PHP applications are often hacked because:
There are too many PHP applications.
It is easy to learn and write.
Bad PHP is also easy to write.
It's that simple. PHP has been popular for many years, and the more popular PHP becomes, the more vulnerabilities are discovered. The vulnerabilities that attackers find are rarely in the PHP engine itself; they are usually weaknesses in the application's own scripts.
This means that when a PHP application is hacked, it is mostly the programmer's fault. Sorry, but it's true.
You can write secure PHP just like other web languages. It's time to start really exploring security issues.
The best protection against PHP hacks
Writing secure PHP code is not a secret black art hidden from PHP developers. But the information is so fragmented that you can spend weeks or months (or perhaps not quite that long) gathering a loose catalogue of good security practices and rules of thumb. Only real experience will tell you how important each one is.
Fortunately, Ben Edmunds has done it for you. He recently published Building Secure PHP Apps – a Practical Guide, which is one of the best security-related books I've ever read, and certainly the best one that covers PHP. In this article I'll explain why I think every PHP developer should read it.
This book is a concise guide that will take you to the next level as a developer, allowing you to create better, more secure scripts.
Introduction
This book quickly gets into the common-sense rules of web development: don't trust your users, and filter all input. It starts with a small scenario and then moves on to the technical ways users can get into the system. The topics in the first chapter are:
SQL injection
Mass assignment
Type conversion
Filtering input/output
These are areas that PHP newbies (and some veterans) easily overlook. Many consider filtering input an optional step, and it is discussed extensively in this chapter.
While reading, I was reminded of my first day at work many years ago, when I dug deep into the existing code and found the code for the new user creation script:
if ($_POST["isadmin"] == 1) {
    // code to set the user to admin in the database
}
I panicked when I saw this code, because a malicious user could trivially guess and submit a single extra form variable and gain access to approximately 5,000 credit card numbers and other personal information.
Digging deeper I found the following code:
$sql = "INSERT INTO database (id,name,...) VALUES (" . $_POST["Name"] . ");";
I very nearly walked out of that job on the first day because they were relying on this horrible code. Code like this is out there, and it's your responsibility to fix it and to avoid writing more of it.
This chapter discusses why code like this is a huge risk and how to fix it.
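As an added example (not code from the book or the original article), here are the two snippets from the story above combined into one insecure function, next to a hardened version that whitelists and validates fields, uses a prepared statement, and never lets the client decide its own privileges. It uses an in-memory SQLite database and a hypothetical `users` table so it runs stand-alone.

```php
<?php
// Added example, not from the book or the article. Hypothetical `users` table
// in an in-memory SQLite database so the script runs on its own.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, is_admin INTEGER)');

// Vulnerable: the client decides its own privilege (mass assignment) and
// raw input is concatenated into SQL (injection). Kept only for comparison.
function createUserInsecure(PDO $pdo, array $post): void
{
    $isAdmin = (($post['isadmin'] ?? 0) == 1) ? 1 : 0;
    $sql = "INSERT INTO users (name, email, is_admin) VALUES ('"
         . $post['Name'] . "', '" . $post['Email'] . "', " . $isAdmin . ")";
    $pdo->exec($sql);
}

// Hardened: accept only the fields we expect, validate them, bind them as
// parameters, and set the admin flag from server-side logic alone.
function createUserSecure(PDO $pdo, array $post): int
{
    $name  = trim((string)($post['Name'] ?? ''));
    $email = filter_var((string)($post['Email'] ?? ''), FILTER_VALIDATE_EMAIL);
    if ($name === '' || strlen($name) > 100 || $email === false) {
        throw new InvalidArgumentException('invalid name or email');
    }
    // is_admin is hard-coded to 0 here; $post['isadmin'] is never consulted.
    $stmt = $pdo->prepare(
        'INSERT INTO users (name, email, is_admin) VALUES (:name, :email, 0)'
    );
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->execute();
    return (int)$pdo->lastInsertId();
}

// Constructed request: an ordinary signup that also smuggles in isadmin=1.
$post = ['Name' => 'alice', 'Email' => 'alice@example.com', 'isadmin' => '1'];

createUserInsecure($pdo, $post);   // stores the user with is_admin = 1
createUserSecure($pdo, $post);     // stores the user with is_admin = 0

foreach ($pdo->query('SELECT id, name, is_admin FROM users ORDER BY id') as $row) {
    echo $row['id'], ' ', $row['name'], ' is_admin=', $row['is_admin'], PHP_EOL;
}
```

Promotion to admin belongs in a separate, authorised code path, not in the signup handler.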
HTTPS and Certificates
This is another area where Ben includes scripts, stories and a bit of humour while clearly explaining the often poorly understood concept of HTTPS. He explains it in a way that even your boss can understand.
The book describes very comprehensively how certificates work, the certificate types, and how to implement them, including how to deploy them on Apache or Nginx.
Passwords
This book carefully explains passwords, hashes, lookup tables, and salts, which is incredibly helpful for developers creating user login systems.
This is an area where practice is still sorely lacking, even in 2014. I still come across apps that store passwords in plain text or use silly methods like ROT13 "encryption" to protect them. For the sake of keeping people using your app, and of your good name, don't do this.
Passwords and other sensitive data should be very difficult to recover even if someone gains full access to the database. The book is very comprehensive here and will give you good guidance on designing better systems.
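To make the hashes-and-salts point concrete, here is an added example (not the book's or the article's code) using PHP's built-in password_hash() and password_verify(): each hash carries its own random salt, so two users with the same password get different hashes and a precomputed lookup table over a stolen database is useless.

```php
<?php
// Added example, not from the book or the article.
// password_hash() with bcrypt embeds algorithm, cost and a random salt in the
// returned string, so the database row alone is enough to verify later but
// not enough to look the password up in a precomputed table.

function storePassword(string $plaintext): string
{
    // Cost 12 is a reasonable default in 2014-era hardware terms; raise it as
    // machines get faster. Each call generates a fresh random salt.
    return password_hash($plaintext, PASSWORD_BCRYPT, ['cost' => 12]);
}

function checkPassword(string $plaintext, string $storedHash): bool
{
    // Reads the salt and cost back out of $storedHash and compares in
    // constant time, so no separate salt column is needed.
    return password_verify($plaintext, $storedHash);
}

// On successful login, re-hash if the stored hash was made with weaker
// parameters than we now require, so old rows get upgraded over time.
function upgradedHashIfNeeded(string $plaintext, string $storedHash): ?string
{
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => 12])) {
        return storePassword($plaintext);
    }
    return null;
}

// Constructed demo values.
$password = 'correct horse battery staple';
$h1 = storePassword($password);
$h2 = storePassword($password);

// Same password, two different salts, two different hashes: a lookup table
// built for one user's hash says nothing about another user's.
assert($h1 !== $h2);
assert(checkPassword($password, $h1));
assert(checkPassword($password, $h2));
assert(!checkPassword('wrong password', $h1));
assert(upgradedHashIfNeeded($password, $h1) === null);

echo "stored: ", $h1, PHP_EOL;
```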
Authentication and Access Control
This book covers a very comprehensive range of topics. When you build a new PHP application, some of the top considerations are:
Who has access to which resources?
Who can control other users’ access?
This is an important consideration for any application, especially one that handles sensitive data, and a considerable part of enterprise development is dedicated to it. If you don't set up authentication and access control correctly, the most likely result is that you confuse users and create more work. Worse outcomes are server data breaches and/or data corruption.
This book does a good job of covering the basics, and then it dives into things like controlling access to files or individual pages of an application, with lots of code examples for reference.
Specific Exploits
This book covers some common exploits to compromise a system, exploring cross-site scripting in great detail, which is arguably the most common way attackers exploit applications. It explains the different kinds of attacks and how to protect yourself.
Not bad, right? You can purchase the book at a discount through this link!
What I loved most about this book
What I really enjoyed while reading this book is how the information is presented in a way that is useful for both beginners and experienced programmers. There is a range of concepts presented, what they are and how to protect yourself. There are plenty of code examples, not the "padding" that some technical books have.
You can read through this book quickly because there is not much content. Novices can read through this book, examine each topic, start looking at their code, and make corrections. Remember that in this matter, you need to keep revising. If you look back and you're ashamed of the code you wrote six months ago, you're doing the right thing.
More advanced, experienced programmers can use this guide to fill in their weaknesses (admit it, no matter how long you've been in this industry, you have weaknesses) and better understand the systems they use in their work. For example, I've used authentication like crazy for years, but never thought about it at the level that this book covers.
No matter who you are, you will learn something. So stop reading this article and go buy a copy! Use this link to purchase and get a discount!