How to write secure PHP code (1)
PHP is an easy language to learn, and many people without any programming background learn it as a way to add some interactive elements to their websites. Unfortunately, this often means that PHP developers, especially newer web developers, are unaware of the potential security risks in their websites. Here are some of the more common security issues and how to avoid them.
Never, ever trust your users
It can't be said often enough: you should never, ever trust your users to send you the data you expect. I hear a lot of people respond along the lines of "oh, no one with malicious intent is going to be interested in my site." That's wrong: there are always malicious users who can exploit a security hole, and problems can just as easily surface because a user inadvertently did something wrong.
Therefore, the cardinal rule for the development of all web pages, which I cannot stress enough, is: never, ever trust your users. Assume that every piece of data your website collects from users contains malicious code. Always. That includes data you think you have already checked with client-side validation, for example in JavaScript. If you can achieve this, you are off to a good start. If PHP security is important to you, this is the most important point to learn. Personally, I consider "PHP security" a major issue.
Global variables
In many languages, you must explicitly set a variable to use it. In PHP, there is an option "register_globals" that you can set in php.ini, which allows you to use global variables without declaring them in advance.
Consider the following code:
    if ($password == "my_password") {
        $authorized = 1;
    }
    if ($authorized == 1) {
        echo "Lots of important stuff.";
    }
Many people may think that this is fine, and in fact code like this is in use all over the web. However, if a server has "register_globals" turned on, then simply adding "?authorized=1" to the URL makes the protected content visible to anyone. This is one of the most common PHP security issues.
Fortunately, there are two simple solutions to this. The first, and perhaps the best, is to turn "register_globals" off. The second is to make sure that you only use variables you have explicitly set yourself. In the example above, this would mean adding "$authorized = 0;" at the beginning of the script:
    $authorized = 0;
    if ($password == "my_password") {
        $authorized = 1;
    }
    if ($authorized == 1) {
        echo "Lots of important stuff.";
    }
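The flaw described above, as an added example that is not part of the original article: register_globals was removed in PHP 5.4.0, so extract() stands in for it here to reproduce the same behaviour next to a hardened check. The function names, the sample request and the stored hash are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed request: what PHP would see for /page.php?authorized=1
// when no password was submitted at all.
$request = ['authorized' => '1'];

// Hypothetical stored credential for the demo (constructed value).
$storedHash = password_hash('my_password', PASSWORD_DEFAULT);

// Vulnerable: mimics register_globals by importing every request
// parameter into local scope before the check runs.
function isAuthorizedWithGlobals(array $request, string $storedHash): bool
{
    extract($request); // what register_globals did implicitly
    if (isset($password) && is_string($password)
        && password_verify($password, $storedHash)) {
        $authorized = 1;
    }
    // $authorized is never initialised here, so a request parameter
    // of the same name decides the outcome when the check is skipped.
    return isset($authorized) && $authorized == 1;
}

// Hardened: initialise the flag first, then read only the one named
// field from the submitted data and verify it against the hash.
function isAuthorized(array $post, string $storedHash): bool
{
    $authorized = false;
    $password = $post['password'] ?? null;
    if (is_string($password) && password_verify($password, $storedHash)) {
        $authorized = true;
    }
    return $authorized;
}

// Same constructed request against both versions, then a real login.
var_dump(isAuthorizedWithGlobals($request, $storedHash));
var_dump(isAuthorized($request, $storedHash));
var_dump(isAuthorized(['password' => 'my_password'], $storedHash));
```

On current PHP versions the same flaw reappears wherever request arrays are passed to extract() or a similar bulk import, so the hardened pattern still applies.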
Error messages
Error messages are a very useful tool, both for programmers and hackers. Developers need them to correct errors. Hackers can use them to find out all kinds of information about a website, from the directory structure of the server to database login information. If possible, it's best to turn off all error reporting. PHP can do this: in .htaccess or php.ini, set the "error_reporting" value to "0". If you have a development environment, you can set a different error reporting level there.