Do you know the four major security strategies of PHP?

This article mainly introduces file system security, database security, user data security and other security-related issues in PHP. Friends in need can refer to the following

1. File system security
If php has root permissions and allows users to delete files in the script, then the user will very likely delete the system files if the user submits data without filtering

<?php
// 从用户目录中删除指定的文件
$username = $_POST[&#39;user_submitted_name&#39;];
$userfile = $_POST[&#39;user_submitted_filename&#39;];
$homedir = "/home/$username";
unlink ("$homedir/$userfile");
echo "The file has been deleted!";
?>

In the above code, assuming that the $userfile value submitted by the user is ../etc/, then the /etc directory will be deleted
To prevent file system attacks, the strategy is as follows

Only Give php limited permissions
Variables submitted by users must be monitored and filtered, and cannot contain special characters such as file paths
Try to avoid using PHP to operate files (deletion). If there is a need for this, the user can delete the file It must also be a random name generated by the system and cannot be controlled by the user
2. Database security
Database security mainly prevents SQL injection, that is, SQL injection attacks. The strategies to improve database security are as follows:

No need to use the root account or database owner accountConnect to the database, connect to the database to limit the IP of the connecting user
Use the pdo extension of php to effectively prevent sql injection, in addition to security advantages , php's pdo extension has great advantages in performance
Please refer to http://php.net/manual/en/pdo.prepared-statements.php
Encrypt some sensitive information, common ones such as Encrypt passwords
3. User data filtering
Filtering user data can prevent XSS and CSRF attacks

Use a whitelist (user input is a fixed pattern)
For example, the user name can only use numbers and letters, then you can use the function ctype_alnum to determine
Use the function htmlentities or htmlspecialchars to process the user input, and the input url is not allowed to be passed in Non-http protocol
User authentication uses token token(csrf)
http://htmlpurifier.org/ HTML Purifier is an open source effective solution to prevent XSS attacks.
4. Other security Strategy
Turn off error reporting in the online environment (error_reporting,dislay_erros, you can configure the error_log path in php.ini to record error information, which will help detect possible user attacks)
Register Globals, deprecated (removed) features, do not use
Magic quotes feature, do not enable it, it has been removed in PHP-5.4
Try to use the latest version of PHP, the latest version fixes known Many security vulnerabilities and bugs
Strictly adhere to the above strategies in the code, which can basically ensure that the code will not have too many security vulnerabilities and can prevent common attacks.

The above is the detailed content of Do you know the four major security strategies of PHP?. For more information, please follow other related articles on the PHP Chinese website!