Suggestions for addressing security issues in PHP code
Like any other web programming language, PHP security covers two aspects, local security and remote security. To ensure that our PHP programs are themselves safe, we should develop the following habits.
1. Validate any data the user inputs to ensure the security of the PHP code
One trick here is to use a whitelist. A whitelist means that we specify what the user's data should look like. For example, if we require the user to input a number, we only check whether the value is a number, and we do not need to test what else it might be; in fact, it might be a malicious script.
This check cannot be done only in client-side JavaScript. JS merely improves the visitor's experience; it is not a verification tool. That layer of validation can be skipped, because any visiting user may, deliberately or accidentally, disable client-side script execution. So we must check this data in the server-side PHP program.
2. Protect the security of the database: securely preprocess the SQL statements that will be run against the database
Any time you execute a MySQL statement, run mysql_real_escape_string on the data before execution; see the PHP manual for this function. Many PHP database abstraction layers, such as ADODB, provide a similar method.
3. Do not rely on PHP settings you should not depend on: the environment is sometimes unreliable
Do not rely on magic_quotes_gpc=on. While programming, close this configuration option wherever possible, and always check the state of this option before processing user input. Remember: PHP 6 will remove this option. Use the addcslashes series of functions at the right time; please refer to the manual.
4. Verify the data source and avoid remote form submission
Do not use the $_SERVER['HTTP_REFERER'] superglobal to check the source address of the data; even a novice attacker will use tools to forge this variable. As far as possible, use functions such as md5() or rand() to generate a token, and verify the source by checking that this token matches.
5. Protect session data, especially cookies
Cookies are saved on the user's computer, and any user may change them for some reason, so we must encrypt sensitive data. MD5 and SHA1 are a good encryption method.
6. Use htmlentities() to prevent XSS attacks
Apply htmlentities() to data wherever a user may enter scripting language, and to most user input that could surface when the program reports an error. Remember to follow the first habit: validate the input data against a whitelist of values for the web application's names, e-mail addresses, phone numbers, and billing information.
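As an added example (not code from the original post), here is how habits 1 and 6 look in PHP: server-side whitelist validation of the kinds of fields the post names (a numeric id, a name, an e-mail address, a phone number), with rejected input never echoed raw and accepted values passed through htmlentities() before output. The field names, patterns and sample input are assumptions.

```php
<?php
// Added example: whitelist validation (habit 1) and htmlentities() on
// output (habit 6). Field names and patterns are assumed, not from the post.
// Whitelist: each field maps to a check that returns the clean value
// or null. Any field not listed here is ignored entirely.
$whitelist = [
    // Only a positive integer of up to 10 digits is acceptable as an id.
    'id' => function ($v) {
        return (is_string($v) && preg_match('/^[1-9][0-9]{0,9}$/', $v)) ? (int)$v : null;
    },
    // Name: letters, spaces, hyphens, apostrophes; 1..60 characters.
    'name' => function ($v) {
        return (is_string($v) && preg_match("/^[\p{L} '\-]{1,60}$/u", $v)) ? $v : null;
    },
    // E-mail: PHP's built-in validation filter (false on failure -> null).
    'email' => function ($v) {
        return is_string($v) ? (filter_var($v, FILTER_VALIDATE_EMAIL) ?: null) : null;
    },
    // Phone: optional leading +, then 7..15 digits (assumed format).
    'phone' => function ($v) {
        return (is_string($v) && preg_match('/^\+?[0-9]{7,15}$/', $v)) ? $v : null;
    },
];
// Validate an input array (normally $_POST) against the whitelist.
// Returns [cleanValues, namesOfRejectedFields].
function validateInput(array $input, array $whitelist): array {
    $clean = [];
    $errors = [];
    foreach ($whitelist as $field => $check) {
        $value = $check($input[$field] ?? null);
        if ($value === null) {
            $errors[] = $field;
        } else {
            $clean[$field] = $value;
        }
    }
    return [$clean, $errors];
}
// Constructed sample input standing in for $_POST; the name carries a
// script tag, which the whitelist rejects before it can reach output.
$sample = ['id' => '42', 'name' => '<script>alert(1)</script>', 'email' => 'a@example.com', 'phone' => '+4915112345678', 'extra' => 'ignored'];
[$clean, $errors] = validateInput($sample, $whitelist);
// Even validated values are encoded on output (habit 6).
foreach ($clean as $field => $value) {
    echo htmlentities($field, ENT_QUOTES, 'UTF-8') . ': ' . htmlentities((string)$value, ENT_QUOTES, 'UTF-8') . "\n";
}
// Report only the names of rejected fields, never the raw value.
echo 'rejected: ' . htmlentities(implode(', ', $errors), ENT_QUOTES, 'UTF-8') . "\n";
```

Running it prints the three accepted fields and "rejected: name"; in a real form handler the same validateInput() call would be made on $_POST before any database or output work.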