1. File system security
If php has root permissions and allows users to delete files in the script, then the user submits data without filtering, and it is very likely to delete system files
//Delete the specified file from the user directory
$username = $_POST['user_submitted_name'];
$userfile = $_POST['user_submitted_filename'];
$homedir = "/home/$username";
unlink ("$homedir/$userfile");
echo "The file has been deleted!";
?>
the above Code, assuming that the $userfile value submitted by the user is ../etc/, then the /etc directory will be deleted
To prevent file system attacks, the strategy is as follows
Only give PHP limited permissions
Variables submitted by users must be monitored and filtered, and cannot contain special characters such as file paths
Try to avoid using PHP to operate files (delete). If there is a need for this, then User-deletable files must also have random names generated by the system and cannot be controlled by the user
2. Database security
Database security mainly prevents sql injection, that is, sql injection attacks, to improve database security The strategy is as follows:
You don’t need to use the root account or the database owner account to connect to the database. Connecting to the database limits the IP of the connecting user
Using php’s pdo extension to effectively prevent sql injection. In addition to security advantages, php’s pdo extension has performance advantages There are great advantages
Please refer to http://php.net/manual/en/pdo.prepared-statements.php
Encrypt some sensitive information, common ones such as password encryption
3. User data filtering
Filtering user data can prevent XSS and CSRF attacks
Use a whitelist (user input is a fixed pattern)
For example, the user name can only use numbers and letters, then you can use the function ctype_alnum to judge
Use the function htmlentities or htmlspecialchars to process the user input. If the input url does not Allow incoming non-http protocols
User authentication uses token token (csrf)
http://htmlpurifier.org/ HTML Purifier is an open source effective solution to prevent XSS attacks,
Four , other security policies
Turn off error reporting (error_reporting, dislay_erros, error_log path can be configured in php.ini to record error information, which will help detect possible user attacks) in the online environment
Register Globals , deprecated (removed) features, do not use the
magic quotes feature, do not enable it, it has been removed in PHP-5.4
Try to use the latest version of PHP, the latest version fixes many known security issues Vulnerabilities and bugs
Strictly abiding by the above strategies in the code can basically ensure that the code will not have too many security vulnerabilities and can prevent common attacks.