Home > Backend Development > PHP Tutorial > Security precautions for PHP programming

Security precautions for PHP programming

WBOY
Release: 2016-07-25 08:59:06
Original
1080 people have browsed it
  1. register_global = off
  2. magic_quotes_gpc = off
  3. display_error = off
  4. log_error = on
  5. # allow_url_fopen = off
  6. expose_php = off
  7. open_basedir =
  8. safe_mode = on
  9. disable_function = exec,system,passthru,shell_exec ,escapeshellarg,escapeshellcmd ,proc_close,proc_open,dl,popen,show_source,get_cfg_var
  10. safe_mode_include_dir =
Copy code

2, DB SQL preprocessing mysql_real_escape_string (Many PHPers still rely on addslashes to prevent SQL injection, but this method is still problematic for Chinese encoding. The problem with addslashes is that hackers can use 0xbf27 instead of single quotes. 0xbf27 is not a legal character in GBK encoding, so addslashes is just 0xbf5c27, becomes a valid multi-byte character, 0xbf5c will still be treated as a single quote). You also need to specify the correct character set when using the mysql_real_escape_string function, otherwise there may be problems.

prepare + execute(PDO) ZendFramework can use quote or quoteInto of the DB class. These two methods are implemented according to various databases, unlike mysql_real_escape_string which can only be used for mysql.

3. Processing of user input If you don’t need to keep html tags, you can use the following method strip_tags, delete all html tags in string htmlspecialchars, only escape the characters "", ";", "'" htmlentities, escape all html If HTML tags must be preserved, consider the following tools:

  1. HTML Purifier: HTML Purifier is a standards-compliant HTML filter library written in PHP.
  2. PHP HTML Sanitizer: Remove unsafe tags and attributes from HTML code
  3. htmLawed: PHP code to purify & filter HTML
Copy Code

4, upload file Use the is_uploaded_file and move_uploaded_file functions, using the HTTP_POST_FILES[] array. And prevent users from uploading php scripts by removing the PHP interpretation function of the upload directory. You can consider using the File_upload module under the ZF framework Secure handling of Session, Cookie and Form Do not rely on cookies for core authentication, important information needs to be encrypted, and the transmitted data must be hashed before Form Post. For example, the form element sent is as follows:

  1. Verify the parameters after returning from POST
  2. $str = "";
  3. foreach ($_POST['H'] as $key=>$value) {
  4. $str .= $key.$value;
  5. }
  6. if($_POST['hash'] != md5($str.$secret )) {
  7. echo "Hidden form data modified"; exit;
  8. }
Copy code

5, PHP security detection tool (XSS and SQL Insertion) Wapiti - Web application security auditor(Wapiti - Compact site vulnerability detection tool) (SQL injection/XSS attack detection tool)

6, installation/usage method:

  1. apt-get install libtidy-0.99-0 python-ctypes python-utidylib
  2. python wapiti.py http://Your Website URL/ -m GET_XSS
Copy code

Pixy: XSS and SQLI Scanner for PHP (Pixy - PHP source code defect analysis tool) Installation: apt-get install default-jdk

Let’s just introduce these. If you can fully implement the security measures introduced above, your PHP code will be very safe.



Related labels:
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template