1. Don’t rely on the registered global variable function (register_globals)
The emergence of registered global variables once made PHP very easy to use, but it also reduced security (convenience often undermines security). It is recommended to turn off the register_globals directive when programming. This function will also be canceled in PHP6.
2. Initialize variables before using them.
If the register_globals function is enabled, even if the programmer does not use it, malicious users may exploit the vulnerability of initializing variables to invade our system. For example:
if(conditon){
$auth=TRUE;
}
If the variable $auth is not initialized to FALSE before this paragraph, the user can pass $_GET['auth'], $_POST[' auth'] or $_COOKIE['auth'] to easily implement authentication.
3. Verify and purify all input data.
4. Be careful when using variables to reference included files.
If there is code like this in the script:
require($page);
Then you should make sure that $page does not come from an external resource (such as $_GET), or, if it does come from an external resource, then make sure that it contains appropriate value.
5. Be careful when using any function that executes commands on the server.
These functions include eval(), exec(), system(), passthru(), popen(), and backtick(``). These functions can execute commands on the server and should never be used casually. If you have to include a variable in a command, you should perform a thorough security check on the variable. You should also use escapeshellarg() escapeshellcom() for additional preprocessing.
6. Change the default session directory, or use a database to save session data.
7. Do not save uploaded files on the server using the file name provided by the browser.
8. If the submitted data needs to be redisplayed in the web page, be sure to pay attention to the HTML in it, and more importantly, JAVASCRIPT
You can use the function
string htmlspecialchars (string string [, int quote_style [, string charset]])
Process the submitted data
9. Do not expose your PHP error messages on the site.
PHP error messages can output error messages during your development process to facilitate your inspection, but if exposed on the Web, they can easily become an entry point for attackers.
10. Prevent SQL injection attacks.
You should use language-specific database escape functions, such as mysqli_real_escape_data(), to ensure that the submitted content does not destroy the query operation.
11. Never save phpinfo() scripts on the server.
The above has introduced the PHP security technology to achieve basic PHP security, including aspects of the content. I hope it will be helpful to friends who are interested in PHP tutorials.