Introduction
To provide Internet services, you must maintain security awareness at all times when developing code. Most PHP scripts probably pay little attention to security, largely because so many inexperienced programmers use the language. But that is no reason for your own security practices to be inconsistent because you are unsure about your code. As soon as you put anything involving money on a server, there is a chance someone will try to hack it. Create a forum program or any form of shopping cart, and the likelihood of being attacked rises sharply.
Background
To ensure the security of your web content, here are some general security guidelines:
1. Don’t trust forms
Attacking a form is simple. Using a simple JavaScript trick, you can limit the rating field of your form to only accept numbers from 1 to 5. If someone turns off JavaScript in their browser or submits custom form data, your client-side validation is bypassed.
Users interact with your script primarily through form parameters, so they are the biggest security risk. What should you learn from this? Always validate the data passed to any PHP script on the server. In this article we show how to analyze and protect against cross-site scripting (XSS) attacks, which can hijack user credentials (or worse). You will also see how to prevent MySQL injection attacks that can taint or destroy your data.
2. Don’t believe users
Assume that every piece of data obtained by your website is full of harmful code. Clean up every part, even if you believe no one will try to hack your site.
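The following is an added example, not code from the original article, showing what the two rules above look like in a PHP handler for the rating form: the rating is re-validated on the server even though the form's JavaScript already restricts it, user text is escaped before it is echoed (the XSS case), and the INSERT uses bound parameters (the SQL injection case). The table name, column names, DSN and the sample request are assumptions constructed for the demonstration.

```php
<?php
// Added example (not from the original article): server-side handling of
// the rating form. Table/column names, the DSN and the sample request
// are assumptions made for this demonstration.

declare(strict_types=1);

/**
 * Validate the rating field on the server, regardless of any client-side
 * JavaScript. Returns the integer 1..5, or null if the input is unacceptable.
 */
function validate_rating($raw): ?int
{
    // The range filter rejects "", "5abc", "9", arrays and other oddities.
    $rating = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 5],
    ]);
    return $rating === false ? null : $rating;
}

/** Escape user text for HTML output so a stored comment cannot inject markup. */
function escape_html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Insert a review with bound parameters so the values are never parsed as SQL. */
function store_review(PDO $db, string $username, int $rating, string $comment): void
{
    $stmt = $db->prepare(
        'INSERT INTO reviews (username, rating, comment) VALUES (:u, :r, :c)'
    );
    $stmt->execute([':u' => $username, ':r' => $rating, ':c' => $comment]);
}

/**
 * Process one submitted form ($post stands in for $_POST). Returns a short
 * status string; the escaped comment is what the page would render.
 */
function handle_review(PDO $db, array $post): string
{
    $rating = validate_rating($post['rating'] ?? null);
    if ($rating === null) {
        return 'rejected: rating must be an integer from 1 to 5';
    }
    $username = (string)($post['username'] ?? '');
    $comment  = (string)($post['comment'] ?? '');
    store_review($db, $username, $rating, $comment);
    return 'stored; rendered comment: ' . escape_html($comment);
}

// Assumed: an in-memory SQLite database; any PDO driver behaves the same way.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE reviews (username TEXT, rating INTEGER, comment TEXT)');

// Constructed sample submissions: one tampered, one genuine.
$samples = [
    ['username' => 'mallory', 'rating' => '7',
     'comment' => "x'); DROP TABLE reviews; --"],         // out of range: rejected
    ['username' => 'alice',   'rating' => '4',
     'comment' => '<script>alert(1)</script>'],           // stored, echoed escaped
];

foreach ($samples as $post) {
    echo handle_review($db, $post), PHP_EOL;
}
```

Note that the second comment is stored exactly as typed; the protection is applied at output time with escape_html(), and the protection against SQL injection comes from the placeholders, not from filtering the comment text.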
3. Turn off global variables
The biggest security hole you may have is enabling the register_globals configuration parameter. Fortunately, PHP 4.2 and later disable this configuration by default. If register_globals is turned on, you can turn it off by setting the register_globals directive to Off in your php.ini file:
register_globals = Off
Novice programmers find registered global variables convenient, but they do not realize how dangerous this setting can be. A server with register_globals enabled automatically assigns every form parameter to a global variable of the same name. To understand how this works and why it is dangerous, let's look at an example.
Suppose you have a script called process.php that inserts form data into your database. The initial form looks like this:
<input name="username" type="text" size="15" maxlength="64">
When process.php runs, PHP with register_globals enabled assigns the parameter to the $username variable. This saves a few keystrokes compared to accessing it via $_POST['username'] or $_GET['username']. Unfortunately, it also leaves you with a security problem: PHP sets the variable to whatever value is sent to the script via a GET or POST parameter. If you do not explicitly initialize a variable and you do not want anyone to be able to manipulate it, this is a big problem.
Look at the script below. If the value of the $authorized variable is true, it displays the verified data to the user. Normally, $authorized is set to true only if the user passes the hypothetical authenticated_user() function's verification. But if register_globals is enabled, anyone can send a GET parameter such as authorized=1 to override it:
<?php
// Define $authorized = true only if the user is authenticated.
// Nothing sets $authorized = false first, so with register_globals on, a
// request carrying ?authorized=1 makes the variable true before this runs.
if (authenticated_user()) {
    $authorized = true;
}
?>
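As an added example (not code from the original article), here is the same authorization check written so that no request parameter can pre-set it, together with a startup guard that refuses to run when the register_globals directive is on. The article's authenticated_user() is hypothetical, so the credential check inside it here is an assumption; the two sample requests are constructed for the demonstration.

```php
<?php
// Added example, not part of the original article. authenticated_user()
// is the article's hypothetical function; its body below is an assumption.

declare(strict_types=1);

/** Stand-in for the article's hypothetical authenticator (assumed logic). */
function authenticated_user(array $post): bool
{
    // Assumed demo credentials; a real check would use password_verify()
    // against a stored hash. hash_equals() avoids a timing side channel.
    return ($post['username'] ?? '') === 'alice'
        && hash_equals('demo-only-secret', (string)($post['password'] ?? ''));
}

/**
 * Refuse to run if register_globals is on. On PHP < 5.4 ini_get() returns
 * the configured value; on PHP >= 5.4 the directive no longer exists and
 * ini_get() returns false, which is the safe case.
 */
function assert_register_globals_off(): void
{
    $value = ini_get('register_globals');
    if ($value !== false && filter_var($value, FILTER_VALIDATE_BOOLEAN)) {
        throw new RuntimeException(
            'register_globals must be Off (php.ini: register_globals = Off)'
        );
    }
}

/** Authorization decision that does not depend on any pre-existing variable. */
function is_authorized(array $post): bool
{
    // Explicit default: even with register_globals on, ?authorized=1 is
    // overwritten here before the decision is made.
    $authorized = false;
    if (authenticated_user($post)) {
        $authorized = true;
    }
    return $authorized;
}

assert_register_globals_off();

// Constructed requests: a forged parameter and a genuine login.
$requests = [
    'forged ?authorized=1' => ['authorized' => '1'],
    'genuine login'        => ['username' => 'alice', 'password' => 'demo-only-secret'],
];

foreach ($requests as $label => $post) {
    echo $label, ': ', is_authorized($post) ? 'authorized' : 'denied', PHP_EOL;
}
```

Reading the credentials from the array the function receives, rather than from globals, also makes the check testable: the same function can be exercised with any constructed request.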
The moral of this story is that you should obtain form data from the predefined server variables. All data passed to your web page through a POST form is automatically stored in a large array called $_POST, and all GET data is stored in the $_GET array. File upload information is stored in a special array called $_FILES. There is also a composite variable called $_REQUEST.
To access the username field of a form submitted with the POST method, use $_POST['username']. If username is in the URL, use $_GET['username']. If you are not sure where the value comes from, use $_REQUEST['username'].
<?php
// Read each value from the array for the HTTP source it is expected from.
// The null-coalescing default avoids an "undefined index" notice when the
// parameter is absent from the request.
$post_value    = $_POST['post_value'] ?? null;
$get_value     = $_GET['get_value'] ?? null;
$some_variable = $_REQUEST['some_value'] ?? null;
?>
$_REQUEST is the combination of the $_GET, $_POST and $_COOKIE arrays. If you have two or more values with the same parameter name, be careful about which one PHP uses. The default order is cookie, then POST, then GET.
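The ambiguity just described is easy to check for. The added example below (not code from the original article) reads a parameter from one explicitly named source instead of $_REQUEST, and separately lists every parameter name that arrives through more than one of GET, POST and cookies with differing values, which is exactly the situation in which $_REQUEST silently picks one of them according to the request_order and variables_order ini settings. The three sample arrays are constructed stand-ins for $_GET, $_POST and $_COOKIE.

```php
<?php
// Added example, not from the original article. The three arrays are
// constructed stand-ins for $_GET, $_POST and $_COOKIE.

declare(strict_types=1);

/**
 * Return $name from exactly one source ('get', 'post' or 'cookie'), or null
 * when absent. The caller states where the value is expected to come from.
 */
function param(string $source, string $name, array $get, array $post, array $cookie): ?string
{
    $arrays = ['get' => $get, 'post' => $post, 'cookie' => $cookie];
    if (!isset($arrays[$source])) {
        throw new InvalidArgumentException("unknown source: $source");
    }
    $v = $arrays[$source][$name] ?? null;
    return is_string($v) ? $v : null;   // name[]=x arrives as an array: not accepted
}

/**
 * List every parameter name present in two or more sources with differing
 * values: the cases where $_REQUEST would resolve to one of them silently.
 */
function conflicting_params(array $get, array $post, array $cookie): array
{
    $sources = ['GET' => $get, 'POST' => $post, 'COOKIE' => $cookie];
    $seen = [];
    foreach ($sources as $label => $arr) {
        foreach ($arr as $k => $v) {
            $seen[$k][$label] = $v;
        }
    }
    $conflicts = [];
    foreach ($seen as $k => $byLabel) {
        if (count($byLabel) > 1 && count(array_unique($byLabel, SORT_REGULAR)) > 1) {
            $conflicts[$k] = $byLabel;
        }
    }
    return $conflicts;
}

// Constructed request: "username" arrives three times with different values.
$get    = ['username' => 'from_url'];
$post   = ['username' => 'from_form', 'rating' => '4'];
$cookie = ['username' => 'from_cookie'];

// request_order takes precedence when set; otherwise variables_order applies.
echo 'effective order: ', ini_get('request_order') ?: ini_get('variables_order'), PHP_EOL;
echo 'POST username: ', param('post', 'username', $get, $post, $cookie), PHP_EOL;

foreach (conflicting_params($get, $post, $cookie) as $name => $values) {
    // A real application would log this for review; here it goes to error_log.
    error_log("parameter '$name' supplied via " . implode(', ', array_keys($values)));
}
```

Naming the source in the call also documents intent: a login form's fields should come from $_POST, and a value that unexpectedly shows up in a cookie or the query string as well is worth logging.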
The above are the secure programming tips we have compiled. For more related questions, visit the PHP Chinese website: https://www.php.cn/