Security precautions for PHP programming

register_global = off
magic_quotes_gpc = off
display_error = off
log_error = on
# allow_url_fopen = off
expose_php = off
open_basedir =
safe_mode = on
disable_function = exec,system,passthru,shell_exec ,escapeshellarg,escapeshellcmd ,proc_close,proc_open,dl,popen,show_source,get_cfg_var
safe_mode_include_dir =

2, DB SQL preprocessing mysql_real_escape_string (Many PHPers still rely on addslashes to prevent SQL injection, but this method is still problematic for Chinese encoding. The problem with addslashes is that hackers can use 0xbf27 instead of single quotes. 0xbf27 is not a legal character in GBK encoding, so addslashes is just 0xbf5c27, becomes a valid multi-byte character, 0xbf5c will still be treated as a single quote). You also need to specify the correct character set when using the mysql_real_escape_string function, otherwise there may be problems.

prepare + execute(PDO) ZendFramework can use quote or quoteInto of the DB class. These two methods are implemented according to various databases, unlike mysql_real_escape_string which can only be used for mysql.

3. Processing of user input If you don’t need to keep html tags, you can use the following method strip_tags, delete all html tags in string htmlspecialchars, only escape the characters "", ";", "'" htmlentities, escape all html If HTML tags must be preserved, consider the following tools:

HTML Purifier: HTML Purifier is a standards-compliant HTML filter library written in PHP.
PHP HTML Sanitizer: Remove unsafe tags and attributes from HTML code
htmLawed: PHP code to purify & filter HTML

4, upload file Use the is_uploaded_file and move_uploaded_file functions, using the HTTP_POST_FILES[] array. And prevent users from uploading php scripts by removing the PHP interpretation function of the upload directory. You can consider using the File_upload module under the ZF framework Secure handling of Session, Cookie and Form Do not rely on cookies for core authentication, important information needs to be encrypted, and the transmitted data must be hashed before Form Post. For example, the form element sent is as follows:

Verify the parameters after returning from POST
$str = "";
foreach ($_POST['H'] as $key=>$value) {
$str .= $key.$value;
}
if($_POST['hash'] != md5($str.$secret )) {
echo "Hidden form data modified"; exit;
}

5, PHP security detection tool (XSS and SQL Insertion) Wapiti - Web application security auditor(Wapiti - Compact site vulnerability detection tool) (SQL injection/XSS attack detection tool)

6, installation/usage method:

apt-get install libtidy-0.99-0 python-ctypes python-utidylib
python wapiti.py http://Your Website URL/ -m GET_XSS

Pixy: XSS and SQLI Scanner for PHP (Pixy - PHP source code defect analysis tool) Installation: apt-get install default-jdk

Let’s just introduce these. If you can fully implement the security measures introduced above, your PHP code will be very safe.