Writing secure PHP code and understanding XSS, SQL injection and similar attacks matters for every website, and especially for UGC (User Generated Content) sites, forums and e-commerce sites, which are the areas hit hardest by XSS and SQL injection. This is a brief introduction to some basic programming points. Compared with system security, PHP security depends on the programmer being careful with every parameter a user supplies.
Security at PHP build time
Applying the Suhosin patch is recommended (keep in mind that Suhosin targets PHP 5.x), and the security patches for the PHP version in use must be installed.
php.ini security settings
register_globals = Off       ; removed in PHP 5.4; on older versions always Off
magic_quotes_gpc = Off       ; removed in PHP 5.4; escape at the point of use instead
display_errors = Off         ; never show stack traces or SQL errors to visitors
log_errors = On
; allow_url_fopen = Off      ; optional: disable unless code really needs remote fopen()
expose_php = Off
open_basedir =               ; set to the application's directory tree to confine file access
safe_mode = On               ; removed in PHP 5.4; rely on OS permissions and open_basedir instead
disable_functions = exec,system,passthru,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,dl,popen,show_source,get_cfg_var
safe_mode_include_dir =
Database access: escaping and prepared statements
mysql_real_escape_string. Many PHP developers still rely on addslashes to prevent SQL injection, but that approach breaks with multibyte encodings such as GBK. The attacker sends 0xbf27, where 0x27 is the single quote; addslashes inserts a backslash (0x5c) and produces 0xbf5c27. In GBK, 0xbf5c is a valid two-byte character, so the server consumes it as one character and the trailing 0x27 is once again a bare single quote. mysql_real_escape_string knows the connection's character set and avoids this, but only if that character set is set correctly on the connection (with mysql_set_charset, not with a SET NAMES query); otherwise the same problem remains. The mysql_* extension was removed in PHP 7; on current versions use mysqli_real_escape_string together with mysqli_set_charset, or PDO::quote.
prepare + execute (PDO): prepared statements send the SQL text and the parameter values separately, so user input can never change the structure of the statement. Prefer them over escaping wherever possible.
Zend Framework can use quote or quoteInto of the DB adapter class. These two methods are implemented for each supported database, unlike mysql_real_escape_string, which only works with MySQL.
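The three approaches side by side, as an added example that is not code from the original article. It assumes a MySQL table users(id, name, email); the DSN, credentials and the $db connection are placeholders, and the payloads are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // make mysqli failures throw

// 1. Vulnerable: the name is concatenated into the statement. Kept only to make the
//    payload's effect visible; never write this.
function buildVulnerableSql(string $name): string
{
    return "SELECT id, name, email FROM users WHERE name = '$name'";
}

// 2. Escaping. Safe only if the connection charset is set with set_charset(), so the
//    escaper applies the same multibyte rules as the server. Issuing "SET NAMES gbk" as
//    a query instead leaves the client library on its default charset, which is exactly
//    the 0xbf27 -> 0xbf5c27 hole described above.
function findUserEscaped(mysqli $db, string $name): array
{
    $db->set_charset('utf8mb4');
    $safe = $db->real_escape_string($name);
    $res  = $db->query("SELECT id, name, email FROM users WHERE name = '$safe'");
    return $res->fetch_all(MYSQLI_ASSOC);
}

// 3. Preferred: PDO prepared statement. With emulation off, the SQL text and the
//    parameter travel separately, so no byte of $name can alter the query structure.
function connectPdo(): PDO
{
    return new PDO(
        'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4', // placeholder DSN
        'app_user',                                          // placeholder credentials
        'app_password',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
}

function findUserPrepared(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name, email FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed payloads: the classic tautology and the GBK multibyte trick.
$tautology = "x' OR '1'='1";
$gbkTrick  = "\xbf\x27 OR 1=1 -- ";

// Against the vulnerable builder the tautology turns the WHERE clause into one that
// matches every row; print it to see the resulting statement.
echo buildVulnerableSql($tautology), PHP_EOL;

// The prepared version binds either payload as data and searches for that literal name:
// $pdo = connectPdo();
// print_r(findUserPrepared($pdo, $tautology));
// print_r(findUserPrepared($pdo, $gbkTrick));
```

ATTR_EMULATE_PREPARES is switched off deliberately: with emulation on, PDO interpolates the values client-side and is back to relying on correct escaping and the connection charset.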
Processing of user input
If HTML tags do not need to be preserved, use one of the following:
strip_tags removes all HTML tags from the string (attributes on tags listed as allowed are kept, so it is not a sanitizer).
htmlspecialchars escapes only "&", "<", ">" and the double quote; the single quote is escaped only when ENT_QUOTES is passed.
htmlentities escapes every character that has an HTML entity equivalent.
If HTML tags must be retained, the following tools can be considered:
HTML Purifier: a standards-compliant HTML filter library written in PHP.
PHP HTML Sanitizer: removes unsafe tags and attributes from HTML code.
htmLawed: PHP code to purify and filter HTML.
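Output encoding by context, plus HTML Purifier for the case where markup must survive, as an added example that is not code from the original article or from the HTML Purifier project. It assumes HTML Purifier is installed; the autoloader path is a placeholder, and the hostile inputs are constructed.

```php
<?php
declare(strict_types=1);

// HTML text and attribute context. ENT_QUOTES is required: the default flags (before
// PHP 8.1) leave the single quote alone, which breaks out of single-quoted attributes.
function escHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Inline JavaScript string context: HTML-escaping is the wrong tool here; emit a JSON
// literal with the HTML-significant characters hex-escaped so "</script>" cannot appear.
function escJs(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// URL query component.
function escUrl(string $s): string
{
    return rawurlencode($s);
}

// UGC that must keep some markup: whitelist tags and attributes with HTML Purifier.
// strip_tags() with an allowed-tags list keeps attributes such as onclick or a
// javascript: href on the allowed tags, so it cannot do this job.
function cleanHtml(string $dirty): string
{
    require_once '/path/to/htmlpurifier/library/HTMLPurifier.auto.php'; // placeholder path
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', 'p,br,b,i,em,strong,ul,ol,li,a[href],blockquote');
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true, 'mailto' => true]);
    $config->set('HTML.Nofollow', true);
    return (new HTMLPurifier($config))->purify($dirty);
}

// Constructed hostile inputs.
$name = "' onmouseover='alert(1)";
$body = '<p>hi</p><img src=x onerror=alert(1)><a href="javascript:alert(1)">x</a>';

// Each value goes through the escaper for the context it lands in.
$html  = "<a title='" . escHtml($name) . "' href='/u?n=" . escUrl($name) . "'>" . escHtml($name) . "</a>\n";
$html .= "<script>var who = " . escJs($name) . ";</script>\n";
$html .= "<div class=\"post\">" . cleanHtml($body) . "</div>\n";
echo $html;
```

The rule to take away is that the escaper is chosen by where the value is inserted (HTML body, attribute, JavaScript string, URL), not by where it came from; a value that is safe in one context is not automatically safe in another.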
File uploads
Use the is_uploaded_file and move_uploaded_file functions on entries of the $_FILES array (the old $HTTP_POST_FILES name was removed in PHP 5.4). Prevent users from uploading PHP scripts by choosing the stored file name yourself and by turning off PHP interpretation for the upload directory in the web server.
You can also consider the File_upload component of the Zend Framework.
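A complete upload handler along these lines, as an added example that is not code from the original article. The upload directory, form field name, size limit and allowed types are assumptions chosen for the demonstration.

```php
<?php
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads';            // assumed; ideally outside the web root
const MAX_BYTES  = 2 * 1024 * 1024;
const ALLOWED    = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

// Returns the server-chosen file name, or throws.
function storeUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, code ' . ($file['error'] ?? 'none'));
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Refuse anything that did not arrive through PHP's upload mechanism.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Decide the type from the bytes, never from $file['type'] or the client's file name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('disallowed type ' . $mime);
    }
    // Random name with an extension we control: "shell.php" or "a.php.png" cannot survive.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . DIRECTORY_SEPARATOR . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move upload');
    }
    chmod($dest, 0644); // readable, never executable
    return $name;
}

// Usage from a form with <input type="file" name="avatar">:
if (isset($_FILES['avatar'])) {
    try {
        $stored = storeUpload($_FILES['avatar']);
        echo 'stored as ', htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), PHP_EOL;
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ', htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8'), PHP_EOL;
    }
}

// Web server side, so that even a file that slips through is never executed:
//   Apache with mod_php, in the upload directory's .htaccess:
//     php_flag engine off
//     RemoveHandler .php .phtml .php5
//   nginx: place a rule that denies *.php under /uploads/ before the PHP handler block,
//     location ~* ^/uploads/.*\.php$ { deny all; }
//   Best of all, keep UPLOAD_DIR outside the document root and serve files through a
//   PHP script that only reads them.
```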
Secure processing of Session, Cookie and Form
Do not rely on cookies alone for core verification; encrypt important information, and hash the data before the form is posted so that tampered hidden fields are detected. For example, the form sends its hidden values as H[key] inputs together with a hash field that is the md5 of the concatenated key/value pairs followed by a server-side secret; when the POST comes back, verify the parameters against that hash:
Program code
$str = "";
foreach ($_POST['H'] as $key => $value) {   // rebuild the string that was hashed when the form was rendered
    $str .= $key . $value;
}
// hash_equals() compares in constant time and avoids PHP's loose "0e..." string comparison
if (!isset($_POST['hash']) || !hash_equals(md5($str . $secret), (string) $_POST['hash'])) {
    echo "Hidden form data modified";
    exit;
}
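Both halves of the scheme, rendering the signed hidden fields and verifying them on the way back, as an added example that is not code from the original article. It replaces md5($str.$secret) with an HMAC over a canonical encoding, which is an assumption of this example rather than the page's method; the secret value and the form fields are placeholders.

```php
<?php
declare(strict_types=1);

const FORM_SECRET = 'replace-with-a-long-random-server-side-value'; // placeholder; never in the form

// Canonical encoding: sorted keys and URL-encoded pairs. Plain concatenation of
// $key.$value is ambiguous ("ab"+"c" and "a"+"bc" hash the same), so an attacker could
// shift bytes between fields without changing the hash.
function canonical(array $hidden): string
{
    ksort($hidden);
    $parts = [];
    foreach ($hidden as $k => $v) {
        $parts[] = rawurlencode((string) $k) . '=' . rawurlencode((string) $v);
    }
    return implode('&', $parts);
}

function signHidden(array $hidden): string
{
    return hash_hmac('sha256', canonical($hidden), FORM_SECRET);
}

// Emit the hidden inputs in the H[key] layout plus the hash field.
function renderHidden(array $hidden): string
{
    $html = '';
    foreach ($hidden as $k => $v) {
        $html .= sprintf(
            "<input type=\"hidden\" name=\"H[%s]\" value=\"%s\">\n",
            htmlspecialchars((string) $k, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8')
        );
    }
    return $html . sprintf("<input type=\"hidden\" name=\"hash\" value=\"%s\">\n", signHidden($hidden));
}

// Verify on the way back; shape checks first so a missing or non-array H cannot cause a notice.
function verifyHidden(array $post): bool
{
    if (!isset($post['H'], $post['hash']) || !is_array($post['H']) || !is_string($post['hash'])) {
        return false;
    }
    return hash_equals(signHidden($post['H']), $post['hash']);
}

// Constructed round trip: the genuine submission verifies, a price change does not.
$hidden   = ['item_id' => '42', 'price' => '19.90'];
echo renderHidden($hidden);
$genuine  = ['H' => $hidden, 'hash' => signHidden($hidden)];
$tampered = ['H' => ['item_id' => '42', 'price' => '0.01'], 'hash' => signHidden($hidden)];
var_dump(verifyHidden($genuine));
var_dump(verifyHidden($tampered));
```

In real use verifyHidden() is called on $_POST. Note that this detects tampering only; the hidden values are still readable by the client, so anything confidential must be kept server-side in the session rather than signed into the form.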
PHP security testing tools (XSS and SQL injection)
Wapiti - web application security auditor (a compact site vulnerability scanner that checks for SQL injection and XSS)
Installation/usage:
apt-get install libtidy-0.99-0 python-ctypes python-utidylib
python wapiti.py http://Your Website URL/ -m GET_XSS
Pixy: a static analysis tool for PHP source code; its XSS detection is strong.
PHPIDS - PHP intrusion detection system
http://www.bkjia.com/PHPjc/324450.html