2. DB SQL preprocessing
mysql_real_escape_string (many PHP developers still rely on addslashes to prevent SQL injection, but that approach is unreliable with Chinese encodings. An attacker can send the bytes 0xbf27 in place of a single quote: 0xbf27 is not a valid GBK character, so addslashes turns it into 0xbf5c27, and because 0xbf5c is a valid two-byte GBK character, the trailing 0x27 is still interpreted as a bare single quote). When using mysql_real_escape_string you must also specify the correct character set, otherwise the same problem can arise.
prepare + execute (PDO)
ZendFramework: use quote or quoteInto of the DB class. These two methods are implemented per database, unlike mysql_real_escape_string, which only works for MySQL.
3. Processing of user input
If you don't need to keep HTML tags, you can use the following methods:
strip_tags: removes all HTML tags from a string
htmlspecialchars: escapes only the HTML special characters (&, <, >, quotes)
htmlentities: escapes all characters that have an HTML entity equivalent
If HTML tags must be preserved, consider the following tools:
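The addslashes pitfall and the prepare + execute alternative from section 2, together with the output escaping of section 3, as an added example that is not code from the original article. It assumes PHP with pdo_sqlite and a constructed users table; the GBK byte behaviour is MySQL-specific and is shown only at the byte level.

```php
<?php
// Added example, not code from the original article. Runs offline against an
// in-memory SQLite database (pdo_sqlite); the GBK discussion is MySQL-specific
// and is illustrated only at the byte level.

// addslashes() on the bytes 0xBF 0x27: 0xBF27 is not a valid GBK character, so
// a backslash is inserted, giving 0xBF 0x5C 0x27. A GBK-aware MySQL parser reads
// 0xBF5C as one two-byte character, so the trailing 0x27 is still a bare quote.
function addslashesBytes(string $input): string
{
    return bin2hex(addslashes($input));   // "\xbf\x27" -> 'bf5c27'
}

// 'Before': escaping with addslashes() and concatenating into the SQL text.
// Backslash escaping is a MySQL convention; SQLite (and standard SQL) double
// the quote instead, so this also breaks on other engines.
function findUserUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '" . addslashes($name) . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Recommended: prepare + execute with a bound parameter. The value is never
// spliced into the SQL text, so neither its quotes nor its encoding matter.
function findUserSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Output side (section 3): escape &, <, >, " and ' before rendering into HTML.
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Demo with constructed data (users table and names are made up for this example).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('O''Brien')");
echo 'addslashes bytes: ', addslashesBytes("\xbf\x27"), "\n";             // bf5c27
echo 'prepared lookup:  ', count(findUserSafe($pdo, "O'Brien")), " row\n"; // 1 row
try {
    findUserUnsafe($pdo, "O'Brien");   // addslashes() output is not valid SQLite SQL
} catch (PDOException $e) {
    echo 'addslashes version failed on SQLite: ', $e->getMessage(), "\n";
}
echo escapeForHtml('<b onclick="x()">O\'Brien</b>'), "\n";
```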
4. Upload files
Use the is_uploaded_file and move_uploaded_file functions together with the HTTP_POST_FILES[] array, and prevent users from uploading PHP scripts by disabling PHP execution in the upload directory. You can also consider the File_upload module of the ZF framework.
Secure handling of Session, Cookie and Form
Do not rely on cookies for core authentication; important information must be encrypted, and transmitted data must be hashed before the form is posted. For example, the form element sent is as follows:
5. PHP security detection tools (XSS and SQL injection)
Wapiti - Web application security auditor (a compact site vulnerability detection tool for SQL injection/XSS)
6. Installation/usage method:
Pixy: XSS and SQLI Scanner for PHP (PHP source code defect analysis tool)
Installation: apt-get install default-jdk
Let's just introduce these. If you can fully implement the security measures introduced above, your PHP code will be very safe.