Home PC Games Linux Windows Database Network Programming Server Mobile  
           
  Home \ Linux \ Create several practical points of high security PHP site     - Swift notes - let you two hours to learn Swift (Programming)

- Cache implementation APP interacts with the server-side interface control Session (Server)

- Eclipse installs support for Java 8 (Linux)

- Install Web-based monitoring tool: Linux-Dash (Server)

- C ++ CBitmap, HBitmap, Bitmap difference and contact (Programming)

- PHP loop reference caused strange problems (Programming)

- Linux Getting Started tutorial: How to backup Linux systems (Linux)

- Elaborate .NET Multithreading: Thread Pool (Programming)

- Linux System Getting Started Learning: The Linux ac command (Linux)

- Linux server startup and logon security settings (Linux)

- How to use Xmanager Remote Desktop and VNC Log (Linux)

- How to Use Nmap security scanner tool on Linux (Linux)

- Java NIO1: I / O model overview (Programming)

- Linux operating system ARP Spoofing Defense (Linux)

- Laravel cache paged results (Server)

- Oracle database physical file backup / restore (Database)

- Linux VMware virtual machine after the cloning of the card can not start to solve (Linux)

- C ++ Supplements - References (Lvalue Reference, Rvalue Reference) (Linux)

- MongoDB upgrade to 2.6 (Database)

- An Example of GoldenGate Extract Process Hang Problem Solving (Database)

 
         
  Create several practical points of high security PHP site
     
  Add Date : 2018-11-21      
         
         
         
  We all know that PHP is already the most popular Web application programming languages ​​of. But also with other scripting languages, PHP also has some very dangerous security vulnerabilities. Therefore, in this teaching article, we will generally look at a few practical tips to help you avoid some common PHP security issues.

Tip 1: Use appropriate error reporting
Generally in the development process, many programmers always forget to make bug reports, this is a great mistake, because proper error reporting is not only the best debugging tool, but also an excellent tool to detect security vulnerabilities, which can let you apply on-line to find out the real issues before you will encounter possible.
Of course, there are many ways to enable Error Reporting. For example, in php.in configuration file you can set enabled at runtime
Start Error Reporting
 
1 error_reporting (E_ALL);


Disable error reporting
 
1 error_reporting (0);


Tip 2: Do not use PHP's Weak property
PHP has several attributes that need to be set to OFF. Usually they are present in PHP4 inside, but in PHP5 is not recommended. Especially in the last PHP6 inside, these attributes have been removed.

Register globals
When register_globals is set to ON, it is equivalent to setting Environment, GET, POST, COOKIE or Server variables are defined as global variables. At this point you do not need to write $ _POST [ 'username'] to get the form variables 'username', only '$ username' will be able to obtain the variables.

Then you certainly want to set register_globals is ON since there are so convenient benefits, so why not use it? Because if you do that it will bring a lot of security issues, but also may conflict with local variable name.

For example, take a look at the following code:
 
1 if (! Empty ($ _POST [ 'username']) && $ _POST [ 'username'] == 'test123' &&! Empty ($ _POST [ 'password']) && $ _POST [ 'password'] == " pass123 ")
2 {
3 $ access = true;
4}


If during operation, register_globals is set to ON, the user only needs to transmit access = 1 in a query string to be able to get anything to run a PHP script.

Disable global variables in .htaccess
 
1 php_flag register_globals 0


Disable global variables in php.ini
 
1 register_globals = Off


Disable similar magic_quotes_gpc, magic_quotes_runtime, magic_quotes_sybase these Magic Quotes
Set in the .htaccess file
 
1 php_flag magic_quotes_gpc 0
2 php_flag magic_quotes_runtime 0


Set in php.ini
 
1 magic_quotes_gpc = Off
2 magic_quotes_runtime = Off
3 magic_quotes_sybase = Off


Tip 3: Validating User Input
Of course you can also validate user input, you must first know that you expect users to input data types. This allows the browser to do malicious users to attack your defenses ready.

Tip 4: Avoid users to cross-site scripting attacks
In Web applications, are simply accept user input forms and feedback results. In accepting user input, if allowed to enter HTML format will be a very dangerous thing, because it will allow the direct execution after JavaScript to unpredictable way intrusive. As long as there is even one such loophole, cookie data may be stolen and thus cause a user's account is stolen.

Tip 5: prevent SQL injection attacks
PHP Basic does not provide any tools to protect your database, so when you connect to a database, you can use the following mysqli_real_escape_string function.
 
1 $ username = mysqli_real_escape_string ($ GET [ 'username']);
2 mysql_query ( "SELECT * FROM tbl_employee WHERE username = '" $ username.. "'");


Well, in this short article, we describe several development process can not be ignored PHP security issues. But in the end whether to use, or how to use the developer to decide. I hope this article will help to you.
     
         
         
         
  More:      
 
- Understanding and Memcached MongoDB arbitration node, Zookeeper, Redis Recovery Programme Thoughts (Database)
- Ubuntu 15.04 installation Powercommands 2.0 (Linux)
- numpy and SciPy installation under Python for scientific computing package (Linux)
- CentOS 6.6 permanent method to modify the DNS address (Linux)
- To control based on IP address routing policy under Linux (Linux)
- How to build a container cluster (Server)
- Spring-depth understanding of the various annotations (Programming)
- configuration ssh without password under Linux (Linux)
- MySQL monitoring tool -Innotop (Database)
- Shell Scripting Interview Questions (Programming)
- The wrong in Linux: too many open files (Linux)
- Install Java, Maven, Tomcat under Linux (Linux)
- Repair after installing Ubuntu no boot device error (Linux)
- Linux NIC driver and version information (Linux)
- To install Internet security firewall Raiders (Linux)
- Why everybody ought to know LLVM (Linux)
- Ubuntu 12.04 configure NVIDIA CUDA 5.5 Record (Linux)
- High-performance JavaScript DOM programming (Programming)
- Windows7 / 8 / 8.1 hard drive to install Ubuntu 14.04 dual system (Linux)
- Sniffer Linux Environment (Linux)
     
           
     
  CopyRight 2002-2022 newfreesoft.com, All Rights Reserved.