Summary of 5 PHP security measures

  • 2020-05-19 04:22:36
  • OfStack

Developers, database architects and system administrators should take a few precautions before deploying a PHP application to a server. Most of them cost only a few lines of code or a few changes to the application's settings.

#1: manage the installation scripts

Many third-party PHP applications ship with a suite of installation scripts (typically an install/ or admin/ directory) that set up the application's working components and provide an entry point for configuring it. Most packages recommend deleting that directory once installation is complete, because an installer left on a live site lets anyone who can reach it reconfigure or reinstall the application. A developer who needs to keep the scripts should at least place an .htaccess file in the directory that restricts access to authenticated administrators:

AuthType Basic
AuthName "Administrators Only"
AuthUserFile /usr/local/apache/passwd/passwords
Require valid-user

Any user who requests the protected directory is prompted for a user name and password, and the pair must match an entry in the specified passwords file. Create and maintain that file with Apache's htpasswd utility (for example: htpasswd -c /usr/local/apache/passwd/passwords admin) and keep it outside the document root so it can never be downloaded. Two caveats: the directory must be covered by AllowOverride AuthConfig in the main server configuration, otherwise the .htaccess file is silently ignored and the scripts stay open; and Basic authentication sends the credentials base64-encoded, not encrypted, so the directory should be reachable over HTTPS only. Deleting the installer after use remains the safer option.

#2: include files

Developers commonly collect settings shared by many scripts into a single file that each page pulls in with an include or require statement. When that file holds sensitive data such as user names, passwords and database credentials, it must not be saved with the customary ".inc" extension: a web server does not hand ".inc" files to the PHP engine, so anyone who requests the file by URL receives its source, credentials included, as plain text. Giving the file a ".php" extension makes the server run it through PHP instead, so a direct request executes the file rather than displaying it. That alone is not a complete fix: a directly requested include still executes whatever it contains, so also store such files outside the document root (or deny web access to their directory in the server configuration) and have them refuse to run unless they were included by the application.
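The following is an added example, not code from the original article, showing the two extra safeguards for a credentials file: an include guard that makes direct execution harmless, and loading the file by absolute path from a directory outside the web root. A throwaway file in the system temp directory stands in for that directory; the path, the APP_BOOTSTRAPPED constant name and the credentials are assumptions made for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original article. A throwaway config file
// is written to the system temp directory to stand in for a directory outside
// the web root; the path, the APP_BOOTSTRAPPED constant and the credentials
// are assumptions made for this demonstration.

// Contents of the include file as it would live at, say,
// /var/www/app/config/db.php (assumed path, not under the document root).
$configSource = <<<'PHP'
<?php
// Refuse to run when requested directly instead of being included by the
// application. A .php extension stops the server from displaying the source,
// but a direct request would still execute the file; this guard makes that
// execution harmless.
defined('APP_BOOTSTRAPPED') or exit('Direct access denied');

// Return the settings rather than assigning globals, so nothing leaks into
// the global scope and the caller decides where the values go.
return [
    'dsn'  => 'mysql:host=127.0.0.1;dbname=shop',
    'user' => 'shop_app',
    'pass' => 'example-only',
];
PHP;

// Write the stand-in include file outside the (imaginary) document root.
function writeConfigOutsideDocroot(string $source): string
{
    $path = sys_get_temp_dir() . '/db_config_example.php';
    file_put_contents($path, $source);
    return $path;
}

// What the application's bootstrap does: define the guard, then include by
// absolute path rather than relying on include_path or a relative location.
function loadDbConfig(string $path): array
{
    if (!defined('APP_BOOTSTRAPPED')) {
        define('APP_BOOTSTRAPPED', true);
    }
    $cfg = require $path;
    if (!is_array($cfg) || !isset($cfg['dsn'], $cfg['user'], $cfg['pass'])) {
        throw new RuntimeException("Malformed config at $path");
    }
    return $cfg;
}

$path = writeConfigOutsideDocroot($configSource);

$cfg = loadDbConfig($path);
printf("Included normally: DSN %s, user %s\n", $cfg['dsn'], $cfg['user']);

// Simulate a direct request: run the file in a fresh PHP process where the
// guard constant is not defined. Only the denial message comes back; the
// credentials are neither displayed nor used.
$direct = shell_exec(PHP_BINARY . ' ' . escapeshellarg($path));
printf("Requested directly: %s\n", trim((string) $direct));

unlink($path);
```

Run it with the PHP command-line interpreter. The second process stands in for a browser hitting the file's URL: because the bootstrap never ran, the guard fires before the credentials array is reached. Returning the array from the file, instead of assigning $db_user and friends as globals, also keeps the values out of the global namespace, which matters for the register_globals problem discussed further down.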

#3: MD5 vs SHA

Where users choose their own user names and passwords, the site must store something that lets it check a submitted password later without keeping the password itself. Strictly this is hashing, not encryption: the stored value cannot be turned back into the password. MD5 (Message Digest algorithm) produces a 128-bit digest and SHA-1 (Secure Hash Algorithm) a 160-bit one; for years developers stored the output of md5(), and many later moved to sha1(). Neither is adequate for password storage today: both are fast, unsalted digests that an attacker can test at billions of guesses per second against a leaked table, and identical passwords produce identical digests, so one cracked entry exposes every user who chose the same password. Since PHP 5.5 the right tool is password_hash(), which applies a deliberately slow, salted algorithm (bcrypt by default), together with password_verify() for checking and password_needs_rehash() for upgrading old entries.
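Below is an added example, not code from the original article, of what replacing md5()/sha1() with password_hash() looks like in practice, including the migration of existing unsalted rows the first time their owners log in. The $users array stands in for a database table; its rows, the user names and the passwords are constructed for this demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original article: storing passwords with a
// slow, salted hash instead of a bare MD5/SHA-1 digest, and upgrading legacy
// rows transparently when their owner next logs in. The $users array stands in
// for a database table; its rows and the passwords are constructed for this
// demonstration.

// One row as the md5() approach described in the article would have left it:
// an unsalted 32-hex-character digest that cracks in seconds if leaked.
$users = [
    'alice' => ['hash' => md5('correct horse'), 'legacy' => true],
];

// Registration: store only a password_hash() result. PASSWORD_DEFAULT is
// bcrypt at present; PHP generates and embeds a random salt per password.
function registerUser(array &$users, string $name, string $password): void
{
    $users[$name] = [
        'hash'   => password_hash($password, PASSWORD_DEFAULT),
        'legacy' => false,
    ];
}

// Login check. Returns true only for a correct password. Legacy md5 rows are
// verified with a constant-time compare and then re-stored as bcrypt while the
// plaintext is in hand; current rows are re-hashed if the cost or algorithm
// has been raised since they were written.
function loginUser(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        // Spend roughly the same time as a real check so response timing does
        // not reveal which user names exist.
        password_verify($password, password_hash('placeholder', PASSWORD_DEFAULT));
        return false;
    }
    $row = &$users[$name];

    if ($row['legacy']) {
        if (!hash_equals($row['hash'], md5($password))) {
            return false;
        }
        $row['hash']   = password_hash($password, PASSWORD_DEFAULT);
        $row['legacy'] = false;
        return true;
    }

    if (!password_verify($password, $row['hash'])) {
        return false;
    }
    if (password_needs_rehash($row['hash'], PASSWORD_DEFAULT)) {
        $row['hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

registerUser($users, 'bob', 'hunter2!');

foreach ([['bob', 'hunter2!'], ['bob', 'wrong'], ['alice', 'correct horse'],
          ['nobody', 'x']] as [$name, $pw]) {
    printf("%-7s %-14s -> %s\n", $name, $pw,
        loginUser($users, $name, $pw) ? 'ok' : 'rejected');
}

// After alice's successful login her row no longer holds an md5 digest.
printf("alice legacy=%s hash prefix=%s\n",
    var_export($users['alice']['legacy'], true),
    substr($users['alice']['hash'], 0, 4));
```

Two design points worth noting. The legacy branch compares with hash_equals() rather than ==, since a plain string comparison returns early on the first differing byte and leaks timing, and PHP's loose comparison of hex digests beginning with "0e" is a well-known trap. And the migration happens at login rather than in a batch job, because the plaintext is only available then; until a user logs in, their row stays an md5 digest, so the table should still be treated as compromised if it ever leaks.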

#4: automatic global variables

php.ini contains a setting named register_globals. When it is on, the PHP engine turns every server variable, cookie, form field and query-string parameter into a global PHP variable, so a request for page.php?admin=1 creates $admin with the value 1 inside the script before any of its code runs. Installers for third-party packages such as the content management systems Joomla and Drupal therefore direct the user to set register_globals to "off". With it off, an attacker cannot pre-set a variable simply by guessing its name, for example a flag that the script only meant to set after a successful password check. The setting has been off by default since PHP 4.2, was deprecated in 5.3 and was removed altogether in 5.4. On a current PHP the same exposure arises from code that calls extract() or the one-argument form of parse_str() on request data, which should be avoided for the same reason; read input explicitly from $_GET, $_POST, $_COOKIE or $_SERVER instead.

#5: initialize variables and values

Many developers, pressed for time, leave variables uninitialised and rely on them being empty. A variable that records the outcome of the authentication check, for example, must be given a value (false) before the login attempt is evaluated, not only on the success path. Otherwise, with register_globals on, or with request data being extracted into variables, a user can supply the variable in the request and walk past the check into areas of the site they are not entitled to. Initialising every such variable to a safe default is a one-line habit that closes the hole regardless of how input reaches the script.
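The following added example, not code from the original article, shows the authentication bypass that #4 and #5 together describe, and the hardened form. register_globals no longer exists in current PHP, so extract() over the request array is used to reproduce its effect of turning each request parameter into a variable; the credential check, the user name and password, and the three request arrays are constructed for this demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original article. register_globals was
// removed in PHP 5.4, so extract() over the request array is used here to
// reproduce its effect: every request key becomes a local variable. The
// credentials and the request arrays are constructed for this demonstration.

// Stand-in credential check; a real application would compare against a
// stored password hash with password_verify().
function credentialsValid(string $user, string $pass): bool
{
    return hash_equals('admin', $user) && hash_equals('letmein', $pass);
}

// VULNERABLE: the pattern the article warns about. With register_globals on
// (emulated by extract()), $authorized is never initialised, so a request
// containing authorized=1 pre-sets it and the password check is skipped.
function isAuthorizedVulnerable(array $request): bool
{
    extract($request); // emulates register_globals = On

    if (isset($user, $pass) && credentialsValid($user, $pass)) {
        $authorized = true;
    }
    // On a failed or absent login this reads whatever the request injected.
    return !empty($authorized);
}

// HARDENED: initialise the flag to deny before use, read input only from the
// request array (in a web app: $_POST), and never let request data become
// variables.
function isAuthorizedHardened(array $request): bool
{
    $authorized = false; // explicit default: deny

    $user = isset($request['user']) ? (string) $request['user'] : '';
    $pass = isset($request['pass']) ? (string) $request['pass'] : '';

    if (credentialsValid($user, $pass)) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed requests: a real login, a bad login, and a bypass attempt that
// supplies no credentials but sets the flag variable directly.
$requests = [
    'valid login'    => ['user' => 'admin', 'pass' => 'letmein'],
    'wrong password' => ['user' => 'admin', 'pass' => 'guess'],
    'bypass attempt' => ['authorized' => '1'],
];

foreach ($requests as $label => $req) {
    printf("%-15s vulnerable=%s hardened=%s\n",
        $label,
        isAuthorizedVulnerable($req) ? 'ALLOW' : 'deny',
        isAuthorizedHardened($req) ? 'ALLOW' : 'deny');
}
```

The bypass request is the interesting row: the vulnerable function lets it through because the only thing that could have set $authorized to false was the developer, and nothing did; the hardened function denies it because the flag starts as false and the request cannot reach it. Note that the fix is both halves: initialising the variable alone would still be defeated by an extract() placed after the initialisation, and avoiding extract() alone still leaves an uninitialised variable that some later refactor may expose.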
