PHP code security, and defenses against XSS, SQL injection and similar attacks, matter for sites of every kind, but especially for UGC (User Generated Content) sites, forums and e-commerce sites, which are hit hardest by XSS and SQL injection. Below is a brief introduction to the basic programming points. Compared with system security, PHP security requires the programmer to be far more careful with every parameter that comes from the user.
Security at PHP build time
It is recommended to build PHP with the Suhosin patch, which applies a set of hardening protections to the engine (note that Suhosin targets PHP 5 and is not maintained for current PHP releases).
php.ini security settings
register_globals = off
magic_quotes_gpc = off
display_errors = off
log_errors = on
; allow_url_fopen = off
expose_php = off
open_basedir =
safe_mode = on
disable_functions = exec,system,passthru,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,dl,popen,show_source,get_cfg_var
safe_mode_include_dir =
Note: register_globals, magic_quotes_gpc, safe_mode and safe_mode_include_dir were removed in PHP 5.4, so on current PHP versions only the remaining directives apply. open_basedir takes the directory tree the application is allowed to read; disable_functions is a comma-separated list.
DB SQL preprocessing
mysql_real_escape_string (many PHP programs still rely on addslashes to prevent SQL injection, but with Chinese encodings this remains a problem. The issue with addslashes is that an attacker can send 0xbf27 in place of a single quote: in GBK, 0xbf27 is not a valid character, but addslashes turns it into 0xbf5c27, where 0xbf5c is now a valid multibyte character and the trailing 0x27 is left over as a bare single quote, as detailed in this article). mysql_real_escape_string also needs the correct connection character set to be specified (mysql_set_charset), otherwise the same problem can still occur.
Use prepared statements: PDO prepare() + execute().
The Zend Framework DB class's quote or quoteInto: these two methods are implemented by each database adapter, unlike mysql_real_escape_string, which can only be used with MySQL.
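The three approaches above side by side, as an added example that is not from the original post. It assumes a MySQL database reachable with the placeholder DSN and credentials and a table `users(id, name)`; the mysqli functions stand in for the old mysql_* extension, which was removed in PHP 7.

```php
<?php
// Added example (not from the original post): the same lookup written three ways.
// Placeholders: DSN, credentials and the `users` table are assumed.
$dsn  = 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4'; // charset in the DSN so escaping matches the connection
$user = 'app_user';   // placeholder
$pass = 'app_pass';   // placeholder

// 1) Weak: string concatenation protected only by addslashes().
function find_user_unsafe(PDO $pdo, string $name): array
{
    // addslashes() knows nothing about the connection charset, which is the
    // weakness described above: a multibyte sequence can leave a bare quote behind.
    $sql = "SELECT id, name FROM users WHERE name = '" . addslashes($name) . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2) Safe: PDO prepared statement; the value never becomes part of the SQL text.
function find_user_prepared(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 3) Legacy mysqli path: escaping is acceptable only after set_charset(), so that
// real_escape_string() uses the same character set as the connection.
function find_user_mysqli(mysqli $db, string $name): array
{
    $db->set_charset('utf8mb4');
    $sql = "SELECT id, name FROM users WHERE name = '" . $db->real_escape_string($name) . "'";
    return $db->query($sql)->fetch_all(MYSQLI_ASSOC);
}

$pdo = new PDO($dsn, $user, $pass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares, not client-side quoting
]);
print_r(find_user_prepared($pdo, $_GET['name'] ?? ''));
```

With PDO::ATTR_EMULATE_PREPARES set to false the parameter is sent separately from the statement, so the character-set problem described above does not arise at all; the charset in the DSN still matters for the data itself.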
User input processing
If you do not need to keep HTML tags, you can use one of the following functions:
strip_tags: deletes all HTML tags from the string
htmlspecialchars: escapes only the characters "&", "<", ">", "\"" (and "'" when ENT_QUOTES is passed)
htmlentities: escapes every character that has an HTML entity equivalent
If you must keep the HTML tags, consider one of the following tools:
HTML Purifier: a standards-compliant HTML filter library written in PHP.
PHP HTML Sanitizer: removes unsafe tags and attributes from HTML code
htmLawed: PHP code to purify & filter HTML
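The three escaping functions applied to one constructed piece of user text, as an added example that is not from the original post. It also shows that the escaping must fit the output context (HTML body, attribute, URL), which the list above does not spell out.

```php
<?php
// Added example (not from the original post). $input is a constructed sample of user-supplied text.
$input = '<b>Hi</b> <script>alert("x")</script> Tom & "Jerry"';

// strip_tags removes the tags but keeps their text content, so the script body survives as plain text.
$stripped = strip_tags($input);

// htmlspecialchars escapes & < > " and, with ENT_QUOTES, ' as well.
// Always pass the charset so multibyte sequences are not split mid-character.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// htmlentities does the same and additionally converts every other character that has a named entity.
$entities = htmlentities($input, ENT_QUOTES, 'UTF-8');

// HTML body context.
echo '<p>' . e($input) . "</p>\n";

// Attribute context: escape and always quote the attribute value.
echo '<input type="text" name="q" value="' . e($input) . '">' . "\n";

// URL context: HTML escaping is not enough, encode the query component.
echo '<a href="/search?q=' . rawurlencode($input) . '">search</a>' . "\n";

// JavaScript context: serialize as JSON rather than escaping as HTML.
echo '<script>var q = ' . json_encode($input, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT | JSON_HEX_APOS) . ";</script>\n";

echo "stripped: $stripped\nentities: $entities\n";
```

Prefer escaping at output time over filtering at input time: the same stored string may be rendered in several contexts, and each one needs its own encoding.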
Uploading files
Use the is_uploaded_file and move_uploaded_file functions with the $_FILES array (the old $HTTP_POST_FILES array is deprecated). Also make sure the PHP interpreter cannot execute files in the upload directory, so that a user who uploads a PHP script cannot run it.
If you use the ZF framework, consider the File_upload module.
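An upload handler that follows the points above, as an added example that is not from the original post. The form field name "photo", the upload directory and the allowed types are assumptions; the directory is placed outside the web root so the interpreter never sees the files.

```php
<?php
// Added example (not from the original post). Placeholders: field name "photo", UPLOAD_DIR, allowed types.
const UPLOAD_DIR = '/var/app/uploads';   // placeholder: outside the document root, so PHP is never run from it
const ALLOWED    = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];
const MAX_BYTES  = 2 * 1024 * 1024;

function store_upload(array $file): string
{
    if (!isset($file['tmp_name'], $file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // Only accept files that PHP itself placed in the temp directory for this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Decide the type from the file contents, not from the client-supplied name or MIME type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('unsupported type');
    }
    // Server-chosen random name with a fixed extension: the original filename never reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move file');
    }
    chmod($dest, 0644); // readable, not executable
    return $name;
}

if (isset($_FILES['photo'])) {
    echo 'stored as ' . htmlspecialchars(store_upload($_FILES['photo']), ENT_QUOTES, 'UTF-8');
}
```

If the upload directory has to stay under the web root, disable the PHP handler for it in the web server configuration (for Apache with mod_php, `php_admin_flag engine off` in that directory's block) so that a file with a .php name is served as a download, never executed.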
Session, cookie and form handling
Do not rely on cookies for core validation. Important information needs to be encrypted. Hash the data before it is transmitted in a form POST. For example, if the form elements you send out are as follows:
<input type="hidden" name="H[name]" value="<?php echo htmlspecialchars($Oname, ENT_QUOTES, 'UTF-8'); ?>" />
<input type="hidden" name="H[age]" value="<?php echo htmlspecialchars($Oage, ENT_QUOTES, 'UTF-8'); ?>" />
<?php $sign = md5('name' . $Oname . 'age' . $Oage . $secret); ?>
<input type="hidden" name="hash" value="<?php echo $sign; ?>" />
After the POST comes back, verify the parameters:
$str = "";
foreach ($_POST['H'] as $key => $value) {
    $str .= $key . $value;  // must match the order and concatenation used when signing
}
if ($_POST['hash'] != md5($str . $secret)) {
    echo "Hidden form data modified"; exit;
}
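The same idea with an HMAC instead of a bare hash, a canonical serialization of the fields and a constant-time comparison, as an added example that is not from the original post. $secret is assumed to be a server-side key loaded from configuration (a placeholder here), and the sample field values are constructed.

```php
<?php
// Added example (not from the original post). $secret is a placeholder for a key kept on the server.
$secret = 'replace-with-a-long-random-server-side-key';

// Canonical form: sort by key and serialize with http_build_query, so "name=Tom&age=5"
// cannot be re-split into different fields (plain key.value concatenation is ambiguous).
function sign_fields(array $fields, string $secret): string
{
    ksort($fields);
    return hash_hmac('sha256', http_build_query($fields), $secret);
}

function verify_fields(array $fields, string $given, string $secret): bool
{
    // hash_equals compares in constant time, so the comparison does not leak where it diverges.
    return hash_equals(sign_fields($fields, $secret), $given);
}

// Rendering the hidden fields plus their signature.
function hidden_fields(array $fields, string $secret): string
{
    $html = '';
    foreach ($fields as $k => $v) {
        $html .= sprintf('<input type="hidden" name="H[%s]" value="%s" />' . "\n",
            htmlspecialchars((string) $k, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8'));
    }
    $html .= sprintf('<input type="hidden" name="hash" value="%s" />' . "\n", sign_fields($fields, $secret));
    return $html;
}

// Handling the POST.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $fields = isset($_POST['H']) && is_array($_POST['H']) ? $_POST['H'] : [];
    $given  = isset($_POST['hash']) && is_string($_POST['hash']) ? $_POST['hash'] : '';
    if (!verify_fields($fields, $given, $secret)) {
        http_response_code(400);
        echo 'Hidden form data modified';
        exit;
    }
    // $fields are now known to be exactly what the server rendered.
} else {
    // Constructed sample values.
    echo '<form method="post">' . hidden_fields(['name' => 'Tom', 'age' => 30], $secret)
       . '<button type="submit">Send</button></form>';
}
```

The signature proves that the hidden fields were not altered, not that the submission is fresh: a signed set of fields can be resubmitted unchanged. If that matters, include a per-session value or an expiry timestamp among the signed fields and check it on the server.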
PHP security detection tools (XSS and SQL injection)
Wapiti - web application security auditor (SQL injection / XSS checking tool)
Installation / usage:
apt-get install libtidy-0.99-0 python-ctypes python-utidylib
python wapiti.py http://<your-website-url>/ -m GET_XSS
Pixy: XSS and SQLI scanner for PHP (Pixy - PHP source code defect analysis tool)
Installation: apt-get install default-jdk