PHP security guide (github)
This document lists possible security threats to a web application, with an explanation and preventive measures for each. Following are free software tools that scan the system and list potential threats according to the coding standard and the server configuration.

General preventive measures

- Disable certain usernames from being used, such as 'test', 'test123', 'admin', and 'root'.
- Use automated test code (e.g. PHP QuickCheck).
- Be mindful when creating the project structure. Make sure the upload directory is outside the webroot so that it cannot be reached directly from the web.
- Use a package or library available on packagist.org instead of writing a new one.
- Maintain a user login table (login date, time, IP).
- Run the manual test at regular intervals and after any significant update.
- Disable unused PHP modules (eg.

Uploaded files

- Put a .htaccess with the following content in the upload directory to prevent execution of PHP files; the file will be downloaded instead. If the directory is outside the webroot, as recommended above, this rule is a second layer rather than the only one.
- Always set the permissions of uploaded files to the minimum, and never executable (0644).
- Scramble uploaded file names and extensions, so that a user cannot choose a name the server might execute or one that overwrites another upload.

PHP Backdoors

Hidden PHP scripts such as c99, c99madshell, and r57, which bypass all authentication and give access to the server on demand, are called PHP backdoor scripts. Once planted they give the attacker almost every capability: download, upload, and control of the server, the database, and the mail server. To prevent this, follow all the preventive measures above and search your server for such scripts from time to time:

    grep -iR 'c99' /var/www/html/
    grep -iR 'r57' /var/www/html/
    find /var/www/html/ -name \*.php -type f -print0 | xargs -0 grep c99
    grep -RPn "(passthru|shell_exec|system|base64_decode|fopen|fclose|eval)" /var/www/html/

The last command needs GNU grep for -P, and its function list also matches legitimate code (every framework calls fopen), so treat the output as a list of files to review rather than a verdict; an obfuscated shell that assembles function names at runtime will not match any of these patterns.

Resources

Follow the OWASP secure coding practices and their checklist for testing for any vulnerabilities (https://www.owasp.org).
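The "Uploaded files" items (a .htaccess that makes the web server hand files out as downloads instead of executing them, and 0644 on everything uploaded) as an added, runnable example. This is not code from the original page and is not the page's missing .htaccess snippet: the Apache directives are this example's own choice and assume Apache httpd 2.4 with AllowOverride permitting FileInfo and AuthConfig for the directory; the function names (write_upload_htaccess, fix_upload_perms, count_executable_files, harden_upload_dir) and the script name are hypothetical.

```sh
#!/bin/sh
# Added example, not code from the original page. Hardens an upload
# directory the way the checklist describes: a .htaccess that makes Apache
# serve the files as opaque downloads instead of executing them, and file
# modes stripped to 0644 (directories 0755). Assumes Apache httpd 2.4 with
# AllowOverride allowing FileInfo and AuthConfig here; the directive set is
# this example's own choice, not the page's missing snippet.

# Write the protective .htaccess into the directory given as $1.
write_upload_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
# Uploaded files: never run them, always hand them out as downloads.
RemoveHandler .php .phtml .php3 .php4 .php5 .php7 .phps .phar
RemoveType    .php .phtml .php3 .php4 .php5 .php7 .phps .phar
ForceType application/octet-stream
<IfModule mod_headers.c>
    Header set Content-Disposition attachment
</IfModule>
# mod_php only: switch the engine off for this subtree as a second layer.
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
# Refuse to serve script-looking names at all, whatever the handler.
<FilesMatch "\.(php|phtml|php[0-9]|phps|phar|cgi|pl)$">
    Require all denied
</FilesMatch>
EOF
}

# Strip execute bits from everything already in the directory: files 0644,
# directories 0755 so the web server can still traverse them.
fix_upload_perms() {
    find "$1" -type f -exec chmod 0644 {} +
    find "$1" -type d -exec chmod 0755 {} +
}

# Count regular files under $1 that still carry any execute bit.
# Uses the POSIX symbolic -perm form rather than GNU-only -perm /111.
count_executable_files() {
    find "$1" -type f \( -perm -u+x -o -perm -g+x -o -perm -o+x \) | wc -l | tr -d ' '
}

# Run both steps and report what is left; $1 is the upload directory.
harden_upload_dir() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 1; }
    write_upload_htaccess "$1"
    fix_upload_perms "$1"
    echo "executable files remaining under $1: $(count_executable_files "$1")"
}

# Usage: sh harden_uploads.sh /var/www/uploads
if [ $# -gt 0 ]; then
    harden_upload_dir "$1"
fi
```

Run it from a cron job or a deploy hook so files that arrive with an execute bit (some upload libraries copy the client's mode) are caught; the .htaccess only matters when the directory is web-reachable, which is why the checklist puts the directory outside the webroot first.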
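The grep/find sweep from the "PHP Backdoors" section, as an added example that is not the page's own code: the same searches wrapped in a function that can be pointed at any webroot, with each hit tagged by what triggered it. The signature lists are this example's own choice (the page's shell names and functions, extended with exec, popen, proc_open, assert and the common decoders), and the function names (scan_php_backdoors, count_hits) and script name are hypothetical.

```sh
#!/bin/sh
# Added example, not the page's own code: the grep/find sweep from the
# "PHP Backdoors" section as a function that can be pointed at any webroot.
# The signature lists are this example's own choice and will flag legitimate
# code as well (every framework calls fopen), so treat the output as a review
# queue, not a verdict. Obfuscated shells that build function names at
# runtime will slip past all four checks.

# Web-shell family names to look for in file names and file contents.
SHELL_NAMES='c99|c99madshell|r57'
# Functions worth a second look when they appear in PHP sources.
DANGEROUS_CALLS='passthru|shell_exec|system|exec|popen|proc_open|eval|assert|base64_decode|gzinflate|str_rot13|fopen'

# Print one tagged line per hit under the directory given as $1.
scan_php_backdoors() {
    root="$1"
    # NAME: a file whose basename (last path component) contains a shell name.
    find "$root" -type f | grep -iE "/[^/]*($SHELL_NAMES)[^/]*\$" | sed 's/^/NAME:/'
    # TEXT: a shell name inside any text file, case-insensitive (-I skips binaries).
    grep -rIinE "$SHELL_NAMES" "$root" | sed 's/^/TEXT:/'
    # OBFUSC: eval()/assert() fed straight from a decoder, the classic one-line dropper.
    find "$root" -type f -name '*.php' -exec grep -HnE \
        '(eval|assert)[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)[[:space:]]*\(' {} + \
        | sed 's/^/OBFUSC:/'
    # CALL: any listed function called from a PHP file. Plain -E with an explicit
    # word boundary instead of the page's -P, which only GNU grep understands.
    find "$root" -type f -name '*.php' -exec grep -HnE \
        "(^|[^A-Za-z0-9_])($DANGEROUS_CALLS)[[:space:]]*\(" {} + \
        | sed 's/^/CALL:/'
    return 0
}

# Number of hits; useful as a threshold in a cron job or CI check.
count_hits() {
    scan_php_backdoors "$1" | wc -l | tr -d ' '
}

# Usage: sh scan_backdoors.sh /var/www/html
if [ $# -gt 0 ]; then
    scan_php_backdoors "$1"
fi
```

The OBFUSC lines deserve attention first: a decoder call nested directly inside eval() has almost no legitimate use, whereas a bare CALL hit on fopen() is normal. Diff the output against a run taken right after deployment so only new hits need a human look.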