1. Don’t rely on the registered global variable function (register_globals)
The emergence of registered global variables once made PHP very easy to use, but it also reduced security (convenience often destroys security). It is recommended to turn off the register_globals directive when programming. This function will also be canceled in PHP6.
2. Initialize variables before using them.
If the register_globals function is enabled, even if the programmer does not use it, malicious users may exploit the vulnerability of initializing variables to invade our system. For example:
if(conditon){
$auth=TRUE;
}
If the variable $auth has not been initialized to FALSE before this paragraph , then the user can pass $_GET['auth'], $_POST['auth'] or $_COOKIE['auth'] to the script to easily achieve verification.
3. Verify and purify all input data.
4. Be careful when using variables to reference included files.
If there is code like this in the script:
require($page);
Then you should make sure that $page does not come from external resources (such as $_GET ), or, if it does come from an external source, make sure it contains the appropriate value.
5. Be careful when using any function that executes commands on the server.
These functions include eval(), exec(), system(), passthru(), popen(), and backtick(``). These functions can execute commands on the server and should never be used casually. If you have to include a variable in a command, you should perform a thorough security check on the variable. You should also use escapeshellarg() escapeshellcom() for additional preprocessing.
6. Change the default session directory, or use a database to save session data.
7. Do not save uploaded files on the server using the file name provided by the browser.
8. If the submitted data needs to be re-displayed in the web page, be sure to pay attention to the HTML, and more importantly, JAVASCRIPT
can be used Function
string htmlspecialchars (string string [, int quote_style [, string charset]])
process the submitted data
9. Do not expose your PHP error messages on the site
PHP error messages can output error messages during your development process to facilitate your inspection, but if exposed on the Web, you can easily become an attacker. entrance.
10. Prevent SQL injection attacks.
You should use language-specific database escape functions, such as mysqli_real_escape_data(), to ensure that the submitted content does not break the query operation.
11. Never save phpinfo() scripts on the server.