When you use PHP for web development, you need to pay attention to some security configuration items and turn off certain functions to prevent users from inadvertently causing various problems.
1. Turn off the php error prompt function
Change display_errors to OFF in php.ini, or add # before the php file ##error_reporting(0).
Use error_reporting(0); Failure example:
<?php
error_reporting(0);
echo 555
echo 444;
?>
Copy after login
Error:
Parse error: parse error, expecting `','' or `';'' in E:\webphp\2.php on line 4
Many phpers say that using error_reporting(0) does not work. In the first example, there is a fatal error in A.php, which prevents execution. If the server cannot be executed, it does not know that it has this function, so the same error is reported.
2. Turn off some "bad features"
1) Turn off the magic quotes function
Put magic_quotes_gpc = OFF in php.ini
Avoid and
addslashesWait for repeated escaping
2) Turn off register_globals = Off
Put register_globals = OFF in php.ini
In the case of register_globals = ON
<?php
//$bloger = $_GET['bloger']
//因为register_globals = ON 所以这步不用了直接可以用$bloger
echo $bloger;
?>
Copy after login
This situation will cause some uninitialized variables to be easily modified, which may be fatal. So turn register_globals = OFF
(3) Strictly
configure file permissions.
Assign permissions to the corresponding folders. For example, files containing uploaded images cannot have execution permissions and can only be read
3. Strict data verification, what we need to do is to strictly verify the control data Flow, even if one of the 100 million users is a bad user, it is enough to be fatal. Besides, good users sometimes become "bad" inadvertently when they accidentally enter Chinese in the data input box.
In order to ensure the security and robustness of the program, data verification should include
(1) Whether key data exists. For example, whether the deleted data id exists
(2)
The data typeis correct. For example, whether the deleted data id is an integer(3) Data length. If the field is of char(10) type, strlen must be used to determine the data length
(4) Whether the data has dangerous characters
The data length problem, such as the database table field char(25), most PHPers consider whether If it is empty, the data type is correct, but the character length is ignored. Ignoring it is better because it is too lazy to judge the length.
I think the front-end has been verified using js, and the back-end does not need to judge and verify. This is also fatal. You must know that it only takes a few minutes to forge a form. The js judgment is only to reduce the number of user submissions, thereby improving the user experience, reducing http requests and reducing server pressure. In a safe situation, it cannot prevent "villains". Of course, if the legitimate user It is perfect under js verification control, but as phper we cannot only have js verification and abandon another security verification.
Lack of validation for some attributes of the form, such as select, checkbox, radio, button, etc. The developer has set the value and value range (whitelist value) of these attributes on the web page. These attribute values are in JS verification generally does not verify, because legitimate users only have the right to choose and not modify, and then PHPer will not verify the data when it accepts the data at the backend to process the verification data. This is an inertial thinking, and security issues arise. The villain is a fake form.
The name of the corresponding element in the form is consistent with the field name of the data table. For example, the user name field in the user table is user_name, and then the user name input box in the form is also user_name. This is no different from a violent database.
The above is the detailed content of Newbies should develop some good security habits in PHP: turning off error prompts and strict data verification, etc.. For more information, please follow other related articles on the PHP Chinese website!