Summary of security issues in PHP development_PHP tutorial
WBOY
Release: 2016-07-13 09:47:14
Original
1404 people have browsed it
Related summary of security issues in PHP development
php gives developers great flexibility, but it also brings potential hidden dangers to security issues. In the near future, we need to summarize past problems. Here I will translate an article and add my own development. Let’s summarize some of my feelings.
Introduction
When developing an Internet service, the concept of security must always be kept in mind and reflected in the code developed. The PHP scripting language is not concerned about security issues, especially for most inexperienced developers. Whenever you talk about any transaction involving money matters, you need to pay special attention to security considerations, such as developing a forum or a shopping cart.
General points for security protection
Don’t trust the form
For general Javascript front-end verification, since it is impossible to know the user's behavior, such as turning off the browser's JavaScript engine, malicious data is POSTed to the server. Verification needs to be performed on the server side to verify the data passed to each php script to prevent XSS attacks and SQL injection
Don’t trust users
Assume that every piece of data received by your website contains malicious code and hidden threats, and clean every piece of data
Close global variables
Configure the following in the php.ini file:
register_globals = Off
If this configuration option is turned on, there will be great security risks. For example, there is a process.php script file that will insert the received data into the database. The form for receiving user input data may be as follows:
In this way, after submitting data to process.php, php will register a $username variable and submit this variable data to process.php. At the same time, such a variable will be set for any POST or GET request parameters. If initialization is not displayed, the following problem will occur:
<ol class="dp-j"><li class="alt"><span><span><?php </span></span></li><li><span><span class="comment">// Define $authorized = true only if user is authenticated</span><span> </span></span></li><li class="alt"><span><span class="keyword">if</span><span> (authenticated_user()) { </span></span></li><li><span> $authorized = <span class="keyword">true</span><span>; </span></span></li><li class="alt"><span>} </span></li><li><span>?> </span></li></ol>
Copy after login
Here, it is assumed that the authenticated_user function is to determine the value of the $authorized variable. If the register_globals configuration is turned on, then any user can send a request to set the value of the $authorized variable to any value to bypass this verification.
All these submission data should be obtained through PHP's predefined built-in global arrays, including $_POST, $_GET, $_FILES, $_SERVER, $_REQUEST, etc., where $_REQUEST is a $_GET/$_POST /$ _COOKIE is a joint variable of three arrays. The default order is $_COOKIE, $_POST, $_GET.
Recommended security configuration options
Set error_reporting to Off: Do not expose error information to users. You can set it to ON during development
safe_mode is set to Off
register_globals is set to Off
Disable the following functions: system, exec, passthru, shell_exec, proc_open, popen
Open_basedir is set to /tmp, which allows session information to have storage permissions and sets a separate website root directory
expose_php is set to Off
allow_url_fopen is set to Off
allow_url_include is set to Off
SQL injection attack
For SQL statements that operate the database, special attention needs to be paid to security, because users may enter specific statements that cause the original SQL statements to change their functions. Similar to the following example:
$sql = "select * from pinfo where product = '$product'";
At this time, if the $product parameter entered by the user is:
39'; DROP pinfo; SELECT 'FOO
Then the final SQL statement becomes as follows:
select product from pinfo where product = '39'; DROP pinfo; SELECT 'FOO'
This will become three SQL statements, which will cause the pinfo table to be deleted, which will cause serious consequences.
This problem can be easily solved using PHP’s built-in functions:
To prevent SQL injection attacks, two things need to be done:
Always perform type verification on input parameters
Always use the mysql_real_escape_string function to escape special characters such as single quotes, double quotes, back quotes, etc.
However, based on development experience, do not enable php's Magic Quotes. This feature has been abolished in php6. Always escape it yourself when needed.
Prevent basic XSS attacks
XSS attacks are unlike other attacks. This attack is carried out on the client side. The most basic XSS tool is to prevent a JavaScript script from stealing the data and cookies submitted by the user on the form page to be submitted.
XSS tools are more difficult to protect than SQL injections. All major company websites have been attacked by XSS. Although this attack has nothing to do with the PHP language, PHP can be used to filter user data to protect user data. The main ones used here are It filters the user's data, generally filtering out HTML tags, especially the a tag. Here is a common filtering method:
http://www.bkjia.com/PHPjc/1027372.htmlwww.bkjia.comtruehttp: //www.bkjia.com/PHPjc/1027372.htmlTechArticleRelated summary of security issues in PHP development PHP gives developers great flexibility, but it also creates security issues The problem has brought potential hidden dangers. In the near future, we need to summarize past problems. Here...
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
