Suggestions for security issues with PHP code



PHP, like any other network programming language, has security concerns in two areas: local security and remote security. We should develop the following habits to ensure that our PHP programs themselves are safe.
1. Validate any data the user inputs to keep PHP code secure
One technique here is to use a whitelist. A whitelist means we state what the user's data should look like. For example, if we require the user's input to be a number, we only check whether the value is a number and do not have to test what else it might be; in fact, it might be a malicious script.

We cannot do this check only in client-side JavaScript. JavaScript is there only to improve the visitor's experience, not to serve as a validation tool. This layer of validation can be skipped, because any visiting user may disable client script execution, accidentally or not. So we have to check this data in the server-side PHP program.

2. Protect the database: apply security preprocessing to the SQL statements that will run in the database
Whenever you are about to execute a MySQL statement, apply mysql_real_escape_string first; see the PHP manual for how to use this function. Many PHP database abstraction layers, such as ADODB, provide a similar approach.

3. Do not rely on PHP settings that should not be relied on; the environment is sometimes unreliable
Do not rely on magic_quotes_gpc=on. When programming, turn this configuration option off as far as possible, and always check this option before processing user input. Remember: PHP V6 will delete this option. Use the addcslashes family of functions where appropriate; please refer to the manual.

4. Verify the data source and avoid remote form submission
Do not use the superglobal $_SERVER['HTTP_REFERER'] to check the source address of the data; even a very inexperienced hacker can use tools to forge this variable. As far as possible, use MD5 or rand functions to generate a token, and when verifying the source, check that this token matches.
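
The token check described in habit 4, as an added example that is not part of the original article. It uses random_bytes() in place of the MD5/rand approach the text mentions, because the token must be unpredictable; the function names and the $session array (a stand-in for $_SESSION so the script runs from the command line) are assumptions.

```php
<?php
// Added example, not from the original article. Function names are
// hypothetical; $session stands in for $_SESSION so this runs under the CLI.

function issue_form_token(array &$session): string
{
    // random_bytes() draws from the OS CSPRNG, so the token cannot be
    // predicted the way an md5(rand()) value can.
    $token = bin2hex(random_bytes(32));
    $session['form_token'] = $token;
    $session['form_token_time'] = time();
    return $token;
}

function verify_form_token(array &$session, $submitted, int $maxAge = 1800): bool
{
    $expected = $session['form_token'] ?? null;
    $issued   = $session['form_token_time'] ?? 0;
    // Single use: discard the stored token whatever the outcome.
    unset($session['form_token'], $session['form_token_time']);

    if (!is_string($expected) || !is_string($submitted)) {
        return false; // nothing issued, field missing, or sent as an array
    }
    if (time() - $issued > $maxAge) {
        return false; // token is older than the allowed lifetime
    }
    // hash_equals() compares in constant time.
    return hash_equals($expected, $submitted);
}

// Constructed demonstration of the form round trip.
$session = [];
$token = issue_form_token($session);
echo '<input type="hidden" name="token" value="'
    . htmlentities($token, ENT_QUOTES, 'UTF-8') . '">' . PHP_EOL;

var_dump(verify_form_token($session, $token));   // form posted from our own page
var_dump(verify_form_token($session, $token));   // same token replayed

issue_form_token($session);
var_dump(verify_form_token($session, str_repeat('0', 64))); // remote form, guessed token

issue_form_token($session);
var_dump(verify_form_token($session, ['x']));    // token[]=x style array input
```

In a real page the two functions would be called with $_SESSION after session_start(), and the submitted value would come from $_POST['token'].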

5. Protect session data, especially cookies
Cookies are saved on the user's computer, and any user may change them for some reason, so we must encrypt sensitive data. MD5 and SHA1 are good encryption methods.

6. Use htmlentities() to prevent XSS attacks
Apply htmlentities() to data from any place where the user may enter script code, so that most user input that could cause program errors is converted to entities. Remember to follow the first habit: validate input data against whitelisted values in the Web application's name, e-mail address, phone number, and billing information fields.
