Developers, database architects, and system administrators should all take precautions before deploying PHP applications to servers. Most preventive measures can be accomplished with a few lines of code or slight adjustments to application settings.
#1: Manage installation scripts
If the developer has installed a set of PHP scripts for third-party applications, this script is used to install the entire application. component and provide an access point. Most third-party packages recommend deleting the installation scripts contained in this directory after installation. But developers wishing to keep the installation script, they can create a .htaccess file to control administrative access to the directory.
AuthType Basic
AuthName “Administrators Only”
AuthUserFile /usr/local/apache/passwd/passwords
Require valid-user
Any unauthorized user who attempts to access a protected directory will see a prompt asking for a username and password. The password must match the password in the specified "passwords" file.
#2: Header Files
In many cases, developers can include several scripts distributed throughout the application into one script. These scripts will contain an "include" directive that integrates the individual files into the original page's code. When an "include" file contains sensitive information, including usernames, passwords, and database access keys, the file should have a ".php" extension instead of the typical ".inc" extension. The ".php" extension ensures that the PHP engine will process the file and prevents any unauthorized access.
#3: MD5 vs. SHA
In some cases, users end up creating their own usernames and passwords, and site administrators often do form submissions The password is encrypted and saved in the database. In years past, developers would use the MD5 (Message Digest Algorithm) function to encrypt a 128-bit string password. Today, many developers use the SHA-1 (Secure Hash Algorithm) function to create a 160-bit string.
#4: Automatic global variables
The setting contained in the php.ini file is called "register_globals". The P server will automatically create global variables for server variables and query strings based on the register_globals setting. When installing third-party software packages, such as content management software like Joomla and Drupal, the installation script will guide the user to set register_globals to "off". Changing the setting to "Off" ensures that unauthorized users cannot access data by guessing variable names and verifying passwords.
#5: Initialize variables and values
Many developers fall into the trap of instantiating variables without assigning values, possibly due to time constraints and distractions. or lack of effort. Variables during the authentication process should have values before the user login process begins. This simple step prevents users from bypassing the verification process or accessing certain areas of the site to which they do not have permission.
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
