';
```
Besides this problem, PHP has the special @ operator, which many people like to use to suppress errors, but I think it does more harm than good: when a project is very large and something goes wrong, the error is hidden, and finding where it happened is really difficult!!
As for exception handling, although try/catch has a cost, I personally feel that the necessary try/catch is needed for the robustness of the program.
Well, I have rambled about quite a lot that seems to have little to do with security, but to me all of it is part of being "safe".
Now suppose you spend 10 days writing a simple blog system, buy a virtual host or VPS, apply for a domain name, register the website, deploy the code, and everything is done. Users can then visit your blog through a domain name such as www.test.com. Your blog is very popular and quickly gathers a lot of visitors, but suddenly one day you find that your site has failed. What do you do?
Turn on error_reporting in PHP's configuration file on the live server and debug in production?
To tell you the truth, I have also debugged my blog system live, but my situation is not the same: my blog's traffic is very low, because I am too lazy and do not like to manage my blog.
If your site has a lot of traffic, you cannot do that on the live site, so what do you do?
Logging. If your site writes logs before a failure happens, then after the failure you only need to open the log file, see where the fault occurred, and fix it. Done!!
OK, now assume I am your classmate and I also took part in developing your blog system, but you and I have had a conflict, I hold a grudge, and I want to wreck your blog system. How would I do it?
First, assume that your database is named test, and that this database has a user table holding 20,000 member records. I know the registration code of your blog, which looks like this:
```php
$username = $_POST['username'];
$password = $_POST['password'];
if (empty($username) || empty($password)) {
    // jump to the registration page and tell the user that the user name or password is not filled in
}
// connect to the database
// assume the DB class encapsulates many SQL operations and closes the connection in its destructor (not shown)
// $db is an instance of the DB class, which has two methods:
//   $db->isUsernameExists  determines whether the user name exists
//   $db->query             executes an SQL statement
if (!$db->isUsernameExists($username)) {
    // the user input is concatenated straight into the SQL string (this is the problem discussed below)
    $db->query("INSERT INTO user (username,password) VALUES ('" . $username . "','" . $password . "')");
} else {
    // jump to the registration page and tell the user that the user name already exists
}
```
Is there a problem with this code? I believe many PHP coders will say scornfully, "you just want to talk about SQL injection."
Indeed, this is a question of SQL injection. The problem is very old and it seems everyone knows about it, so why do I have to bring it up?
Because I have seen several PHP projects written by my juniors at school, and they basically did not consider this problem at all; a lot of the code is written directly like this. Of course, if you try the SQL injection methods found online, you will find that you cannot inject; it seems PHP has automatically solved the problem for you. How? It actually adds a backslash before each special character.
So first, why does the SQL injection fail? If automatic escaping is configured in your php.ini, PHP escapes the data before you insert it into the DB.
It looks like we don't have to think about it, but in fact this makes things even scarier: if you move your program to another Linux server whose php.ini is not configured to escape automatically, your program suddenly has a big problem. The security of our code should not depend on the server configuration. So how do we handle this?
Luckily, PHP already has the addslashes function, which escapes special characters, but unfortunately, looking in the PHP manual, you find:
By default, the PHP directive magic_quotes_gpc is on, and it automatically runs addslashes() on all GET, POST, and COOKIE data. Do not use addslashes() on strings that have already been escaped by magic_quotes_gpc, because this results in double escaping. You can use the function get_magic_quotes_gpc() to detect this situation.
So, luckily, PHP provides the get_magic_quotes_gpc function to determine whether magic_quotes_gpc is turned on, which means we can write our own addslashes wrapper, such as:
```php
// Escape a string only if magic_quotes_gpc has not already done so, to avoid double escaping.
// Note: magic quotes were removed in PHP 5.4, get_magic_quotes_gpc() always returns false from
// 5.4 on and was removed in PHP 8.0, so this wrapper only matters on old PHP versions.
function myaddslashes($str) {
    if (get_magic_quotes_gpc()) {
        // GET/POST/COOKIE data has already been escaped by PHP
        return $str;
    }
    return addslashes($str);
}
```
There are other ways to solve this problem:
1. Use PDO to access the DB. PDO can use PDOStatement->bindParam, so PDO automatically does all of this for you, and I personally think PDO is very promising!!
2. If get_magic_quotes_gpc is on, first call stripslashes to remove the escape characters, then use mysql_real_escape_string before inserting into the database. I personally think this way is more reliable than the first!!
Of course, after all this, some of you may not know what SQL injection is, so I will briefly describe how it happens; those familiar with SQL injection can skip this paragraph.
Following the example above, suppose the user enters the value a');drop table user ... in the password field. Then the SQL statement that is executed becomes:
```sql
INSERT INTO user (username,password) VALUES ('username', 'a');drop table user ... ')
```
This SQL first inserts a record into the user table and then deletes the entire table, and then .... SQL reports an error.
But whether or not the SQL errors, the user table is gone. For a blog with 10,000 members, losing all of the users is a considerable loss. Of course, you can also give the database account your program connects with no right to drop tables, but that is not a fundamental fix; fixing the SQL injection vulnerability is more reliable.
OK, having dealt with SQL injection, I'll talk about XSS (cross-site scripting).
The existing PHP script:
I just said this code is problematic because it sometimes throws a warning, but if the parameter is passed by a malicious user, the problem is much bigger.
Now suppose the URL to access this script is http://localhost/test.php?a=a. I set the value of parameter a to a, and passing that causes no problem. But now suppose I change the value, so the URL becomes:
http://localhost/test.php?a=<script>location.href="http://www.tmall.com"</script>
When the script runs, it will jump to the Tmall homepage. How horrible!!
If it did not jump to Tmall but to a website the hacker set up, he would be able to obtain your cookie, then forge the cookie, log into the blog system with your identity, and then .... You know.
The solution to this problem is also very simple: escape the string. In fact, we can use our own myaddslashes method for this; after calling it, the script cannot execute. But sometimes we need to let scripts run, so what then? We can filter the input string according to certain rules; see the manual for how.
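As an added example (not the article's own code), the registration insert from above rewritten with PDO prepared statements, which is option 1 from the list. It runs against an in-memory SQLite database so it works offline; it assumes the pdo_sqlite extension is available, and the function names are mine. The hostile password is the article's drop-table value.

```php
<?php
// Create the user table from the article (id added so SQLite has a key).
function createUserTable(PDO $db): void {
    $db->exec("CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)");
}

// Equivalent of the article's $db->isUsernameExists, using a bound parameter.
function isUsernameExists(PDO $db, string $username): bool {
    $stmt = $db->prepare("SELECT COUNT(*) FROM user WHERE username = :username");
    $stmt->execute([':username' => $username]);
    return (int) $stmt->fetchColumn() > 0;
}

// The registration logic from the article, with the insert done through placeholders.
// Because the SQL text is fixed at prepare() time, the bound values are sent as data and
// are never parsed as SQL, so a quote or a semicolon in the input has no effect.
function registerUser(PDO $db, string $username, string $password): bool {
    if ($username === '' || $password === '') {
        return false;   // "user name or password is not filled in"
    }
    if (isUsernameExists($db, $username)) {
        return false;   // "user name already exists"
    }
    $stmt = $db->prepare("INSERT INTO user (username, password) VALUES (:username, :password)");
    $stmt->bindParam(':username', $username);
    $stmt->bindParam(':password', $password);   // real code would store password_hash($password, PASSWORD_DEFAULT)
    return $stmt->execute();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
createUserTable($db);

// Constructed input: the password value the article shows being injected.
$hostile = "a');drop table user ...";
$registered = registerUser($db, 'alice', $hostile);

// The user table still exists and the row holds the payload as a plain string; a second
// registration with the same name is refused by the existence check, as in the article.
$stored = $db->query("SELECT password FROM user WHERE username = 'alice'")->fetchColumn();
printf("registered=%s, table intact=%s, password stored verbatim=%s\n",
    var_export($registered, true),
    var_export(isUsernameExists($db, 'alice'), true),
    var_export($stored === $hostile, true));
printf("duplicate refused=%s\n", var_export(!registerUser($db, 'alice', 'x'), true));
```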
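As an added example (not code from the original article), here is the test.php script from the XSS section rewritten so that the value of the a parameter is encoded for each context it is printed into. The function names are assumed; the payload is the one from the URL above.

```php
<?php
// Encode a value for an HTML text node or attribute: < > & " ' become entities,
// so a <script> tag arriving in ?a= is displayed as text instead of being run.
function escapeHtml(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Encode a value for use inside a <script> block: json_encode produces a JS string
// literal and the HEX flags turn < > & ' " into \uXXXX escapes so "</script>" cannot
// close the block early. Invalid UTF-8 is replaced rather than returning false.
function escapeForJs(string $s): string {
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_INVALID_UTF8_SUBSTITUTE
    );
}

// Build the page. $get stands in for $_GET so the function can be called with test input.
function renderPage(array $get): string {
    $a = isset($get['a']) ? $get['a'] : '';   // the isset check from the start of the article
    $html  = "<p>You searched for: " . escapeHtml($a) . "</p>\n";
    $html .= "<input type=\"text\" name=\"a\" value=\"" . escapeHtml($a) . "\">\n";
    $html .= "<script>var lastQuery = " . escapeForJs($a) . ";</script>\n";
    return $html;
}

// Constructed input: the article's payload from test.php?a=<script>...</script>
$hostile = '<script>location.href="http://www.tmall.com"</script>';
echo renderPage(['a' => $hostile]);
// In the output every '<' is an entity in the HTML parts and a \u003C escape inside the
// script, so the browser never sees a second <script> element and no redirect occurs.
```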
Having solved this problem, I'll bring up another: CSRF (cross-site request forgery). What is this thing!!!
Now suppose you have a message board where the message content is rich text, and users can add emoticons and so on. The HTML for an emoticon is assumed to be inserted by the user through the rich-text editor you provide, which causes no problem, but what if he does not use the editor and instead uses an img tag to do something else?
How? Quite simply, by changing the src attribute of the img tag:
After posting the message, you find that the image cannot be shown. Why not is also very simple: it is not a valid picture link. But when an unsuspecting user A views the message, what happens? Each time a user opens the page with this message, the browser actually visits www.tmall.com once. If this URL is changed to the hacker's website, the result... you understand.
Besides these, there are also file upload vulnerabilities and so on, but time is limited, so I won't go into them.
What I'm saying is really to illustrate that security is important, and there are many things to think about as we write code.
I was going to talk today about how to solve these problems in the framework, but it's already past the one hour I planned, so I'll leave it for next time.
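The img trick above makes every reader's browser send a request the reader never intended. The standard defence for the state-changing requests your own site accepts, such as posting a message, is a per-session token that a page on another site cannot read. This is an added example, not the article's code; the form fields, function names and message.php are assumed.

```php
<?php
session_start();

// One unpredictable token per session, created on first use and reused by every form.
function csrfToken(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Reject a missing token, and compare in constant time so the value cannot be guessed byte by byte.
function csrfTokenIsValid(?string $submitted): bool {
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// The message form carries the token in a hidden field; a page on the hacker's site cannot
// read this value because of the browser's same-origin policy, so a forged POST lacks it.
function messageForm(): string {
    $token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="message.php">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<textarea name="content"></textarea>'
         . '<button type="submit">Post</button></form>';
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!csrfTokenIsValid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // Token matched: save $_POST['content'] here, escaping it on output as in the XSS section.
} else {
    echo messageForm();
}
```

An img src can only trigger a GET, so anything that changes state (post, delete, logout) should also be accepted only via POST, where the token check applies.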