
Useful functions for securing PHP applications

2014-11-11 19:49
Security is a very important aspect of programming, and every real programming language ships functions or modules that provide security functionality. Modern websites take input from users all around the world, and there is a famous saying: never trust user input. Web programming languages therefore offer functions for making user-supplied data safe to use. Today we will cover some of these functions in the most famous open source web language, PHP.

PHP has a few handy functions for protecting your website from attacks such as SQL injection and cross-site scripting (XSS). Let's look at some of them. Note that this is not a complete list; it is the set of functions I have found useful in my own projects.

1) mysql_real_escape_string() – This was the traditional defence against SQL injection in PHP. It puts a backslash in front of the characters that are special inside a MySQL string literal (single quote, double quote, backslash, NUL, newline, carriage return and Ctrl-Z) so that user input can be placed inside a quoted string in a query. It needs an open database connection, because the escaping depends on the connection's character set; if no connection is available it returns false, which becomes an empty string when concatenated into the query.

Do not use it in new code. The mysql_* extension was deprecated in PHP 5.5 and removed in PHP 7. Its replacement, mysqli_real_escape_string(), still only protects quoted string literals; it does nothing for a numeric context (WHERE id = $id) or for table and column names. New applications should use PDO or mysqli with prepared statements, which send the query text and the data separately so the data can never change the structure of the query.

2) addslashes() – Adds a backslash before single quotes, double quotes, backslashes and NUL bytes. It looks like mysql_real_escape_string() but is not a safe substitute for it: it knows nothing about the connection character set, so with some multibyte encodings (the classic case is GBK) an attacker can send a lead byte that combines with the inserted backslash into one valid two-byte character, leaving the quote unescaped. Also be careful not to combine it with magic_quotes_gpc: when that php.ini setting is on, single quotes (') and double quotes (") in GET, POST and COOKIE values already arrive escaped with a backslash, and calling addslashes() again double-escapes them. You can check the setting with get_magic_quotes_gpc(). Magic quotes were deprecated in PHP 5.3 and removed in PHP 5.4, and get_magic_quotes_gpc() itself was removed in PHP 8.0, so on a current PHP version input arrives exactly as sent.
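The following is an added example, not code from the original post, covering items 1 and 2 together. It places the escaping approach next to a prepared statement and shows the case escaping does not cover. The host, database, table, column names and credentials are assumed.

```php
<?php
// Added example, not code from the original post. Host, database, table and
// credentials are assumed.

// --- Legacy approach: escape, then concatenate ---------------------------
// mysql_real_escape_string() is gone since PHP 7; the mysqli equivalent
// behaves the same and also needs an open connection, because the escaping
// depends on the connection character set.
$mysqli = new mysqli('127.0.0.1', 'app_user', 'app_password', 'app');
// Use set_charset(), not a bare "SET NAMES" query: the latter leaves the
// client library escaping with the wrong charset, which is what makes the
// multibyte bypass possible.
$mysqli->set_charset('utf8mb4');

function legacy_user_query(mysqli $db, string $name, string $id): string
{
    // Quoted string context: escaping is effective here. The input
    // ' OR '1'='1 becomes \' OR \'1\'=\'1 inside the literal.
    $sql = "SELECT id, name FROM users WHERE name = '"
         . mysqli_real_escape_string($db, $name) . "'";

    // Numeric context: escaping is useless here. "1 OR 1=1" contains no
    // quote or backslash, so the escaped value is identical and the
    // OR 1=1 lands in the query unchanged.
    $sql .= " AND id = " . mysqli_real_escape_string($db, $id);
    return $sql;
}

// --- Prepared statement: query text and data are sent separately ---------
$pdo = new PDO(
    'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4',
    'app_user',
    'app_password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Let the server bind the parameters instead of PDO quoting values
        // client-side and splicing them into the query text.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

function find_user(PDO $db, string $name, string $id): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name AND id = :id');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    // Bind the id as an integer so the numeric context is covered as well.
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$user = find_user($pdo, $_GET['name'] ?? '', $_GET['id'] ?? '0');
```

The line to look at in legacy_user_query() is the numeric one: escaping is a property of string literals, and a value that is not inside quotes gains nothing from it. The prepared statement needs no per-context reasoning, which is why it is the recommended replacement rather than a newer escaping function.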

3) htmlentities() – Converts every character that has a named HTML entity into that entity: "<" becomes &lt;, ">" becomes &gt;, "&" becomes &amp;, and so on. Use it when untrusted data is written into an HTML page: the browser then shows the characters as text instead of parsing them as markup, which is the defence against XSS. It is the wrong tool for SQL injection, however. HTML entities mean nothing to the database, so it corrupts the stored data (every apostrophe in a name becomes &#039;) and still leaves numeric contexts open; the defence there is a prepared statement. Pass ENT_QUOTES so single quotes are encoded too, and state the charset explicitly.

4) htmlspecialchars() – Certain characters have special significance in HTML and must be represented by HTML entities to keep their literal meaning. This function converts exactly those and returns the converted string: "&" (ampersand) becomes &amp;, "<" becomes &lt;, ">" becomes &gt;, '"' becomes &quot;, and with the ENT_QUOTES flag the single quote becomes &#039;. Before PHP 8.1 the default flags did not encode the single quote, so always pass ENT_QUOTES. For a UTF-8 page this is the usual choice over htmlentities(), which additionally encodes every character with a named entity, which is unnecessary when the page's charset can display them. Both functions only protect HTML text and quoted-attribute contexts; data placed inside JavaScript, a URL or CSS needs the encoder for that context.
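As an added example for items 3 and 4 (not code from the original post), the following contrasts raw output with encoded output, shows the flags to pass, and shows why a JavaScript context needs a different encoder. The $comment payload and the e() helper are invented for illustration.

```php
<?php
// Added example, not code from the original post. The $comment payload and
// the e() helper are invented for illustration.

$comment = '<script>alert(1)</script>" onmouseover="alert(2)';

// Vulnerable: untrusted text dropped straight into markup becomes markup.
function render_unsafe(string $comment): string
{
    return "<div title=\"$comment\">$comment</div>";
}

// One encoder for HTML text and quoted-attribute contexts.
// ENT_QUOTES    : also encode the single quote (not the default before 8.1)
// ENT_SUBSTITUTE: replace invalid UTF-8 instead of returning "" for the whole
//                 string, which would silently blank the output
// 'UTF-8'       : never rely on the default charset
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Safe for these two contexts. The attribute must be quoted: with
// title=$comment and no quotes, a space would end the value and encoding
// alone would not help.
function render_safe(string $comment): string
{
    return '<div title="' . e($comment) . '">' . e($comment) . '</div>';
}

// Different context, different encoder: inside a <script> block the HTML
// encoder is the wrong tool. json_encode() with the HEX flags produces a
// JavaScript string literal that cannot close the tag or the string.
// $name must be a trusted identifier chosen by the developer, never input.
function render_js_var(string $name, string $value): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return '<script>var ' . $name . ' = ' . json_encode($value, $flags) . ';</script>';
}

// htmlentities() additionally encodes every character that has a named
// entity (for example é); a UTF-8 page does not need that, the five
// special characters are what matter for XSS.
function compare_encoders(string $s): array
{
    return [
        'htmlspecialchars' => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
        'htmlentities'     => htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
    ];
}

echo render_unsafe($comment), PHP_EOL;
echo render_safe($comment), PHP_EOL;
echo render_js_var('userComment', $comment), PHP_EOL;
print_r(compare_encoders('é < "'));
```

Run it and compare the first two lines: in the unsafe version the payload closes the title attribute and adds an event handler; in the safe version every quote and angle bracket has become an entity and the browser shows the payload as text.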

5) strip_tags() – Removes HTML and PHP tags from a string, including <script> tags, although the text between the tags (the script body included) is kept. The second parameter is an allowlist of tags that the user is permitted to use. Be aware that allowed tags keep all of their attributes, so putting <a> in the allowlist lets an onclick handler or a javascript: href straight through. strip_tags() is a plain-text extractor, not an HTML sanitizer.
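An added example (not code from the original post) showing what strip_tags() removes and what it leaves behind, and the one use it is good for. The $input markup and the plain_text_preview() helper are constructed for illustration.

```php
<?php
// Added example, not code from the original post. $input is constructed.

$input = '<p>Hello <b onmouseover="alert(1)">world</b>'
       . '<script>alert(2)</script><a href="javascript:alert(3)">link</a></p>';

// Default: every tag goes, but the text between tags stays, so the script
// body alert(2) survives as plain text.
$plain = strip_tags($input);

// Allowlisting tags keeps those tags with ALL their attributes, so the
// onmouseover handler and the javascript: URL are still in the output.
$partial = strip_tags($input, '<b><a>');

// Since PHP 7.4 the allowlist can also be given as an array of tag names.
$partial2 = strip_tags($input, ['b', 'a']);

// Reasonable use: reduce stored HTML to plain text (search snippets,
// notification previews) and then encode it for the context it is shown in.
// When tags must be kept, use a real HTML sanitizer instead.
function plain_text_preview(string $html, int $limit = 80): string
{
    $text = strip_tags($html);
    // Decode entities that were in the source so they are not double-encoded
    // by the htmlspecialchars() call below.
    $text = html_entity_decode($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $text = preg_replace('/\s+/u', ' ', trim($text));
    if (mb_strlen($text, 'UTF-8') > $limit) {
        $text = mb_substr($text, 0, $limit, 'UTF-8') . '...';
    }
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

echo $plain, PHP_EOL;
echo $partial, PHP_EOL;
echo $partial2, PHP_EOL;
echo plain_text_preview($input, 20), PHP_EOL;
```

Look at $partial: both payloads that matter for XSS, the event handler attribute and the javascript: URL, are untouched, because the function decides per tag name and never inspects attributes.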

6) md5() – Some developers store passwords in plain text in the database, which is bad from a security point of view. md5() produces a 128-bit digest of the supplied string, returned as 32 hexadecimal characters. The digest cannot be run backwards to recover the input, but that alone is not protection: the function is fast and unsalted, so identical passwords produce identical hashes, and large lookup (rainbow) tables and online databases exist that map common MD5 hashes straight back to their plaintext.

md5() is therefore not considered safe for passwords. Use password_hash() and password_verify() instead (available since PHP 5.5); they apply a per-user random salt and a deliberately slow algorithm (bcrypt by default).

7) sha1() – Similar to md5() but a different algorithm with a 160-bit digest, returned as 40 hexadecimal characters compared with 32 for md5(). One more note: don't forget the salt, otherwise your life will be salty. An unsalted SHA-1 of a password is just as easy to look up as an unsalted MD5. A salt defeats precomputed tables, but SHA-1 remains a fast hash, so a salted SHA-1 password is still brute-forced at billions of guesses per second on a GPU. For passwords use password_hash(); keep sha1() and md5() for non-security checksums.
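An added example for items 6 and 7 (not code from the original post) that puts the md5()/sha1() approaches next to the password_hash() API, including the rehash-on-login step a practitioner wants. The password, salt handling and the cost value are constructed for illustration.

```php
<?php
// Added example, not code from the original post. Values are constructed.

$password = 'correct horse battery staple';

// Unsalted md5/sha1: identical passwords give identical hashes, so a lookup
// table built once cracks every user who chose a common password.
$h1 = md5($password);    // 32 hex characters, 128-bit digest
$h2 = sha1($password);   // 40 hex characters, 160-bit digest

// A random salt defeats precomputed tables but not brute force: sha1 is
// designed to be fast, and GPUs compute billions of guesses per second.
$salt = bin2hex(random_bytes(16));
$h3 = sha1($salt . $password);

// password_hash(): random per-user salt, deliberately slow algorithm, and a
// self-describing output that stores algorithm, cost and salt with the hash,
// so nothing else needs to be kept in the users table.
// Cost 12 is an assumed choice; tune it so a hash takes well under a second
// on the production hardware.
function store_password(string $plain): string
{
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => 12]);
}

// Constant-time comparison against the stored string; the salt and cost are
// read back out of it.
function check_password(string $plain, string $stored): bool
{
    return password_verify($plain, $stored);
}

// On a successful login, upgrade hashes that were made with weaker
// parameters; the plaintext is only available at that moment.
function maybe_rehash(string $plain, string $stored): ?string
{
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => 12])) {
        return store_password($plain);
    }
    return null;
}

$stored = store_password($password);
var_dump(check_password($password, $stored));
var_dump(check_password('wrong password', $stored));
var_dump(maybe_rehash($password, $stored));
```

Two bcrypt caveats worth knowing: the input is truncated at 72 bytes, and each call to store_password() yields a different string for the same password because the salt is fresh, so never compare stored hashes with == or look them up by value; always go through password_verify().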

8) intval() – Please don't laugh. I know this is not a security function; it returns the integer value of a variable. But you can use it to secure your PHP code. It is most often used when a value has to be an integer, such as ids, ages or page numbers: casting it with intval() drops everything that is not part of the number, so a string like "1 OR 1=1" becomes 1 and cannot carry SQL into a numeric context. It does not validate, though: "abc" quietly becomes 0, so use filter_var() with FILTER_VALIDATE_INT when invalid input should be rejected rather than coerced.
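An added example (not code from the original post) showing intval() for forcing an integer context, the stricter filter_var() check, the LIMIT/OFFSET case where an integer bind is required, and the identifier case where intval() cannot help. The table, column names and request keys are assumed.

```php
<?php
// Added example, not code from the original post. Table, columns and
// request keys are assumed.

// Plain cast: anything non-numeric becomes 0 and "12abc" becomes 12, so the
// value can no longer carry SQL, but invalid input is silently accepted.
function user_id_from_request(array $query): int
{
    return intval($query['id'] ?? 0);
}

// Stricter: FILTER_VALIDATE_INT rejects "12abc" and "1e3" (which intval()
// would accept), can enforce a range, and returns false on failure so the
// caller can answer with an error instead of guessing.
function validated_user_id(array $query): ?int
{
    $id = filter_var($query['id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Typical use: LIMIT and OFFSET must be integers, not quoted strings. With
// emulated prepares PDO would quote a string parameter and MySQL would
// reject the query, so cast to int and bind with PDO::PARAM_INT.
function list_users(PDO $db, $page, $perPage = 20): array
{
    $perPage = max(1, min(100, intval($perPage)));
    $offset  = max(0, intval($page) - 1) * $perPage;

    $stmt = $db->prepare('SELECT id, name FROM users ORDER BY id LIMIT :lim OFFSET :off');
    $stmt->bindValue(':lim', $perPage, PDO::PARAM_INT);
    $stmt->bindValue(':off', $offset, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// intval() does nothing for identifiers such as a user-chosen sort column;
// those cannot be bound as parameters either, so they need an allowlist.
function order_column(string $requested): string
{
    $allowed = ['id', 'name', 'created_at'];   // assumed column names
    return in_array($requested, $allowed, true) ? $requested : 'id';
}

$pdo = new PDO('mysql:host=127.0.0.1;dbname=app;charset=utf8mb4',
               'app_user', 'app_password',
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

$id = validated_user_id($_GET);
if ($id === null) {
    http_response_code(400);
    exit('invalid id');
}
$rows = list_users($pdo, $_GET['page'] ?? 1, $_GET['per_page'] ?? 20);
```

The pattern is the same in every case: decide what type the value must be, force or validate that type as early as possible, and then the database layer only ever sees an integer or an allowlisted name.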

I am still learning; if anything here is wrong, please help by pointing it out.