We all know that PHP is already the most popular Web application programming languages of. But also with other scripting languages, PHP also has some very dangerous security vulnerabilities. Therefore, in this teaching article, we will generally look at a few practical tips to help you avoid some common PHP security issues.
Tip 1: Use appropriate error reporting
Generally in the development process, many programmers always forget to make bug reports, this is a great mistake, because proper error reporting is not only the best debugging tool, but also an excellent tool to detect security vulnerabilities, which can let you apply on-line to find out the real issues before you will encounter possible.
Of course, there are many ways to enable Error Reporting. For example, in php.in configuration file you can set enabled at runtime
Start Error Reporting
1 error_reporting (E_ALL);
Disable error reporting
1 error_reporting (0);
Tip 2: Do not use PHP's Weak property
PHP has several attributes that need to be set to OFF. Usually they are present in PHP4 inside, but in PHP5 is not recommended. Especially in the last PHP6 inside, these attributes have been removed.
When register_globals is set to ON, it is equivalent to setting Environment, GET, POST, COOKIE or Server variables are defined as global variables. At this point you do not need to write $ _POST [ 'username'] to get the form variables 'username', only '$ username' will be able to obtain the variables.
Then you certainly want to set register_globals is ON since there are so convenient benefits, so why not use it? Because if you do that it will bring a lot of security issues, but also may conflict with local variable name.
For example, take a look at the following code:
1 if (! Empty ($ _POST [ 'username']) && $ _POST [ 'username'] == 'test123' &&! Empty ($ _POST [ 'password']) && $ _POST [ 'password'] == " pass123 ")
3 $ access = true;
If during operation, register_globals is set to ON, the user only needs to transmit access = 1 in a query string to be able to get anything to run a PHP script.
Disable global variables in .htaccess
1 php_flag register_globals 0
Disable global variables in php.ini
1 register_globals = Off
Disable similar magic_quotes_gpc, magic_quotes_runtime, magic_quotes_sybase these Magic Quotes
Set in the .htaccess file
1 php_flag magic_quotes_gpc 0
2 php_flag magic_quotes_runtime 0
Set in php.ini
1 magic_quotes_gpc = Off
2 magic_quotes_runtime = Off
3 magic_quotes_sybase = Off
Tip 3: Validating User Input
Of course you can also validate user input, you must first know that you expect users to input data types. This allows the browser to do malicious users to attack your defenses ready.
Tip 4: Avoid users to cross-site scripting attacks
Tip 5: prevent SQL injection attacks
PHP Basic does not provide any tools to protect your database, so when you connect to a database, you can use the following mysqli_real_escape_string function.
1 $ username = mysqli_real_escape_string ($ GET [ 'username']);
2 mysql_query ( "SELECT * FROM tbl_employee WHERE username = '" $ username.. "'");
Well, in this short article, we describe several development process can not be ignored PHP security issues. But in the end whether to use, or how to use the developer to decide. I hope this article will help to you.