Some common security issues PHP mall developers need to pay attention to

Compared with Java, C++, C#, Python and other languages, PHP has a greater advantage for mall (e-commerce) projects: high development efficiency, many frameworks to choose from, and a choice of open-source products, all of which can greatly reduce development costs and speed up product iteration. For example, the malls DSMall, DSHOP, DSKMS and so on are developed on the open-source framework Thinkphp; building on such products can greatly speed up development and get the project online quickly, while the Thinkphp framework itself can be upgraded directly.

Under normal circumstances, during our own development we need to pay attention to PHP security knowledge; the following covers the most common security problems.

1. SQL injection
SQL injection is one of the biggest threats to ordinary websites: if the database is vulnerable to SQL injection attacks, an attacker can obtain your entire database.
There are currently two mainstream solutions: escape the data the user submits, or use prepared (parameterized) statements. Typically a wrapper function is used to filter the data submitted by the user.
2. XSS
XSS, also known as CSS (Cross Site Script), is a cross-site scripting attack. It means that an attacker inserts malicious HTML code into a web page; when a user browses that page, the HTML code embedded in it is executed, achieving the malicious user's particular purpose.
The correct approach is to never trust any input from the user and to filter out all special characters in the input. This will eliminate most XSS attacks.

3. XSRF / CSRF
CSRF is an attack in which the attacker uses some technical means to trick a user into visiting a site on which the user is already authenticated and performing some operations there.
The most common defense is to generate a cryptographically secure random string, the CSRF token (generally just called Token). Each time a page builds a form, the Token is placed in a hidden field of the form; on submission the token is compared with the Token in the Session, and verification succeeds only if they match.
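The token round trip described above, as an added example in plain PHP that is not code from the original post or from any of the Thinkphp malls it names (function names and the `_token` field name are my own choice):

```php
<?php
// Added example (not from the original post): a minimal CSRF token round trip
// in plain PHP. Function names and the form field name are assumptions.

const CSRF_SESSION_KEY = '_csrf_token';

// Generate a token once per session using a CSPRNG; reuse it on later forms.
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

// Render the hidden field that every form must carry. The value is
// HTML-escaped so the token itself can never become an XSS vector.
function csrf_field(): string
{
    return '<input type="hidden" name="_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '">';
}

// Verify the submitted token against the session copy. hash_equals() is a
// constant-time comparison, so the check does not leak partial matches.
function csrf_verify(?string $submitted): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $expected = $_SESSION[CSRF_SESSION_KEY] ?? null;
    if ($expected === null || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// Usage in a POST handler: reject the request before touching any business logic.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_verify($_POST['_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... process the order / form data here ...
}
```

Emit `csrf_field()` inside every state-changing form; a GET page that only reads data does not need the check.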

If you do secondary development on the open-source mall systems built on these TP (Thinkphp) framework versions, the points you need to pay attention to are the following.

1. Set the external public directory as the only accessible directory, and do not put resource files into the application directory;
2. Enable form token validation to avoid duplicate data submission; it also plays a defensive role against CSRF;
3. Use the request variable acquisition methods provided by the framework (the Request class param method and the input helper function) instead of the native system variables to get user input data;
4. Set the default_filter filtering rule according to the needs of different applications (by default there is no filtering rule); common security filter functions include stripslashes, htmlentities, htmlspecialchars, strip_tags and the like, so select the most appropriate filtering method according to the business scenario;
5. Use the validation class or set the necessary data validation rules for business data;

Origin blog.51cto.com/13938514/2405124