创建高安全性PHP网站的几个实用要点，安全性php实用要点-php手册-php.cn

Table of Contents

创建高安全性PHP网站的几个实用要点，安全性php实用要点

　技巧1：使用合适的错误报告

　技巧2：不使用PHP的Weak属性

　技巧3:验证用户输入

　技巧4：避免用户进行交叉站点脚本攻击

　技巧5：预防SQL注入攻击

Home

php教程

php手册

创建高安全性PHP网站的几个实用要点，安全性php实用要点

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Jun 13, 2016 am 09:19 AM

php several create safety practical net Main points high

创建高安全性PHP网站的几个实用要点，安全性php实用要点

大家都知道PHP已经是当前最流行的Web应用编程语言了。但是也与其他脚本语言一样，PHP也有几个很危险的安全漏洞。所以在这篇教学文章中，我们将大致看看几个实用的技巧来让你避免一些常见的PHP安全问题。

　技巧1：使用合适的错误报告

　　一般在开发过程中，很多程序员总是忘了制作程序错误报告，这是极大的错误，因为恰当的错误报告不仅仅是最好的调试工具，也是极佳的安全漏洞检测工具，这能让你把应用真正上线前尽可能找出你将会遇到的问题。

　　当然也有很多方式去启用错误报告。比如在 php.in 配置文件中你可以设置在运行时启用

　　启动错误报告

error_reporting(E_ALL);

Copy after login

　　停用错误报告

error_reporting(0);

Copy after login

　技巧2：不使用PHP的Weak属性

　　有几个PHP的属性是需要被设置为OFF的。一般它们都存在于PHP4里面，而在PHP5中是不推荐使用的。尤其最后在PHP6里面，这些属性都被移除了。

　　注册全局变量

　　当 register_globals 被设置为ON时，就相当于设置Environment，GET,POST,COOKIE或者Server变量都定义为全局变量。此时你根本不需要去写 $_POST['username']来获取表单变量'username'，只需要'$username'就能获取此变量了。

　　那么你肯定在想既然设置 register_globals 为 ON 有这么方便的好处，那为什么不要使用呢？因为如果你这样做将会带来很多安全性的问题，而且也可能与局部变量名称相冲突。

　　比如先看看下面的代码：

if( !empty( $_POST['username'] ) && $_POST['username'] == &lsquo;test123&prime; && !empty( $_POST['password'] ) && $_POST['password'] == &ldquo;pass123&Prime; )
{
$access = true;
}

Copy after login

　　如果运行期间, register_globals 被设置为ON，那么用户只需要传输 access=1 在一句查询字符串中就能获取到PHP脚本运行的任何东西了。

　　在.htaccess中停用全局变量

php_flag register_globals 0

Copy after login

　　在php.ini中停用全局变量

register_globals = Off

Copy after login

　　停用类似 magic_quotes_gpc, magic_quotes_runtime, magic_quotes_sybase 这些Magic Quotes

　　在.htaccess文件中设置

php_flag magic_quotes_gpc 0
php_flag magic_quotes_runtime 0

Copy after login

　　在php.ini中设置

magic_quotes_gpc = Off
magic_quotes_runtime = Off
magic_quotes_sybase = Off

Copy after login

　技巧3:验证用户输入

　　你当然也可以验证用户的输入，首先必须知道你期望用户输入的数据类型。这样就能在浏览器端做好防御用户恶意攻击你的准备。

　技巧4：避免用户进行交叉站点脚本攻击

　　在Web应用中，都是简单地接受用户输入表单然后反馈结果。在接受用户输入时，如果允许HTML格式输入将是非常危险的事情，因为这也就允许了JavaScript以不可预料的方式侵入后直接执行。哪怕只要有一个这样漏洞，cookie数据都可能被盗取进而导致用户的账户被盗取。

　技巧5：预防SQL注入攻击

　　PHP基本没有提供任何工具来保护你的数据库，所以当你连接数据库时，你可以使用下面这个mysqli_real_escape_string 函数。

$username = mysqli_real_escape_string( $GET['username'] );
mysql_query( &ldquo;SELECT * FROM tbl_employee WHERE username = &rsquo;&rdquo;.$username.&ldquo;&lsquo;&rdquo;);

Copy after login

　　好了，在这篇简短的文章中，我们阐述了几个开发过程中不能忽视的PHP安全性问题。但是最终是否使用，如何使用还是开发人员来决定的。希望这篇文章能帮助到你们。

Statement of this Website

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Hot AI Tools

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress images for free

Clothoff.io

AI clothes remover

AI Hentai Generator

Generate AI Hentai for free.

Hot Article

R.E.P.O. Energy Crystals Explained and What They Do (Yellow Crystal)

3 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

R.E.P.O. Best Graphic Settings

3 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

Assassin's Creed Shadows: Seashell Riddle Solution

2 weeks ago By DDD

R.E.P.O. How to Fix Audio if You Can't Hear Anyone

3 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

WWE 2K25: How To Unlock Everything In MyRise

3 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

Hot Tools

Notepad++7.3.1

Easy-to-use and free code editor

SublimeText3 Chinese version

Chinese version, very easy to use

Zend Studio 13.0.1

Powerful PHP integrated development environment

Dreamweaver CS6

Visual web development tools

SublimeText3 Mac version

God-level code editing software (SublimeText3)

Hot Topics

Where is the login entrance for gmail email?

7455

CakePHP Tutorial

1375

What is the format of the account name of steam

win11 activation key permanent

nyt connections hints and answers

Related knowledge

PHP 8.4 Installation and Upgrade guide for Ubuntu and Debian Dec 24, 2024 pm 04:42 PM

PHP 8.4 brings several new features, security improvements, and performance improvements with healthy amounts of feature deprecations and removals. This guide explains how to install PHP 8.4 or upgrade to PHP 8.4 on Ubuntu, Debian, or their derivati

CakePHP Working with Database Sep 10, 2024 pm 05:25 PM

Working with database in CakePHP is very easy. We will understand the CRUD (Create, Read, Update, Delete) operations in this chapter.

CakePHP Date and Time Sep 10, 2024 pm 05:27 PM

To work with date and time in cakephp4, we are going to make use of the available FrozenTime class.

CakePHP File upload Sep 10, 2024 pm 05:27 PM

To work on file upload we are going to use the form helper. Here, is an example for file upload.

Discuss CakePHP Sep 10, 2024 pm 05:28 PM

CakePHP is an open-source framework for PHP. It is intended to make developing, deploying and maintaining applications much easier. CakePHP is based on a MVC-like architecture that is both powerful and easy to grasp. Models, Views, and Controllers gu

CakePHP Creating Validators Sep 10, 2024 pm 05:26 PM

Validator can be created by adding the following two lines in the controller.

CakePHP Logging Sep 10, 2024 pm 05:26 PM

Logging in CakePHP is a very easy task. You just have to use one function. You can log errors, exceptions, user activities, action taken by users, for any background process like cronjob. Logging data in CakePHP is easy. The log() function is provide

How To Set Up Visual Studio Code (VS Code) for PHP Development Dec 20, 2024 am 11:31 AM

Visual Studio Code, also known as VS Code, is a free source code editor — or integrated development environment (IDE) — available for all major operating systems. With a large collection of extensions for many programming languages, VS Code can be c

See all articles