Notes on developing micro-malls with PHP
Compared with Java, C, C#, Python and other languages, PHP has more advantages in the mall. The biggest advantages are high development efficiency, many framework choices, and many open source products to choose from, which can greatly reduce development costs and speed up product iteration, such as the open source malls DSMall, DSHOP, DSKMS, etc. developed based on the Thinkphp framework. Based on this Product development can greatly speed up development and bring projects online quickly, while the Thinkphp framework can be directly upgraded.
Under normal circumstances, we need to pay attention to PHP security knowledge during our own development process. Here are some common security issues.
1.SQL injection
SQL injection is one of the biggest threats to common websites. If the database is attacked by SQL injection, all of your databases can be obtained. There are two current mainstream solutions. Escape user-entered data or use encapsulated statements. Generally, an encapsulated function is used to filter the data submitted by the user.
2.XSS
XSS is also called CSS (Cross Site Script), a cross-site scripting attack. It refers to a malicious attacker inserting malicious html code into a Web page. When a user browses the page, the html code embedded in the Web will be executed, thereby achieving the special purpose of maliciously attacking the user.
The correct approach is to resolutely not trust any input from the user and filter out all special characters in the input. This will eliminate most XSS attacks.
3. The most commonly used defense method is to generate a CSRF token encrypted secure string, generally called a Token. Every time you construct a form on a web page, put the Token token in a hidden field in the form. The Token token in the Session is better than Yes, it will be passed only if the verification is successful.
If you carry out secondary development in the open source mall system in these TP frameworks, you should pay attention to the following points:
1. Set public The directory is the only externally accessible directory. Do not put resource files into the application directory;
2. Turn on form token verification to avoid repeated submission of data, which can play a role in CSRF defense; 3. Use the request variable acquisition method provided by the framework (Request class param method and input helper function) instead of native system variables to obtain user input data; 4. Set default_filter filtering rules for different application requirements (there is no filtering by default) Rules), common security filtering functions include stripslashes, htmlentities, htmlspecialchars and strip_tags, etc. Please choose the most appropriate filtering method according to the business scenario; 5. Use verification classes or verification methods to Set necessary validation rules for business data; Recommended tutorial:PHP video tutorial
The above is the detailed content of What should you pay attention to when developing micro-mall in PHP?. For more information, please follow other related articles on the PHP Chinese website!