Website anti-injection and hang-up PHP.INI security settings

When you want to prevent page attacks, you can include the anti-attack file in the header of the page, just like universal anti-injection file. We can do it in three ways:
1, in each document reference. Such a file is fine, but not convenient if there are hundreds of files in a website.
2, reference in the included file, such as config.inc.php tutorial. This is a good way, but also the more popular way on the market today.
3, referenced in php.ini. Cited in the configuration file, it will affect all sites, including all the pages, it is like some of the popular free space business that year, when you open a free ftp space, upload the site, there will be space ads. Do not know if this is the way, but the purpose is the same. The benefits of doing so is: if it is a company or an enterprise website, that is safe, easy to maintain.

The first two methods we all know, the third is in php.ini, find this section:

automatically add files before or after any php document.
; auto_prepend_file = "phpids.php"
; auto_append_file = "alert.php" default is empty, please add the included file.
Also found:

; unix: "/ path1: / path2"
; include_path = ".: / php / includes"
;
; windows: "path1; path2"
include_path = ".; f: phpnowhtdocs"
Because I win environment, so open the windows option, including the path can be freely modified. At the same time, this function also contributed to the convenience of our attack, such as hanging horse. Now there are many hanging horse skills in the "market", so I will not say more. We can use the auto_prepend_file option to hang in batches, you can hang the entire site on the server, the advantage is: does not affect the speed, do not modify the file, the method is novel. Disadvantages: php.ini must have write permission.