PHP security technology to achieve PHP basic security

  • 2020-03-31 21:04:41
  • OfStack

1. Do not rely on the register global variable function (register_globals)

The advent of register_globals once made PHP very easy to use, but it also made it less secure (convenience often comes at the cost of security). It is recommended that the register_globals directive be turned off during development, and this feature will also be disabled in PHP6.

2. Initialize variables before using them.

If register_globals is enabled, a malicious user may exploit an uninitialized variable to break into the system even if the programmer never uses the feature. For example:

if ($condition) {
    $auth = TRUE;
}

If $auth is not initialized to FALSE before this section, a user can pass auth through $_GET['auth'], $_POST['auth'] or $_COOKIE['auth'] and appear authenticated without ever passing the check.

3. Verify and purify all input data.

4. Be careful when using variable references to include files.

If the script has such code:

require($page);

Make sure that $page does not come from an external source (such as $_GET), or, if it does, that it has been checked against the set of values you expect.

5. Be careful when using functions that execute commands on the server.

These functions include eval(), exec(), system(), passthru(), popen() and the backtick operator (` `). They can run commands on the server and should never be used with arbitrary input. If a variable has to be part of the command, check it thoroughly first, and additionally pre-process it with escapeshellarg() or escapeshellcmd().

6. Change the default session directory, or use a database to save session data.

7. Do not save the uploaded file on the server with the file name provided by the browser.

8. If submitted data needs to be redisplayed on a web page, be sure to pay attention to the HTML it may contain and, more importantly, the JavaScript.

You can process the submitted data with the function

string htmlspecialchars(string $string [, int $quote_style [, string $charset]])
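The following is an added example (not code from the original article) that puts items 2, 4 and 8 together as one small front controller: variables initialized before use, an allow-list between request data and require(), and htmlspecialchars() on output. The page keys, the file paths under pages/ and the helper names loadPage() and e() are assumptions for this example.

```php
<?php
// Added example, not from the original article. Page keys, paths and the
// helpers loadPage()/e() are names chosen for this demonstration.
declare(strict_types=1);

// Item 2: initialize every variable the logic depends on, so a request
// parameter of the same name cannot pre-set it even with register_globals on.
$page = null;

// Item 3: read input only through the superglobals and reject unexpected shapes.
$pageKey = $_GET['page'] ?? 'home';
$name    = $_GET['name'] ?? 'guest';
if (!is_string($pageKey) || !is_string($name)) {
    http_response_code(400);
    exit('Bad request');
}

// Item 4: require() never sees request data directly. The key is mapped
// through an allow-list of known files (constructed paths).
$allowedPages = [
    'home'  => __DIR__ . '/pages/home.php',
    'about' => __DIR__ . '/pages/about.php',
];

function loadPage(string $key, array $allowed): ?string
{
    // Only keys present in the allow-list resolve to a path; anything else,
    // such as "../../etc/passwd" or a URL, yields null.
    return $allowed[$key] ?? null;
}

// Item 8: escape on output for the HTML context. ENT_QUOTES also covers
// attribute values, and an explicit charset avoids encoding-dependent bypasses.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$page = loadPage($pageKey, $allowedPages);
if ($page === null) {
    http_response_code(404);
    exit('Unknown page');
}

echo '<p>Hello, ' . e($name) . '</p>';
require $page;
```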

9. Do not expose your PHP error messages on the site

PHP error messages are handy for checking things during development, but if they are exposed on the web they can become an entry point for attackers.

10. Prevent SQL injection attacks.

You should use your database's escaping function, such as mysqli_real_escape_string(), to ensure that submitted values cannot break out of the query.

11. Never leave a phpinfo() script on the server.
