PHP security question?

I just wanted to know what are some basic PHP security techniques I should use when creating a web page that ac开发者_如何转开发cepts articles?

I'm fairly new to PHP and was wondering what will hold the fort down until I'm a security expert?

There are two fronts to consider when accepting user-generated text that will later be displayed.

First off, you need to protect your database from injection attacks. There's a simple PHP function for this: mysql_real_escape_string() will usually suffice to protect your database from injection when passing this string in to store as a field value.

From there, you have to be careful about your display, as a user who is allowed to upload HTML code can do nasty things to other users when that code gets displayed. If you're doing plaintext articles, you can simply htmlspecialchars() the resulting text. (you'll also probably want to convert newlines to
tags.) If you're using a formatting solution, such as the Markdown engine used on this site, those solutions will usually provide HTML sanitization as a function of the engine, but be sure to read the documentation and make sure.

Oh, make sure you're also verifying your GET/POST variables used to submit the articles. That goes without saying, and the verification performed is going to need to be tailored to what your site is doing with its logic.

This is to broad, maybe you should try to narrow it a bit.

What kind of security? For passwords? Do you want to restrict some stuff? SQL Injection? HTML Injection? Cross domain security?

Well, as mentioned in the other answers, there are a number of different fronts in which your PHP scripts can be compromised.

Here are just a couple:

• SQL Injection
• Cross site scripting

There are a number of ways to deal with each. Here are some things to look at:

• Suhosin
• eval()

There is a lot to know, and you should start as soon as you can.

For one, if you accept articles (and probably use a WYSIWYG and are accepting HTML), use something to parse the content and strip out things that could leave you vulnerable to XSS and the like.

An example is HTML Purifier.

It might be wise to start by using a framework like Drupal or CakePHP. That way you can both learn from the way they've implemented security and take advantage of the fact that it's already been done. The learning curve is steep enough without having to roll your own authentication mechanisms etc.

maybe two tips could help you get more secure websites

• create two users in your database, read only account to make only selects and counts, and write account when you have to do updates, inserts or deletes.

• when you have to insert into database or delete, sanitize inputs, use mysql prepared statements or assert values that arrive via post or get this way :

  if(!empty($_GET["integer_like_id_value"]){
      $integer_id_value = (int)$_GET["integer_like_id_value"];
  }else{
      // that stuff seems not to be legit, die application, log error ? whatever
      die();
  }
  

Top 7 PHP Security Blunders

When your project is ready for public usage, it is generally a good idea to set error_reporting(0);

It won't provide more security, but it makes it lot harder (usually) for bad guys to find possible security problems with your site.