Home >Backend Development >PHP Tutorial >Several practical points for creating a high-security PHP website_PHP Tutorial

Several practical points for creating a high-security PHP website_PHP Tutorial

WBOY
WBOYOriginal
2016-07-13 10:37:43715browse

Everyone knows that PHP is currently the most popular web application programming language. But like other scripting languages, PHP also has several dangerous security holes. So in this tutorial, we'll take a look at a few practical tips to help you avoid some common PHP security issues.

Tip 1: Use proper error reporting

Generally during the development process, many programmers always forget to make program error reports. This is a huge mistake, because proper error reports are not only the best debugging tools, but also excellent security vulnerability detection tools. This can Let you find out as much as possible the problems you will encounter before putting the application online.

Of course there are many ways to enable error reporting. For example, in the php.in configuration file you can set it to be enabled at runtime

Start error reporting


  1. error_reporting(E_ALL);

Disable error reporting


  1. error_reporting(0);

Tip 2: Don’t use PHP’s Weak attribute There are several PHP attributes that need to be set to OFF. Generally, they exist in PHP4, but their use is not recommended in PHP5. Especially in PHP6, these attributes were removed.

Register global variables

When register_globals is set to ON, it is equivalent to setting Environment, GET, POST, COOKIE or Server variables are defined as global variables. At this time, you don't need to write $_POST['username'] to get the form variable 'username'. You only need '$username' to get this variable.

So you must be thinking that since setting register_globals to ON has such convenient benefits, why not use it? Because if you do this it will bring about a lot of security issues, and it may also conflict with local variable names.

For example, take a look at the following code:


  1. if( !empty( $_POST['username'] ) && $_POST['username'] == 'test123′ && !empty( $_POST['password'] ) && $_POST['password'] == "pass123 ″ )
  2. {
  3. $access = true;
  4. }

If register_globals is set to ON during runtime, then the user only needs to pass access=1 in a query string to get whatever the PHP script is running.

Disable global variables in .htaccess


  1. php_flag register_globals 0

Disable global variables in php.ini


  1. register_globals = Off

Disable Magic Quotes like magic_quotes_gpc, magic_quotes_runtime, magic_quotes_sybase

Set

in .htaccess file

  1. php_flag magic_quotes_gpc 0
  2. php_flag magic_quotes_runtime 0

Set

in php.ini

  1. magic_quotes_gpc = Off
  2. magic_quotes_runtime = Off
  3. magic_quotes_sybase = Off

Tip 3: Validate user input Of course you can also validate user input. First, you must know the data type you expect the user to input. In this way, you can be prepared on the browser side to prevent users from maliciously attacking you.

Tip 4: Avoid cross-site scripting attacks by users In web applications, it is simple to accept user input in the form and then feedback the results. When accepting user input, it would be very dangerous to allow HTML format input, because this would also allow JavaScript to intrude in unpredictable ways and execute directly. Even if there is only one such vulnerability, cookie data may be stolen and the user's account may be stolen.

Tip 5: Prevent SQL injection attacks PHP basically does not provide any tools to protect your database, so when you connect to the database, you can use the mysqli_real_escape_string function below.


  1. $username = mysqli_real_escape_string( $GET['username'] );
  2. mysql_query( “SELECT * FROM tbl_employee WHERE username = ’”.$username.“‘”);

Well, in this short article, we have elaborated on several PHP security issues that cannot be ignored during the development process. But it is ultimately up to the developer to decide whether to use it and how to use it. Hope this article can help you.

Article from: phpzag.com

www.bkjia.comtruehttp: //www.bkjia.com/PHPjc/735148.htmlTechArticleEveryone knows that PHP is currently the most popular web application programming language. But like other scripting languages, PHP also has several dangerous security holes. So in this instructional article...
Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn