javadth
پنج شنبه 22 تیر 1391, 13:55 عصر
امروز هم با 35 نکته اموزشی php امد
ولی نیاز به ترجمه داره و ضمنا خود این هم از یه زبان دیگه به english ترجمه شده
1- Do not save included files such as FileName.inc!
Use FileName.class.php or FileName.include.php or...
Or use an HTAccess file to determine the access levels:
<FilesMatch "\.(htaccess|inc)$">
Order Allow,Deny
Allow from localhost
Allow from 127.0.0.1
Deny from all
# Or
AddType application/x-httpd-php .inc .php .php3 .php4 .php5 .php6 .phphtml
AddHandler application/x-httpd-php .inc .php .php3 .php4 .php5 .php6 .phphtml
</FilesMatch>
Speed:
2- DONT open/close PHP tags for excessive.
Security & optimization:
3- Start your PHP classes with __construct function or ClassName function.
If you do not use class inheritance, Start classes and functions with the Final keyword.
final class MyClass
{
final public function MyClass()
{
# Codes...
}
final private function MyFunction()
{
# Codes...
}
}
Security:
4- Dont store passwords/Showing values in Cookies(Can be change by hacker)!
Security:
5- If you do not use object cloning, add a __clone function in your class(Thats safe):
class MyClass
{
public function __clone()
{
exit;
}
}
Security & speed & optimization:
6- Use $_REQUEST instead of $_GET & $_POST.(REQUEST covering post & get abilities/facilities)
Security & optimization:
7- DONT use SQLite for HEAVY(lol) softwares! Becuse:
No need for server processing! Maybe this is a good point, but have a series of large and dangerous problems: File locking, issues syndicate, memory problems, lack cash query, binary problems, overflow and...
Binary safe! For insert data as binary type, you must first Encode it. So, after a Select, you must Encode/Decode retrieved data(for x times!).
All tables gone locked in operations! So still/bad reading & writing!
Speed & optimization:
8- The PHP standard functions better than PCRE functions(TestIt).
(if you dont need expressions).
str_replace better than preg_replace.
stristr better than eregi.
socket functions better than curl functions.
stream functions better than curl & fopen functions.
and...
Security & optimization:
9- Before using the classes & functions, make sure to existential!
if(!extension_loaded('mysql')): exit('Extension MySQL not loaded.');
endif;
...
if(function_exists('mysql_real_escape_string')): mysql_real_escape_string(...);
else: mysql_escape_string(...);
endif;
...
if(function_exists('settype')): settype($Str_Input, 'string');
else: (string)$Str_Input;
endif;
Security & optimization:
10- alphabet coding static!
Between(correct):
<input name="InpTxt_Username" type="text" value="" maxlength="15" size="15" id="InpTxt_Username">
And(wrong):
<input type="text" name="InpTxt_Username" id="InpTxt_Username">
Very different, and instead abuse is.
Even between parameters CSS(wrong):
overflow: hidden; width: 250px; height: auto;
And(right):
width: 250px; height: auto; overflow: hidden;
Very different, and instead abuse is.
Also between(correct):
$_REQUEST['FormName'], $_REQUEST['SubmitButtonName']...
And(wrong):
[CODE]$_GET['FormName'], $_GET['SubmitButtonName']...
Very different and abuse is in place.
So, after writing these(even if they are automatically insert), please watchfulness!
Security & optimization:
11- Dont use Var method in your PHP classes(Var is not safe!). Var == public(in PHP 5)! use protected/public/private methods instead of var.
Speed & optimization:
12- Use self:: and parent:: instead of ClassName::.
Security:
13- Common vulnerability!
/index.php?Module=News&Action=Show&Identity=1&Valid=True...
Can be:
/index.php?Module=../!!!!!&Action=Show&Identity=-1'!!!!!&Valid=True...
So careful! Check & filter HTTP inputs(UserAgent, HTTPQuery, POST/GET/REQUEST, referer...)!
Security:
14- Set permission of all files to readonly(Also index.html or index.php in empty folders!).
Security & optimization:
15- Dont use short tags like <? and ?> in your codes(short_open_tag). Becuse ttis option is Off! in most servers.
Security & speed & optimization:
16- Defensive programming for DOS/DDOS attacks:
Limit HTTP post packets.
Limit body requests.
Limit file upload size.
Use HTTP/Output compression.
Optimize Client-side codes/files.
Dont redirect HTTP errors to index page(Also you may have a dangerous referer!).
Use standard image formats(JPE, JPG, JPEG...).
Handle repetitions & duplications(Forms, URL, Postback...).
and...
Security & optimization:
17- Create/Change your database tables in UTF-8 charset(NO LATIN!).
charset= 'utf8' collate= 'utf8_general_ci
Software size & optimization:
18- Dont put bad comments or excessive comments like ####################################... or /////////////////////////////////...(This is web programming not desktop programming)!
Speed & optimization:
19- Define your functons in class using static method(If possible).
Speed & optimization:
20- Dont use print statement in web applications!
Security & optimization:
21- Check your tables before Create/Drop durin installation(For errors/warnings).
drop table if exists `xxxxx`;
create table if not exists `xxxxx`;
Security:
22- Set a password for database(Dont leave it default).
Security & speed & optimization:
23- Options proposed for PHP.ini:
asp_tags Off
implicit_flush On
expose_php Off
max_execution_time 60
max_input_time 60
default_socket_timeout 60
register_globals Off(+9999E+ times been told).
session.auto_start 0
DATABASE.allow_persistent Off
DATABASE.max_persistent 1
set DATABASE.default_user
set DATABASE.default_password
Session.hash_function 1(SHA1)
mbstring.func_overload to 0(http://bugs.php.net/bug.php?id=30766).
Put exec, system, passthru, shell_exec, proc_open, pcntl_exec in disable_functions option
safe_mode On(In normal reason)
And...
Software size & optimization:
24- Clear all index.php & index.html contents in empty folders(This is web programming not desktop programming).
Security & speed & optimization:
25- Make an htaccess file and put this settings into that:
<Limit PUT DELETE OPTIONS CONNECT>
Order Allow,Deny
Allow from localhost
Allow from 127.0.0.1
Deny from all
</Limit>
<Limit POST GET HEAD>
Order Allow,Deny
Allow from all
Deny From "255.255.255.255"
Deny From "0.0.0.0"
Deny From "1.1.1.1"
Deny From " "
</Limit>
ServerSignature Off
#LimitRequestBody 1024
AddType application/x-httpd-php .php .php3 .php4 .php5 .php6 .phphtml
AddHandler application/x-httpd-php .php .php3 .php4 .php5 .php6 .phphtml
DirectoryIndex index.html index.php index.php3 index.php4 index.php5 index.php6 index.phphtml
Options All -Indexes -ExecCGI -MultiViews
<FilesMatch "\.(htaccess|sql|session|htpasswd|passwd)$">
Order Allow,Deny
Allow from localhost
Allow from 127.0.0.1
Deny from all
</FilesMatch>
# Hmmm?!...
<Files "robots.txt">
Order Allow,Deny
Allow from localhost
Allow from 127.0.0.1
Deny from all
</Files>
#AcceptPathInfo On
<IfModule security_module>
SecFilterEngine DynamicOnly
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckCookieFormat On
SecFilterCheckUnicodeEncoding Off
SecFilterForceByteRange 1 255
SecServerSignature ""
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "concat"
SecFilter "union"
SecFilter "select.+from"
SecFilter "select+*+from"
</IfModule>
Security & speed & optimization:
26- If you have a multi language application, dont put all language arrays/variables into a one file!
You can do this: global.php, index.php, login.php, menu.php and...
Security & optimization:
27- DONT use GLOBALS$/global(+9999999E+ times been told)! This is scope. Unset not supported. Not safe. not seucre. not *****!
Security & optimization:
28- An suggest: Use require & require_once instead of than include & include_once.
Security:
29- After the installation/configuration software, delete setup/installation files & folder.
Speed:
30- Use switch command instead of multi-conditional(if, elseif...).
Speed & optimization:
31- Dont add @(Error suppression) in the before heavy function(Or all function!).
Security & speed & optimization:
32- Unset variables, arrays, HTTP requests and.. after usage. Plz!
unset($variable, $array...);
# ...
unset($_SERVER['QUERY_STRING'], $_SERVER['REQUEST_URI'], ...)
# ...
$obj_myclass= new myclass();
# uages & codes...
$obj_myclass= null;
Speed & optimization:
33- Put your short PHP codes into a html file. Not PHP file.
Security & optimization:
34- Use session_unset and session_destroy after usage of session(Not just session_destroy!).
35- Finaly, check size, resolution and... uploaded images!
Otherwise your file can be:
<?php
@system($_REQUEST['Command']);
?>
or
<?php
worm, cookiestealer...
?>
or
...
ولی نیاز به ترجمه داره و ضمنا خود این هم از یه زبان دیگه به english ترجمه شده
1- Do not save included files such as FileName.inc!
Use FileName.class.php or FileName.include.php or...
Or use an HTAccess file to determine the access levels:
<FilesMatch "\.(htaccess|inc)$">
Order Allow,Deny
Allow from localhost
Allow from 127.0.0.1
Deny from all
# Or
AddType application/x-httpd-php .inc .php .php3 .php4 .php5 .php6 .phphtml
AddHandler application/x-httpd-php .inc .php .php3 .php4 .php5 .php6 .phphtml
</FilesMatch>
Speed:
2- DONT open/close PHP tags for excessive.
Security & optimization:
3- Start your PHP classes with __construct function or ClassName function.
If you do not use class inheritance, Start classes and functions with the Final keyword.
final class MyClass
{
final public function MyClass()
{
# Codes...
}
final private function MyFunction()
{
# Codes...
}
}
Security:
4- Dont store passwords/Showing values in Cookies(Can be change by hacker)!
Security:
5- If you do not use object cloning, add a __clone function in your class(Thats safe):
class MyClass
{
public function __clone()
{
exit;
}
}
Security & speed & optimization:
6- Use $_REQUEST instead of $_GET & $_POST.(REQUEST covering post & get abilities/facilities)
Security & optimization:
7- DONT use SQLite for HEAVY(lol) softwares! Becuse:
No need for server processing! Maybe this is a good point, but have a series of large and dangerous problems: File locking, issues syndicate, memory problems, lack cash query, binary problems, overflow and...
Binary safe! For insert data as binary type, you must first Encode it. So, after a Select, you must Encode/Decode retrieved data(for x times!).
All tables gone locked in operations! So still/bad reading & writing!
Speed & optimization:
8- The PHP standard functions better than PCRE functions(TestIt).
(if you dont need expressions).
str_replace better than preg_replace.
stristr better than eregi.
socket functions better than curl functions.
stream functions better than curl & fopen functions.
and...
Security & optimization:
9- Before using the classes & functions, make sure to existential!
if(!extension_loaded('mysql')): exit('Extension MySQL not loaded.');
endif;
...
if(function_exists('mysql_real_escape_string')): mysql_real_escape_string(...);
else: mysql_escape_string(...);
endif;
...
if(function_exists('settype')): settype($Str_Input, 'string');
else: (string)$Str_Input;
endif;
Security & optimization:
10- alphabet coding static!
Between(correct):
<input name="InpTxt_Username" type="text" value="" maxlength="15" size="15" id="InpTxt_Username">
And(wrong):
<input type="text" name="InpTxt_Username" id="InpTxt_Username">
Very different, and instead abuse is.
Even between parameters CSS(wrong):
overflow: hidden; width: 250px; height: auto;
And(right):
width: 250px; height: auto; overflow: hidden;
Very different, and instead abuse is.
Also between(correct):
$_REQUEST['FormName'], $_REQUEST['SubmitButtonName']...
And(wrong):
[CODE]$_GET['FormName'], $_GET['SubmitButtonName']...
Very different and abuse is in place.
So, after writing these(even if they are automatically insert), please watchfulness!
Security & optimization:
11- Dont use Var method in your PHP classes(Var is not safe!). Var == public(in PHP 5)! use protected/public/private methods instead of var.
Speed & optimization:
12- Use self:: and parent:: instead of ClassName::.
Security:
13- Common vulnerability!
/index.php?Module=News&Action=Show&Identity=1&Valid=True...
Can be:
/index.php?Module=../!!!!!&Action=Show&Identity=-1'!!!!!&Valid=True...
So careful! Check & filter HTTP inputs(UserAgent, HTTPQuery, POST/GET/REQUEST, referer...)!
Security:
14- Set permission of all files to readonly(Also index.html or index.php in empty folders!).
Security & optimization:
15- Dont use short tags like <? and ?> in your codes(short_open_tag). Becuse ttis option is Off! in most servers.
Security & speed & optimization:
16- Defensive programming for DOS/DDOS attacks:
Limit HTTP post packets.
Limit body requests.
Limit file upload size.
Use HTTP/Output compression.
Optimize Client-side codes/files.
Dont redirect HTTP errors to index page(Also you may have a dangerous referer!).
Use standard image formats(JPE, JPG, JPEG...).
Handle repetitions & duplications(Forms, URL, Postback...).
and...
Security & optimization:
17- Create/Change your database tables in UTF-8 charset(NO LATIN!).
charset= 'utf8' collate= 'utf8_general_ci
Software size & optimization:
18- Dont put bad comments or excessive comments like ####################################... or /////////////////////////////////...(This is web programming not desktop programming)!
Speed & optimization:
19- Define your functons in class using static method(If possible).
Speed & optimization:
20- Dont use print statement in web applications!
Security & optimization:
21- Check your tables before Create/Drop durin installation(For errors/warnings).
drop table if exists `xxxxx`;
create table if not exists `xxxxx`;
Security:
22- Set a password for database(Dont leave it default).
Security & speed & optimization:
23- Options proposed for PHP.ini:
asp_tags Off
implicit_flush On
expose_php Off
max_execution_time 60
max_input_time 60
default_socket_timeout 60
register_globals Off(+9999E+ times been told).
session.auto_start 0
DATABASE.allow_persistent Off
DATABASE.max_persistent 1
set DATABASE.default_user
set DATABASE.default_password
Session.hash_function 1(SHA1)
mbstring.func_overload to 0(http://bugs.php.net/bug.php?id=30766).
Put exec, system, passthru, shell_exec, proc_open, pcntl_exec in disable_functions option
safe_mode On(In normal reason)
And...
Software size & optimization:
24- Clear all index.php & index.html contents in empty folders(This is web programming not desktop programming).
Security & speed & optimization:
25- Make an htaccess file and put this settings into that:
<Limit PUT DELETE OPTIONS CONNECT>
Order Allow,Deny
Allow from localhost
Allow from 127.0.0.1
Deny from all
</Limit>
<Limit POST GET HEAD>
Order Allow,Deny
Allow from all
Deny From "255.255.255.255"
Deny From "0.0.0.0"
Deny From "1.1.1.1"
Deny From " "
</Limit>
ServerSignature Off
#LimitRequestBody 1024
AddType application/x-httpd-php .php .php3 .php4 .php5 .php6 .phphtml
AddHandler application/x-httpd-php .php .php3 .php4 .php5 .php6 .phphtml
DirectoryIndex index.html index.php index.php3 index.php4 index.php5 index.php6 index.phphtml
Options All -Indexes -ExecCGI -MultiViews
<FilesMatch "\.(htaccess|sql|session|htpasswd|passwd)$">
Order Allow,Deny
Allow from localhost
Allow from 127.0.0.1
Deny from all
</FilesMatch>
# Hmmm?!...
<Files "robots.txt">
Order Allow,Deny
Allow from localhost
Allow from 127.0.0.1
Deny from all
</Files>
#AcceptPathInfo On
<IfModule security_module>
SecFilterEngine DynamicOnly
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckCookieFormat On
SecFilterCheckUnicodeEncoding Off
SecFilterForceByteRange 1 255
SecServerSignature ""
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "concat"
SecFilter "union"
SecFilter "select.+from"
SecFilter "select+*+from"
</IfModule>
Security & speed & optimization:
26- If you have a multi language application, dont put all language arrays/variables into a one file!
You can do this: global.php, index.php, login.php, menu.php and...
Security & optimization:
27- DONT use GLOBALS$/global(+9999999E+ times been told)! This is scope. Unset not supported. Not safe. not seucre. not *****!
Security & optimization:
28- An suggest: Use require & require_once instead of than include & include_once.
Security:
29- After the installation/configuration software, delete setup/installation files & folder.
Speed:
30- Use switch command instead of multi-conditional(if, elseif...).
Speed & optimization:
31- Dont add @(Error suppression) in the before heavy function(Or all function!).
Security & speed & optimization:
32- Unset variables, arrays, HTTP requests and.. after usage. Plz!
unset($variable, $array...);
# ...
unset($_SERVER['QUERY_STRING'], $_SERVER['REQUEST_URI'], ...)
# ...
$obj_myclass= new myclass();
# uages & codes...
$obj_myclass= null;
Speed & optimization:
33- Put your short PHP codes into a html file. Not PHP file.
Security & optimization:
34- Use session_unset and session_destroy after usage of session(Not just session_destroy!).
35- Finaly, check size, resolution and... uploaded images!
Otherwise your file can be:
<?php
@system($_REQUEST['Command']);
?>
or
<?php
worm, cookiestealer...
?>
or
...