For many years, PHP has been a stable and inexpensive platform for running web-based applications. Like most web-based platforms, PHP is vulnerable to external attacks. Developers, database architects, and system administrators should all take precautions before deploying PHP applications to servers. Most preventive measures can be accomplished with a few lines of code or slight adjustments to application settings.
1: Manage installation scripts
If the developer has installed a set of PHP scripts for third-party applications, this script is used to install the working components of the entire application , and provide an access point. Most third-party packages recommend deleting the installation scripts contained in this directory after installation. But developers wishing to keep the installation script, they can create a .htaccess file to control administrative access to the directory.
AuthName “Administrators Only” AuthUserFile /usr/local/apache/passwd/passwords Require valid-user |
2: Header file
In many cases, developers can include several scripts distributed in the application into one script. These scripts will contain an "include" directive that integrates the individual files into the original page's code. When an "include" file contains sensitive information, including usernames, passwords, and database access keys, the file should have a ".php" extension instead of the typical ".inc" extension. The ".php" extension ensures that the PHP engine will process the file and prevents any unauthorized access.
http: //www.bkjia.com/PHPjc/445674.html