Shulou(Shulou.com)06/03 Report--

This article mainly introduces "what are the four major security strategies of PHP". In daily operation, I believe many people have doubts about what the four major security strategies of PHP are. The editor consulted all kinds of materials and sorted out simple and easy-to-use operation methods. I hope it will be helpful to answer the doubts about "what are the four major security strategies of PHP?" Next, please follow the editor to study!

I. File system security

If php has root permission and allows the user to delete the file in the script, then the user submits the data without filtering, it is very likely to delete the system file

In the above code, assuming that the user submitted a $user file value of.. / etc/, the / etc directory will be deleted.

To prevent file system attacks, the strategy is as follows

Give only limited permissions to php

The variables submitted by users should be monitored and filtered, and cannot contain special characters such as file paths.

Try to avoid using PHP to operate files (delete). If there is a need for this, the user can delete the file and must be a random name generated by the system, which cannot be controlled by the user.

II. Database security

Database security mainly prevents sql injection, that is, sql injection attacks. The strategies to improve database security are as follows:

There is no need to use the root account or the database owner account to connect to the database. The connection database limits the ip of the connected user.

Use php's pdo extension to effectively prevent sql injection. In addition to security advantages, php's pdo extension has great advantages in performance.

Please refer to http://php.net/manual/en/pdo.prepared-statements.php

Encrypt sensitive information, such as passwords

III. User data filtering

Filter user data to prevent XSS and CSRF attacks

Use whitelist (user input is fixed mode)

For example, if a user name can only use numeric letters, then you can use the function ctype_alnum to determine

Use function htmlentities or htmlspecialchars to process user input. Input url is not allowed to pass non-http protocol.

User authentication uses token token (csrf)

Http://htmlpurifier.org/ HTML Purifier is an effective open source solution against xss attacks.

IV. Other security policies

Online environment turns off error reporting (error_reporting,dislay_erros, error_log paths can be configured in php.ini to log error messages, which helps identify possible user attacks)

Register Globals, deprecate (remove) features, do not use

Magic quotation mark feature, do not turn on, has been removed in PHP-5.4

Try to use the latest version of PHP, which fixes many known security vulnerabilities and bug

Strictly abide by the above strategy in the code, can basically ensure that the code will not have too many security vulnerabilities, can prevent common attacks.

At this point, the study of "what are the four major security strategies of PHP" is over. I hope to be able to solve your doubts. The collocation of theory and practice can better help you learn, go and try it! If you want to continue to learn more related knowledge, please continue to follow the website, the editor will continue to work hard to bring you more practical articles!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.