Detailed explanation of security knowledge based on PHP development

  • 2020-06-07 04:20:11
  • OfStack

PHP code security and XSS, SQL injection are very useful for the security of various websites, especially UGC(User Generated Content) websites, forums and e-commerce websites, which are often hit hard by XSS and SQL injection. Here is a brief introduction to some basic programming points. Compared with system security, php security requires programmers to be more careful with various parameters entered by users.

Security during php compilation

It is recommended to install the Suhosin patch. Security patches must be installed
php.ini security Settings

register_global = off
magic_quotes_gpc = off
display_error = off
log_error = on
# allow_url_fopen = off
expose_php = off
open_basedir =
safe_mode = on
disable_function = exec,system,passthru,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,dl,popen,show_source,get_cfg_var
safe_mode_include_dir =

DB SQL Pretreatment
mysql_real_escape_string (Many PHPer still rely on addslashes to prevent SQL injection, but this approach is still problematic for Chinese coding. The problem with addslashes is that hackers can use 0xbf27 instead of single quotation marks. In GBK encoding, 0xbf27 is not a valid character, so addslashes will simply treat 0xbf5c27 as a valid multi-byte character, and 0xbf5c will still be treated as single quotation marks (see this article). Using the mysql_real_escape_string function also requires specifying the correct character set, otherwise you may still have problems.

prepare + execute(PDO)
ZendFramework can use quote or quoteInto of the DB class. These two methods are implemented according to various databases without methods, unlike mysql_real_escape_string, which can only be used for mysql

Processing of user input
You do not need to keep the HTML tag in the following way
strip_tags, delete all html tags in string
htmlspecialchars, only" < "," > ", ";" The "'" character is escaped
htmlentities, escaping all html
If the HTML tag must be retained, consider the following tools:

HTML Purifier: HTML Purifier is a standards-compliant HTML filter library written in PHP.
PHP HTML Sanitizer: Remove unsafe tags and attributes from HTML code
htmLawed: PHP code to purify & filter HTML

Upload a file
Use the is_uploaded_file and move_uploaded_file functions, and use the HTTP_POST_FILES[] array. And prevent users from uploading php scripts by removing the PHP explain feature from the upload directory.
File_upload module can be considered under ZF framework
Security handling for Session, Cookie and Form
Do not rely on Cookie for core authentication. Important information needs to be encrypted. Form Post hashes transmitted data before Post.

<input type="hidden" name="H[name]" value="<?php echo $Oname?>"/> <input type="hidden" name="H[age]" value="<?php echo $Oage?>"/> <?php $sign = md5('name'.$Oname.'age'.$Oage.$secret); ?> <input type="hidden" name="hash" value="<?php echo $sign?>"" />
POST Verify the parameters when you come back 
$str = "";
foreach($_POST['H'] as $key=>$value) {
$str .= $key.$value;
if($_POST['hash'] != md5($str.$secret)) {
echo "Hidden form data modified"; exit;

PHP Safety Detection Tool (XSS and SQL Insertion)
Wapiti application security auditor(Wapiti - small site vulnerability detection tool) (SQL injection/XSS attack detection tool)

How to use:
apt-get install libtidy-0.99-0 python-ctypes python-utidylib
python http://Your Website URL/ -m GET_XSS
Pixy: XSS and Scanner for PHP(Pixy-ES138en source code defect analysis tool)
Amr: ES140en-ES141en install ES143en-ES144en

Related articles: