
Some advice on secure programming in PHP

Aug 20, 2019 am 10:27 AM
Programming security

Introduction

Anyone who provides an Internet service has to keep security in mind whenever they write code. A large share of PHP scripts pay no attention to security at all, largely because so many inexperienced programmers use the language. That is no excuse for an inconsistent security policy born of uncertainty about your own code. Put anything involving money on a server and somebody will try to break into it; write a forum or any kind of shopping cart and the likelihood of being attacked rises sharply.


Background

To ensure the security of your web content, here are some general security guidelines:

1. Don't trust forms

Attacking a form is simple. With a small piece of JavaScript you can restrict the rating field of a form to the numbers 1 to 5. But if someone disables JavaScript in their browser, or bypasses the browser entirely and submits custom form data with a script or a proxy, that client-side validation is gone.

Users interact with your script mainly through form parameters, so those parameters are your biggest exposure. The lesson: in every PHP script, validate the data that reaches it on the server side, whatever the browser did. Server-side validation is also the foundation for defending against cross-site scripting (XSS) attacks, which can hijack user sessions (or worse), and against SQL injection attacks that can corrupt or destroy your data.

2. Don't trust users

Assume that every piece of data your site receives carries hostile content. Validate every part of it, even if you believe nobody would bother to attack your site. Reject input that fails validation rather than trying to repair it, and escape data for the context it is used in (HTML, SQL) at the point where it is used.
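As an added example (not code from the original article), here is what server-side validation of the form from section 1 looks like in PHP 8: the rating field is checked on the server regardless of what the JavaScript did, the username is matched against an allow-list, output is escaped to block XSS, and the database insert uses a prepared statement so the value can never become part of the SQL text. The validate_rating(), validate_username(), h() and store_rating() functions and the sample submissions are constructed for this illustration; the in-memory SQLite database assumes the pdo_sqlite extension is loaded.

```php
<?php
// Added example, not from the original article: server-side validation of the
// "rating" and "username" fields that client-side JavaScript cannot guarantee,
// followed by context-correct output escaping (XSS) and a prepared statement (SQLi).
declare(strict_types=1);

// Returns the rating as an int in 1..5, or null for anything else.
// FILTER_VALIDATE_INT rejects "3abc", "3.0", "1 OR 1=1" and empty strings.
function validate_rating(mixed $raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;                      // arrays smuggled in as rating[]=... are not numbers
    }
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 5],
    ]);
    return $value === false ? null : $value;
}

// Username: 3..64 characters from an allow-list. Stating what is allowed is
// more robust than trying to enumerate what is dangerous.
function validate_username(mixed $raw): ?string
{
    if (!is_string($raw) || preg_match('/\A[A-Za-z0-9_.-]{3,64}\z/', $raw) !== 1) {
        return null;
    }
    return $raw;
}

// Escape for an HTML text node or attribute value. Do this at output time,
// not at input time, so the stored value stays intact for other contexts.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Insert with a prepared statement; the values travel separately from the SQL.
function store_rating(PDO $db, string $username, int $rating): void
{
    $stmt = $db->prepare('INSERT INTO ratings (username, rating) VALUES (:u, :r)');
    $stmt->execute([':u' => $username, ':r' => $rating]);
}

// Constructed sample submissions standing in for $_POST. The third and fourth
// are the kind of payload a client that ignores your JavaScript will send.
$samples = [
    ['username' => 'alice',              'rating' => '4'],
    ['username' => 'bob',                'rating' => '7'],           // out of range
    ['username' => '<script>x</script>', 'rating' => '1 OR 1=1'],   // XSS + SQLi attempt
    ['username' => ['a', 'b'],           'rating' => ['5']],         // arrays via name[]=
];

$db = new PDO('sqlite::memory:');   // assumes the pdo_sqlite extension is available
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ratings (username TEXT NOT NULL, rating INTEGER NOT NULL)');

foreach ($samples as $post) {
    $username = validate_username($post['username'] ?? null);
    $rating   = validate_rating($post['rating'] ?? null);
    if ($username === null || $rating === null) {
        // Reject rather than "clean up"; the echo is still escaped because it
        // reflects user-controlled data back into the page.
        echo 'rejected: ' . h(json_encode($post)) . PHP_EOL;
        continue;
    }
    store_rating($db, $username, $rating);
    echo 'stored: ' . h($username) . ' rated ' . $rating . PHP_EOL;
}

echo 'rows: ' . $db->query('SELECT COUNT(*) FROM ratings')->fetchColumn() . PHP_EOL; // rows: 1
```

Only the first submission is stored; the other three are rejected before any of them touches HTML or SQL. Note that validation happens on the raw array value, so a client that sends rating[]=5 instead of rating=5 is caught too.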

3. Turn off global variables

The biggest security hole you can have is the register_globals configuration directive. Fortunately, PHP 4.2 and later disable it by default; PHP 5.3 deprecated it and PHP 5.4 removed it entirely. If you are still running a PHP 5.3 or earlier server with register_globals turned on, disable it by setting the directive to Off in php.ini:

register_globals = Off

Confirm the effective value with phpinfo() or php -i afterwards, because the php.ini actually loaded may not be the file you edited, and a per-directory .htaccess or php_admin_value setting can override it.

Novice programmers find registered global variables convenient without realising how dangerous the setting is. A server with register_globals enabled automatically turns every request parameter (GET, POST, cookie) into a global variable of the same name. To see how it works and why it is dangerous, look at an example.

Suppose you have a script called process.php that inserts form data into your database. The initial form looks like this:

<form action="process.php" method="post">
<input name="username" type="text" size="15" maxlength="64">
<input type="submit" value="Save">
</form>

When process.php runs with register_globals enabled, PHP assigns the parameter to a $username variable. That saves a few keystrokes compared with $_POST['username'] or $_GET['username'], but it also creates a security problem: PHP sets a variable to whatever value was sent to the script as a GET or POST parameter. If you have not explicitly initialised a variable that you never intended anyone to control, that is a big problem.

Look at the script below. If the $authorized variable is true, it displays protected data to the user. Normally $authorized is set to true only when the user passes the (hypothetical) authenticated_user() check. But with register_globals enabled, anyone can send a GET parameter such as authorized=1 to set it themselves:

<?php
// Define $authorized = true only if user is authenticated
if (authenticated_user()) {
    $authorized = true;
}

// $authorized was never initialised to false, so with register_globals on a
// request carrying ?authorized=1 reaches this branch without authenticating
if ($authorized) {
    show_verified_data();   // hypothetical function that outputs the protected data
}
?>
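The following is an added example, not code from the original article. register_globals itself is gone since PHP 5.4, but calling extract() on a request array recreates exactly the same behaviour, so the script uses extract() to reproduce the hole the text describes and then shows the fix. authenticated_user() is the article's hypothetical check, stubbed here to always fail as it would for an anonymous visitor; is_authorized_vulnerable(), is_authorized_fixed() and the sample request are constructed for this illustration.

```php
<?php
// Added example, not from the original article. extract() on user-supplied data
// has the same effect as register_globals = On, which makes the bypass easy to
// demonstrate on a current PHP version.
declare(strict_types=1);

// The article's hypothetical authentication check; always false here.
function authenticated_user(): bool
{
    return false;
}

// The article's pattern as it behaves with register_globals = On: every request
// parameter becomes a local variable before the script's own logic runs.
function is_authorized_vulnerable(array $request): bool
{
    extract($request);                 // equivalent of register_globals for this scope
    if (authenticated_user()) {
        $authorized = true;
    }
    // The original simply writes if ($authorized); isset() only silences the
    // "undefined variable" warning when no parameter was sent.
    return isset($authorized) && (bool) $authorized;
}

// Fixed: initialise the flag before anything else, and never let request data
// turn into local variables; read the array by key instead.
function is_authorized_fixed(array $request): bool
{
    $authorized = false;                       // (1) explicit initial state
    $username = $request['username'] ?? '';    // (2) input stays inside the array
    if ($username !== '' && authenticated_user()) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed request: what "?authorized=1&username=mallory" delivers to the script.
$attack = ['authorized' => '1', 'username' => 'mallory'];

var_dump(is_authorized_vulnerable($attack));   // bool(true): attacker is "authorized"
var_dump(is_authorized_fixed($attack));        // bool(false)
var_dump(is_authorized_vulnerable([]));        // bool(false): only the crafted parameter opens the hole
```

The same hole reappears on modern PHP wherever request data is turned into variables: extract($_GET), extract($_REQUEST), or the one-argument form of parse_str() (deprecated in 7.2, removed in 8.0). Initialising every security-relevant variable and reading input only by array key closes it regardless of the interpreter version.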

The moral of this story is that you should take form data from the predefined server variables. All data passed to your web page through a POST form is automatically stored in a large array called $_POST, and all GET data is stored in the $_GET array. File upload information is stored in a special array called $_FILES. There is also a composite variable called $_REQUEST.

To access the username field from a POST-method form, use $_POST['username']. If username arrives in the URL, use $_GET['username']. If you are not sure where the value comes from, $_REQUEST['username'] will find it, but be aware that this lets the sender choose the channel: a handler written for POST data can then be driven by a crafted link or by a cookie, so prefer the specific array whenever you know which one you expect.

<?php
$post_value = $_POST['post_value'];
$get_value = $_GET['get_value'];
$some_variable = $_REQUEST['some_value'];
?>

$_REQUEST is the combination of the $_GET, $_POST and $_COOKIE arrays. If two or more values arrive under the same parameter name, be aware of which one PHP keeps. The order is controlled by the request_order directive (falling back to variables_order when request_order is empty), and later sources overwrite earlier ones. With PHP's built-in default of EGPCS a cookie beats a POST value, which beats a GET value, so the precedence is cookie, then POST, then GET. The php.ini-production file shipped since PHP 5.3 instead sets request_order = "GP", which leaves cookies out of $_REQUEST entirely and lets POST override GET. Check your own configuration rather than assuming either.
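As an added example (not from the original article), the script below works out from the interpreter's own request_order and variables_order settings which source wins in $_REQUEST when the same parameter name arrives as a cookie, a POST field and a GET parameter. Because $_REQUEST is filled once at request start-up, the clash is simulated with a constructed value set; request_sources() and request_winner() are illustration functions written for this example.

```php
<?php
// Added example, not from the original article: resolve $_REQUEST precedence
// from the running interpreter's configuration.
declare(strict_types=1);

// PHP fills $_REQUEST in the order given by request_order, or by variables_order
// when request_order is empty; each later source overwrites earlier ones.
// Letters: G = $_GET, P = $_POST, C = $_COOKIE (E and S do not feed $_REQUEST).
function request_sources(string $request_order, string $variables_order): array
{
    $order = $request_order !== '' ? $request_order : $variables_order;
    $names = ['G' => '$_GET', 'P' => '$_POST', 'C' => '$_COOKIE'];
    $sources = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($names[$letter])) {
            $sources[] = $names[$letter];
        }
    }
    return $sources;   // in fill order; the last entry wins on a name clash
}

// Simulate the fill for one parameter name so the winner is visible.
function request_winner(array $sources, array $values): ?string
{
    $request = [];
    foreach ($sources as $src) {
        if (array_key_exists($src, $values)) {
            $request['name'] = $values[$src];   // later source overwrites earlier
        }
    }
    return $request['name'] ?? null;
}

// Constructed clash: the same parameter name from all three channels.
$values = ['$_GET' => 'from-get', '$_POST' => 'from-post', '$_COOKIE' => 'from-cookie'];

// Built-in default when request_order is empty: EGPCS, so the cookie wins.
$legacy = request_sources('', 'EGPCS');
echo implode(' < ', $legacy) . ' => ' . request_winner($legacy, $values) . PHP_EOL;
// $_GET < $_POST < $_COOKIE => from-cookie

// php.ini-production default since 5.3: "GP", cookies excluded, POST wins.
$modern = request_sources('GP', 'GPCS');
echo implode(' < ', $modern) . ' => ' . request_winner($modern, $values) . PHP_EOL;
// $_GET < $_POST => from-post

// And what this interpreter actually does with its loaded php.ini.
$live = request_sources((string) ini_get('request_order'), (string) ini_get('variables_order'));
echo 'this php.ini: ' . implode(' < ', $live) . ' => ' . request_winner($live, $values) . PHP_EOL;
```

Run it once on each server you deploy to; if the last line does not match what your code assumes, either set request_order explicitly or stop reading security-relevant parameters through $_REQUEST.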

That concludes this set of secure programming suggestions. For more on related questions, visit the PHP Chinese website: https://www.php.cn/
