Security Summary of PHP Project Code_PHP Tutorial

When developing projects with PHP, we spend a lot of time in modular development. At this time, there may be a lot of security hidden. The following is a security summary of some PHP project codes that I have summarized. Students who need to know more can refer to it.

1: Basic type,
include $module.'.php'; If $module is obtained directly using GET, then this is a very devastating bug. It will make you miserable under Linux and make you bankrupt under Windows. This kind of security is usually directly ignored. Discover and effectively prevent. If you haven’t even done this, can you be called a qualified programmer?

2: Quality safety.
Many people will say that external variables should be addedlashes once. We don’t care whether the addslashes function is efficient and safe. Many people actually forget that before using addslashes, you must also pay attention to safety. index.php?aa[]=222&, this is the url, addslashes ($aa); The system will report an error. It can be seen that when we use the function, we should know what will happen if the data type is different. An article has said before that the function is registered to pass parameters >0 numeric type, What should I do if the user passes in letters? Many people think it’s a function error. In my opinion, it’s a user error. Although it’s a custom function, you passed the parameters without knowing the reason. This attitude has changed. Very unsafe.

3: Pressure safe.
Nowadays, if you occasionally watch the news on 163, you will find that the browser will suddenly crash, freeze, or even be "closed". This reason may be a problem with the web page program code, or it may be a problem with the front-end js, especially js, because The characteristics of js are relatively flexible. In terms of using loops and assignments, it is not easy to check for errors. The most prominent point is the value acquisition and error handling. For example, getelementbyid('mydiv'); At this time, have you ever thought about whether mydiv exists? Has it been modified twice? Another point is the picture. Many people use onerror to display the default picture again when the picture cannot be loaded. Have you ever thought about what if the default picture cannot be displayed? Enter Infinite loop?

4: PHP performance safety.
No one can say that they have never encountered an infinite loop that caused Apache to crash. No matter how good people are, they all have the same experience. What kind of pressure does the loop create? What performance is affected? See a piece of code:
foreach($array AS $val){
$payarr = include('pay.inc.php');
If($payarr[0] >= 360 * 1.25 + 568){
$err[] = $payarr[0];
}
}
This code can run normally. Regardless of whether your include is successful or not, there is no need to judge whether it is meaningful. Anyway, it can run successfully. Of course, it is meaningless. To truly realize the functional requirements, this code needs to add several lines. , it’s all about judgment. Before introducing a file, should we first use is_file to confirm whether the file exists? Since we are in a loop, should we use include_once? The condition value is a numerical operation, is it better to write a direct value? Before judging, should we use include_once? First determine whether the $payarr array value exists?

5: When writing a program or writing a judgment.
The performance safety mentioned above lacks many judgments. Does PHP have documentation to show whether unnecessary judgments affect performance? See the code.
If(is_resource($a) === false || is_array($a) === false || is_bool($a) === false)
echo $a;
What if we judge like this every time we use a variable? Is it safer? The code is correct, echo only prints string types, and the previous judgment is also in line with logical thinking. This may be more like strict security, but if PHP can omit it With this little performance pressure, writing like this is not necessarily a bad thing. At least it meets the requirements and increases security. Of course, we will also wonder, if I write like this, am I writing a program or writing a judgment?

6: Blocking errors.
When many people were learning PHP, the teacher said something about security that deeply stuck in his mind, which is to block error messages. Personally, I think there should be prerequisites for blocking errors. That is, the display can be blocked, but the records cannot be blocked. . One day, a web page was blank, and I asked the programmer to check for errors. He told me that the errors were blocked. Do you think this is reasonable? I asked you to block the errors, but I didn’t ask you to block yourself, even yourself. I don’t even know where the error is, but ordinary users can know it? So, when you use php.ini shielding or the @ symbol, remember that you have to know where the error occurs.

7: Interface security.
I believe everyone has interface security, whether you have it or not, I have it anyway. The usual method is to request the URL, and then PHP prints the value to the client, so that the client can do judgment processing or display processing. Fact In this way, ordinary PHP staff can easily get the URL through firebug, and then know what parameters you get and what value is returned. This is a potential danger, such as product reviews and product prices. For this reason , I suggest that the interface be built with a layer of token, first get the token and then pass the parameters. The work done by the token is very meaningful. It can calculate whether the user is normal, IP, and request time. In the next step, when requesting the interface, it can be judged. The token value is encrypted , users cannot use or retain it. You may ask, token is just a string of characters, and it can always retain the request interface. Oh my God. Please use the request time.

8: Show security.
In fact, I don’t fully understand the issue of display security. For example, I need to record the user’s signature and support html code. After submission, before entering mysql, is the data addslashes or htmlspecialchars? If it is addslashes, then the front-end display When it is used, it may be injected by XSS. If htmlspecialchars is used, how to display the HTML code when it is displayed in the foreground? At the same time, can XSS be prevented? There are so many variables in a website, do you think about this problem one by one? How to prevent attacks?

9: Damn safe.
Regardless of whether you believe it or not, I believe sohpex is a pain in the ass. The code encrypted by zend seems to be unusable after version php5.3. Your security is too unreliable. It turns out that it is public relations security, but it is handed over to programmers. Realization. The business model does not work like this

http://www.bkjia.com/PHPjc/629660.htmlwww.bkjia.comtruehttp: //www.bkjia.com/PHPjc/629660.htmlTechArticleWhen developing projects with PHP, we spend a lot of time in modular development. At this time, there may be many security hidden things. , the following is a safety summary of some PHP project codes that I summarized, if necessary...