
How to write secure PHP applications

2025-01-17 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--

This article explains "how to write secure PHP applications". The content is easy to understand and clearly organised; we hope it helps resolve your doubts, so let the editor guide you through "how to write secure PHP applications".

When considering security, remember that beyond the security of the underlying platform and operating system, you also need to make sure the applications you write are themselves secure. When writing PHP applications, adopt the following seven habits to give your application the best possible security:

Validate input

Protect the file system

Protect the database

Protect session data

Protect against cross-site scripting (Cross-site scripting, XSS) vulnerabilities

Verify form posts

Protect against cross-site request forgery (Cross-Site Request Forgery, CSRF)

Validate input

Validating data is the most important habit you can adopt where security is concerned. When it comes to input, the rule is simple: don't trust the user. Your users may be excellent, and most of them will use the application exactly as intended. However, as long as there is an opportunity for input, there is a good chance that some of it will be very bad. As an application developer, you must prevent the application from accepting incorrect input. Thinking carefully about where users can enter data, and what the correct values are, will let you build a robust and secure application.

Although interaction with the file system and the database is described later, the following is a list of general validation tips that apply to all kinds of validation:

Use values in the whitelist

Always revalidate limited options

Use built-in escape functions

Verify the correct data type (such as a number)

A whitelisted value (White-listed value) is a known-correct value, as opposed to a blacklisted value (Black-listed value), which is a known-invalid one. The difference matters because, when validating, the list or range of allowed values is usually smaller than the list or range of invalid values, many of which may be unknown or unexpected.

When validating, keep in mind that it is usually easier to define and check the values your application allows than to try to block every unknown value. For example, to restrict a field to numbers only, write a routine that verifies the input consists entirely of digits; do not write a routine that searches for non-numeric characters and flags the input as invalid when it finds one.
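The four validation tips above, applied in code. This is an added example and not code from the original article: a small allowlist validator with three hypothetical rule types (all-digit integers with a range, a fixed set of options that is re-checked server-side, and a bare file name with a fixed extension), run over a constructed request that stands in for $_GET on a page such as the image download discussed in the next section.

```php
<?php
// Allowlist validation of request parameters (added example, not from the article).
// Each rule describes what is allowed; every other value is rejected. Rule formats
// (hypothetical, chosen for this example): ['int', min, max] = digits only plus a
// range check; ['enum', [...]] = one of a fixed set; ['filename', ext] = bare name.
function validateInput(array $input, array $rules): array
{
    $clean = [];
    foreach ($rules as $field => $rule) {
        $value = $input[$field] ?? null;
        if (!is_string($value)) {
            throw new InvalidArgumentException("$field is missing");
        }
        switch ($rule[0]) {
            case 'int':
                // State the allowed form (all digits) instead of hunting for bad characters.
                if (!preg_match('/\A[0-9]{1,10}\z/', $value)) {
                    throw new InvalidArgumentException("$field must be numeric");
                }
                $n = (int) $value;
                if ($n < $rule[1] || $n > $rule[2]) {
                    throw new InvalidArgumentException("$field is out of range");
                }
                $clean[$field] = $n;
                break;
            case 'enum':
                // Re-validate limited options server-side even if the form used a <select>.
                if (!in_array($value, $rule[1], true)) {
                    throw new InvalidArgumentException("$field is not an allowed option");
                }
                $clean[$field] = $value;
                break;
            case 'filename':
                // Only the listed characters and the expected extension: no separators or "..".
                $re = '/\A[A-Za-z0-9_-]{1,64}\.' . preg_quote($rule[1], '/') . '\z/';
                if (!preg_match($re, $value)) {
                    throw new InvalidArgumentException("$field is not a valid file name");
                }
                $clean[$field] = $value;
                break;
            default:
                throw new LogicException("unknown rule for $field");
        }
    }
    return $clean;
}
// Constructed sample request standing in for $_GET on an image-download page.
$rules = ['id' => ['int', 1, 999999], 'size' => ['enum', ['small', 'medium', 'large']], 'image' => ['filename', 'png']];
var_dump(validateInput(['id' => '42', 'size' => 'medium', 'image' => 'logo.png'], $rules));
```

Because the validator throws on the first failing field and returns only the cleaned values, the rest of the script can use its result without ever touching the raw request array.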

Protect the file system

In July 2000, a Web site leaked customer data stored in files on the Web server. A visitor to the Web site used a URL to view the file containing the data. Although the files had been misplaced, this example emphasizes the importance of protecting the file system against attackers.

If a PHP application handles files arbitrarily and the file names include variable data that the user can supply, check the user input carefully to ensure that the user cannot perform any inappropriate actions on the file system. Listing 1 shows an example of a PHP site that downloads an image with a specified name.

Listing 1. Download a file

The code is as follows:
