Analysis of key points of PHP security protection_PHP tutorial-PHP Tutorial-php.cn

Home

Backend Development

PHP Tutorial

Analysis of key points of PHP security protection_PHP tutorial

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Jul 15, 2016 pm 01:35 PM

php web trust about analyze external safety Security app data yes of Main points

The first thing that must be realized about web application security is that external data should not be trusted. External data includes any data that is not entered directly by the programmer into the PHP code. Any data from any other source (such as GET variables, form POST, databases, configuration files, session variables, or cookies) cannot be trusted until steps are taken to ensure security.

For example, the following data elements can be considered safe because they are set in PHP.

PHP Security Protection Checklist 1. Safe and flawless code

<ol class="dp-xml"><li class="alt"><span><span class="tag"><</span><span> ?php  </span></span></li><li><span>$</span><span class="attribute">myUsername</span><span> = &lsquo;tmyer&rsquo;;  </span></li><li class="alt"><span>$</span><span class="attribute-value">array</span><span class="attribute">arrayUsers</span><span> = array<br />(&rsquo;tmyer&rsquo;, &lsquo;tom&rsquo;, &lsquo;tommy&rsquo;);  </span></li><li><span>define(&rdquo;GREETING&rdquo;, &lsquo;hello<br /> there&rsquo; . $myUsername);  </span></li><li class="alt"><span class="tag">?></span><span> </span></span></li></ol>

Copy after login

However, the following data elements are all flawed.

PHP Security Protection Checklist 2. Unsafe and Flawed Code

<ol class="dp-xml"><li class="alt"><span><span class="tag"><</span><span> ?php  </span></span></li><li><span>$</span><span class="attribute">myUsername</span><span> = $_POST[&rsquo;username&rsquo;]; <br />//tainted!  </span></li><li class="alt"><span>$</span><span class="attribute-value">array</span><span class="attribute">arrayUsers</span><span> = array($my<br />Username, &lsquo;tom&rsquo;, &lsquo;tommy&rsquo;); <br />//tainted!  </span></li><li><span>define(&rdquo;GREETING&rdquo;, &lsquo;hello there&rsquo; <br />. $myUsername); //tainted!  </span></li><li class="alt"><span class="tag">?></span><span> </span></span></li></ol>

Copy after login

Why is the first variable $myUsername defective? of? Because it comes directly from the form POST. Users can enter any string into this input field, including malicious commands to clean files or run previously uploaded files.

You may ask, "Can't you avoid this danger by using a client-side (Javascrīpt) form validation script that only accepts the letters A-Z?" Yes, this is always a beneficial step, but as As we'll see later, anyone can download any form to their own machine, modify it, and resubmit whatever they need.

The solution is simple: the sanitization code must be run on $_POST[’username’]. If you don't do this, you risk polluting these objects any other time you use $myUsername (such as in an array or constant).

A simple way to sanitize user input is to use regular expressions to process it. In this example, only letters are expected to be accepted. It might also be a good idea to limit the string to a specific number of characters, or require all letters to be lowercase.

PHP Security Protection Checklist 3. Make user input safe

<ol class="dp-xml"><li class="alt"><span><span class="tag"><</span><span> ?php  </span></span></li><li><span>$</span><span class="attribute">myUsername</span><span> = </span><span class="attribute-value">cleanInput</span><span>($_<br />POST[&rsquo;username&rsquo;]); //clean!  </span></li><li class="alt"><span>$</span><span class="attribute-value">array</span><span class="attribute">arrayUsers</span><span> = array(<br />$myUsername, &lsquo;tom&rsquo;, &lsquo;tommy&rsquo;); //clean!  </span></li><li><span>define(&rdquo;GREETING&rdquo;, &lsquo;hello <br />there&rsquo; . $myUsername); //clean!  </span></li><li class="alt"><span>function cleanInput($input){  </span></li><li><span>$</span><span class="attribute">clean</span><span> = </span><span class="attribute-value">strtolower</span><span>($input);  </span></li><li class="alt"><span>$</span><span class="attribute">clean</span><span> = </span><span class="attribute-value">preg_replace</span><span>(&rdquo;/[^a-z]<br />/&rdquo;, &ldquo;&rdquo;, $clean);  </span></li><li><span>$</span><span class="attribute">clean</span><span> = </span><span class="attribute-value">substr</span><span>($clean,0,12);  </span></li><li class="alt"><span>return $clean;  </span></li><li><span>}  </span></li><li class="alt"><span class="tag">?></span><span> </span></span></li></ol>

Copy after login

The above is an explanation of relevant techniques for PHP security protection.

Statement of this Website

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Hot AI Tools

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress images for free

Clothoff.io

AI clothes remover

AI Hentai Generator

Generate AI Hentai for free.

Hot Article

R.E.P.O. Energy Crystals Explained and What They Do (Yellow Crystal)

2 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

How Long Does It Take To Beat Split Fiction?

4 weeks ago By DDD

R.E.P.O. Save File Location: Where Is It & How to Protect It?

1 months ago By DDD

R.E.P.O. Best Graphic Settings

2 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

R.E.P.O. How to Fix Audio if You Can't Hear Anyone

2 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

Hot Tools

Notepad++7.3.1

Easy-to-use and free code editor

SublimeText3 Chinese version

Chinese version, very easy to use

Zend Studio 13.0.1

Powerful PHP integrated development environment

Dreamweaver CS6

Visual web development tools

SublimeText3 Mac version

God-level code editing software (SublimeText3)

Hot Topics

Where is the login entrance for gmail email?

7385

Java Tutorial

1629

CakePHP Tutorial

1357

Laravel Tutorial

1267

PHP Tutorial

1216

Related knowledge

CakePHP Project Configuration Sep 10, 2024 pm 05:25 PM

In this chapter, we will understand the Environment Variables, General Configuration, Database Configuration and Email Configuration in CakePHP.

PHP 8.4 Installation and Upgrade guide for Ubuntu and Debian Dec 24, 2024 pm 04:42 PM

PHP 8.4 brings several new features, security improvements, and performance improvements with healthy amounts of feature deprecations and removals. This guide explains how to install PHP 8.4 or upgrade to PHP 8.4 on Ubuntu, Debian, or their derivati

CakePHP Date and Time Sep 10, 2024 pm 05:27 PM

To work with date and time in cakephp4, we are going to make use of the available FrozenTime class.

CakePHP File upload Sep 10, 2024 pm 05:27 PM

To work on file upload we are going to use the form helper. Here, is an example for file upload.

CakePHP Routing Sep 10, 2024 pm 05:25 PM

In this chapter, we are going to learn the following topics related to routing ?

Discuss CakePHP Sep 10, 2024 pm 05:28 PM

CakePHP is an open-source framework for PHP. It is intended to make developing, deploying and maintaining applications much easier. CakePHP is based on a MVC-like architecture that is both powerful and easy to grasp. Models, Views, and Controllers gu

CakePHP Creating Validators Sep 10, 2024 pm 05:26 PM

Validator can be created by adding the following two lines in the controller.

CakePHP Working with Database Sep 10, 2024 pm 05:25 PM

Working with database in CakePHP is very easy. We will understand the CRUD (Create, Read, Update, Delete) operations in this chapter.

See all articles