How to make a highly secure PHP website, summary of security issues that need to be paid attention to when making a website-PHP Tutorial-php.cn

Home

PHP Tutorial

How to make a highly secure PHP website, summary of security issues that need to be paid attention to when making a website

伊谢尔伦

Jun 29, 2017 am 11:15 AM

php make safety

Everyone knows that PHP is currently the most popular web application programming language. But like other scripting languages, PHP also has several dangerous security holes. So in this tutorial, we'll take a look at a few practical tips to help you avoid some common PHP security issues.

Tip 1: Use appropriate error reports

Generally during the development process, many programmers always forget to make program error reports, which is extremely Big mistake, because proper error reporting is not only the best debugging tool, but also an excellent security vulnerability detection tool, which allows you to find as many problems as possible before you actually put the application online.
Of course there are many ways to enable error reporting. For example, in php.in Configuration file you can set to enable

Start error reporting at runtime
error_reporting(E_ALL);

Disable error reporting
error_reporting(0);

Tip 2: Not using PHP’s Weak attribute

There are several PHP properties that need to be set to OFF. Generally, they exist in PHP4, but their use is not recommended in PHP5. Especially in PHP6, these attributes were removed.

Register global variables
When register_globals is set to ON, it is equivalent to setting Environment, GET, POST, COOKIE or Server variables are defined as global variables. At this time, you don't need to write $_POST['username'] to get the form variable 'username'. You only need '$username' to get this variable.
Then you must be thinking that since setting register_globals to ON has such convenient benefits, why not use it? Because if you do this it will bring about a lot of security issues, and it may also conflict with local variable names.
For example, take a look at the following code:

if( !empty( $_POST[‘username&#39;] ) && $_POST[‘username&#39;] == ‘test123′ && !empty( $_POST[‘password&#39;] ) && $_POST[‘password&#39;] == “pass123″ )
{
$access = true;
}

Copy after login

If register_globals is set to ON during operation, then the user only needs to transmit access=1 in a query string to get the PHP script running Anything anymore.
Disable global variables in .htaccess

php_flag register_globals 0

Copy after login

Disable global variables in php.ini

register_globals = Off

Copy after login

Disable magic like magic_quotes_gpc, magic_quotes_runtime, magic_quotes_sybase Quotes
Set in .htaccess file

php_flag magic_quotes_gpc 0
php_flag magic_quotes_runtime 0

Copy after login

Set in php.ini

magic_quotes_gpc = Off
magic_quotes_runtime = Off
magic_quotes_sybase = Off

Copy after login

Tip 3: Validate user input

Of course you You can also validate user input. First you must know the data type you expect the user to input. In this way, you can be prepared on the browser side to prevent users from malicious attacks on you.

Tip 4: Avoid cross-site scripting attacks by users

In web applications, it is simple to accept user input in the form and then feedback the results. When accepting user input, it would be very dangerous to allow HTML format input, because this would also allow JavaScript to intrude in unpredictable ways and execute directly. Even if there is only one such vulnerability, cookie data may be stolen and the user's account may be stolen.

Tip 5: Prevent SQL injection attacks

PHP basically does not provide any tools to protect your database, so when you connect to the database, You can use the following mysqli_real_escape_string function.

$username = mysqli_real_escape_string( $GET[‘username&#39;] );
mysql_query( “SELECT * FROM tbl_employee WHERE username = &#39;”.$username.“‘”);

Copy after login

The above is the detailed content of How to make a highly secure PHP website, summary of security issues that need to be paid attention to when making a website. For more information, please follow other related articles on the PHP Chinese website!

Statement of this Website

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Hot AI Tools

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress images for free

Clothoff.io

AI clothes remover

Video Face Swap

Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Article

How to fix KB5055523 fails to install in Windows 11?

3 weeks ago By DDD

How to fix KB5055518 fails to install in Windows 10?

3 weeks ago By DDD

Roblox: Dead Rails - How To Tame Wolves

1 months ago By DDD

Strength Levels for Every Enemy & Monster in R.E.P.O.

1 months ago By 尊渡假赌尊渡假赌尊渡假赌

Roblox: Grow A Garden - Complete Mutation Guide

2 weeks ago By DDD

Hot Tools

Notepad++7.3.1

Easy-to-use and free code editor

SublimeText3 Chinese version

Chinese version, very easy to use

Zend Studio 13.0.1

Powerful PHP integrated development environment

Dreamweaver CS6

Visual web development tools

SublimeText3 Mac version

God-level code editing software (SublimeText3)

Hot Topics

Java Tutorial

1662

CakePHP Tutorial

1419

Laravel Tutorial

1312

PHP Tutorial

1262

C# Tutorial

1235

Related knowledge

How do you parse and process HTML/XML in PHP? Feb 07, 2025 am 11:57 AM

This tutorial demonstrates how to efficiently process XML documents using PHP. XML (eXtensible Markup Language) is a versatile text-based markup language designed for both human readability and machine parsing. It's commonly used for data storage an

Explain JSON Web Tokens (JWT) and their use case in PHP APIs. Apr 05, 2025 am 12:04 AM

JWT is an open standard based on JSON, used to securely transmit information between parties, mainly for identity authentication and information exchange. 1. JWT consists of three parts: Header, Payload and Signature. 2. The working principle of JWT includes three steps: generating JWT, verifying JWT and parsing Payload. 3. When using JWT for authentication in PHP, JWT can be generated and verified, and user role and permission information can be included in advanced usage. 4. Common errors include signature verification failure, token expiration, and payload oversized. Debugging skills include using debugging tools and logging. 5. Performance optimization and best practices include using appropriate signature algorithms, setting validity periods reasonably,

Explain late static binding in PHP (static::). Apr 03, 2025 am 12:04 AM

Static binding (static::) implements late static binding (LSB) in PHP, allowing calling classes to be referenced in static contexts rather than defining classes. 1) The parsing process is performed at runtime, 2) Look up the call class in the inheritance relationship, 3) It may bring performance overhead.

PHP Program to Count Vowels in a String Feb 07, 2025 pm 12:12 PM

A string is a sequence of characters, including letters, numbers, and symbols. This tutorial will learn how to calculate the number of vowels in a given string in PHP using different methods. The vowels in English are a, e, i, o, u, and they can be uppercase or lowercase. What is a vowel? Vowels are alphabetic characters that represent a specific pronunciation. There are five vowels in English, including uppercase and lowercase: a, e, i, o, u Example 1 Input: String = "Tutorialspoint" Output: 6 explain The vowels in the string "Tutorialspoint" are u, o, i, a, o, i. There are 6 yuan in total

What are PHP magic methods (__construct, __destruct, __call, __get, __set, etc.) and provide use cases? Apr 03, 2025 am 12:03 AM

What are the magic methods of PHP? PHP's magic methods include: 1.\_\_construct, used to initialize objects; 2.\_\_destruct, used to clean up resources; 3.\_\_call, handle non-existent method calls; 4.\_\_get, implement dynamic attribute access; 5.\_\_set, implement dynamic attribute settings. These methods are automatically called in certain situations, improving code flexibility and efficiency.

PHP and Python: Comparing Two Popular Programming Languages Apr 14, 2025 am 12:13 AM

PHP and Python each have their own advantages, and choose according to project requirements. 1.PHP is suitable for web development, especially for rapid development and maintenance of websites. 2. Python is suitable for data science, machine learning and artificial intelligence, with concise syntax and suitable for beginners.

PHP in Action: Real-World Examples and Applications Apr 14, 2025 am 12:19 AM

PHP is widely used in e-commerce, content management systems and API development. 1) E-commerce: used for shopping cart function and payment processing. 2) Content management system: used for dynamic content generation and user management. 3) API development: used for RESTful API development and API security. Through performance optimization and best practices, the efficiency and maintainability of PHP applications are improved.

PHP: A Key Language for Web Development Apr 13, 2025 am 12:08 AM

PHP is a scripting language widely used on the server side, especially suitable for web development. 1.PHP can embed HTML, process HTTP requests and responses, and supports a variety of databases. 2.PHP is used to generate dynamic web content, process form data, access databases, etc., with strong community support and open source resources. 3. PHP is an interpreted language, and the execution process includes lexical analysis, grammatical analysis, compilation and execution. 4.PHP can be combined with MySQL for advanced applications such as user registration systems. 5. When debugging PHP, you can use functions such as error_reporting() and var_dump(). 6. Optimize PHP code to use caching mechanisms, optimize database queries and use built-in functions. 7

See all articles