Home > Backend Development > PHP Tutorial > Some PHP development security issues compiled

Some PHP development security issues compiled

不言
Release: 2023-03-23 08:24:02
Original
2611 people have browsed it

Sorting out some PHP development security issues



# # PHP gives developers great flexibility, but it also brings potential hidden dangers to security issues. In the near future, we need to summarize past problems. Here I will translate an article and add some feelings about my own development to summarize it. .






## Introduction


When developing an Internet service, you must always keep the concept of security in mind and reflected in the developed code. The PHP scripting language is not concerned about security issues, especially for most inexperienced developers. Whenever you talk about any transaction involving money matters, you need to pay special attention to security considerations, such as developing a forum or a shopping cart.



General points on security protection


Don’t trust the form

For general Javascript front-end verification, since the user’s behavior cannot be known, For example, turning off the browser's JavaScript engine will POST malicious data to the server. Verification needs to be done on the server side, verifying the data passed to each php script to prevent XSS attacks and SQL injection


Do not trust the user

Make the assumption that your website receives every Every piece of data contains malicious code and contains hidden threats. Each piece of data must be cleaned.


Close global variables

Perform the following configuration in the php.ini file:


register_globals = Off
Copy after login

If this configuration option is turned on, there will be great security risks. For example, there is a process.php script file that will insert the received data into the database. The form for receiving user input data may be as follows:


<input name="username" type="text" size="15" maxlength="64">
Copy after login

In this way, After submitting data to process.php, PHP will register a $username variable and submit this variable data to process.php. At the same time, such a variable will be set for any POST or GET request parameters. If initialization is not displayed, the following problem will occur (reference: http://www.lai18.com/content/434606.html)


<?php
// Define $authorized = true only if user is authenticated
if (authenticated_user()) {
    $authorized = true;
}
?>
Copy after login

Here, it is assumed that the authenticated_user function determines the value of the $authorized variable. If the register_globals configuration is turned on, then any user can send a request to set the value of the $authorized variable to any value to bypass this verification.

All these submission data should be obtained through PHP's predefined built-in global array, including $_POST, $_GET, $_FILES, $_SERVER, $_REQUEST, etc., where $_REQUEST is a $_GET/$ _POST/$_COOKIE is a joint variable of the three arrays. The default order is $_COOKIE, $_POST, and $_GET.


Recommended security configuration options

Set error_reporting to Off: Do not expose error information to users. You can set it to ON during development

Set safe_mode to Off

Set register_globals to Off

Disable the following functions: system, exec, passthru, shell_exec, proc_open, popen

Set open_basedir to /tmp, so that session information can be stored Permissions, and set a separate website root directory

Expose_php is set to Off

Allow_url_fopen is set to Off

Allow_url_include is set to Off



 SQL injection attack


For SQL statements that operate the database, special attention needs to be paid to security, because users may enter specific statements that cause the original SQL statements to change their functions. Similar to the following example:




Extended reading

"PHP Security Programming Series" series of technical articles are organized and collected

PHP Security Programming Series Favorites collects knowledge about PHP security programming and provides a learning reference for PHP security programming

1discuz’s php prevent sql injection function

2php method to prevent xss attacks

3PHP safe programming: Escape the output

4PHP safe programming: Filter user input

##5PHP safe Programming: Usability and data tracking

6PHP safe programming: Don’t let irrelevant people see the error message

7PHP secure programming: security of register_globals

8PHP secure programming: some principles of website security design

9PHP security Programming: About form spoofing submission

10PHP safe programming: HTTP request spoofing

##11PHP safe programming: don’t expose the database Access permissions


12PHP security programming: Cross-site request forgery CSRF defense


13PHP security programming: forms and data Security


#14PHP security programming: Attack from the semantics of the URL


15PHP security programming: defense against file upload attacks


16PHP security programming: defense against cross-site scripting attacks


17PHP security programming: session fixed to obtain legal session


18PHP security programming: preventing SQL injection


##19PHP security programming: cookie exposure leads to session hijacking


20PHP secure programming: prevent source code exposure


21PHP secure programming: pay attention to backdoor URLs


22PHP security programming: defense against session hijacking


23PHP security programming: brute force attack


24PHP Secure Programming: Password Sniffing and Replay Attacks


25PHP Secure Programming: Safe Practices for Remembering Login Status


26PHP Secure Programming: Shell Command Injection


27PHP Secure Programming: Risks of Opening Remote Files


28PHP Secure programming: File directory guessing vulnerability


29PHP secure programming: Prevent file names from being manipulated


30PHP secure programming: File Contains Code Injection Attack


31PHP Secure Programming: Better Session Data Security


32PHP Secure Programming: Source code security of shared hosting


33PHP security programming: session data injection


34PHP security programming: host file directory browsing


35PHP safe programming: PHP’s safe mode


36php safety uses $ to get the value directly instead of $_GET Character escaping


37php prevent vulnerability strategies and create high-performance web


38What XSS attack? PHP prevent XSS attack function


39 Parsing PHP method to prevent form from repeated submission


40php security dog ​​tail continued mink

41PHP prevents cross-domain form submission

42php prevents SQL injection detailed explanation and prevention

##43php Prevent sql injection code examples

44php Prevent sql injection example analysis and several common attack regular expressions

45PHP Security: Prevent your source code or important configuration information from being exposed

46 A simple example of PHP preventing repeated submission of data

47php Methods to prevent forged data from being submitted from URL

48PHP Summary of several common methods to prevent repeated submission of forms

49php method to prevent forged data from being submitted from the address bar URL

50php method to prevent remote form submission from outside the site

51php Example of filtering paging parameters to prevent sql injection

52PHP security attacks and solutions that may be encountered when installing in Apache mode

53 File system security and preventive measures for PHP security

54 File system security for PHP security - Null character problem

55PHP security database security - SQL injection and preventive measures

56PHP security introduction and general principles

57PHP Security: Possible attacks and solutions when installing in CGI mode

##58PHP Security: User-submitted data


59PHP Security Database Security - Design, Connection and Encryption


##60PHP Security Magic Quotes - What are magic quotes and how to use them


61PHP Security Hidden PHP Script Extension


62PHP Security Use Register Globals


63PHP security error report


64php method to prevent malicious refresh and ticket brushing


65php Summary of methods to prevent the website from being refreshed


66 Summary of common security vulnerabilities in PHP websites and corresponding preventive measures

Related recommendations:

Related summary of security issues in PHP development_PHP tutorial

The above is the detailed content of Some PHP development security issues compiled. For more information, please follow other related articles on the PHP Chinese website!

Related labels:
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template