As long as we have done various operations, we can basically prevent some friends from using the vulnerabilities of the website itself to operate the website. Many of them are available in php, such as XSS. Use htmlentities() to prevent XSS attacks and SQL injection can be used. mysql_real_escape_string operation, etc.
PHP includes the security of any other network programming language, which is specifically reflected in two aspects: local security and remote security. Here we should develop the following habits to ensure that our PHP program itself is safe.
1. Verify any data entered by the user to ensure the security of PHP code
One trick here is to use a white list. The so-called white list means: we require the user's data to be like this. For example, if we require the user's input to be a number, we only need to check whether the value is a number. Check to see what it is - it could actually be a malicious script.
We cannot only perform this verification on the client-side JavaScript. Battlefield believes that JS is only produced to improve the experience of visiting users, not as a verification tool. Because any visiting user may or may inadvertently disable the execution of client scripts, thereby skipping this layer of verification. So we must verify this data on the PHP server-side program.
2. Protect the security of the database - perform security preprocessing on Sql statements that will be run on the database.
At any time, the mysql_real_escape_string operation must be performed on the Mysql statement before execution - please refer to the PHP manual for the usage of this function. Many PHP database abstraction layers such as ADODB provide similar methods.
3. Don’t rely on PHP settings that you shouldn’t rely on - the environment is sometimes unreliable
It does not depend on magic_quotes_gpc=On. During the programming process, try to turn off this configuration option and process the data input by the user after judging this option at any time. Remember - this option will be removed in PHP v6. Try to use the addcslashes series of functions when appropriate - please refer to the manual
4. Verify data sources to avoid remote form submission
Do not use the super variable $_SERVER['HTTP_REFERER'] to check the source address of the data. A very young hacker will use tools to forge the data of this variable. If possible, use Md5, or rand and other functions to generate a token. When verifying the source, verify that the token matches.
5. Protect session data, especially Cookies
Cookies are stored on the user's computer. After being saved, any user may change them for some reason. We must encrypt sensitive data. Md5 and sha1 are both good encryption methods.
6. Use htmlentities() to prevent XSS attacks
Perform htmlentities() operations on data where users may enter scripting language, and materialize most of the user input that can cause program errors. Remember to follow Habit #1: Validate input data with values from a whitelist in inputs to your web application for names, email addresses, phone numbers, and billing information.