This is a very deep topic. Don't get too hung up on it, because there are many web security issues that go beyond PHP coding: server vulnerabilities, open ports leading to intrusions, and so on are all normal things that need to be dealt with.
I can only talk about some of the security protections from my own PHP development process and the work requirements when developing at a network security company:
1. Most basic: the API interfaces you provide must be configured with HTTPS.
2. When the API returns response information, encrypt the message as much as possible, for example with high-bit RSA.
3. When receiving callbacks on open interfaces, use callback blacklists and whitelists, such as an IP whitelist to allow access or an IP blacklist to deny access.
4. Do not trust user input. Input must be encoded, escaped, and filtered, using frameworks and plug-ins. For example, MySQL queries must use parameter binding, and wherever data is displayed the output must be filtered to avoid XSS attacks.
5. Authorization operations: set a threshold on errors and restrict access once it is exceeded, for example on the most basic login function.
6. Weak passwords are a common cause of database leaks. Require high-strength passwords to prevent brute-force cracking.
7. For file uploads, strictly verify the file type, suffix, and format, and set directory permissions, to avoid file upload vulnerabilities leading to malicious code or webshell attacks.
8. Separate the development environment from the production environment. Do not enable debugging in production. Update promptly and apply framework vulnerability patches. For example, the tp series commonly used in China has occasionally had vulnerabilities in the past (I mostly use tp5...), so don't use the newest framework version; choose the most stable one.
Finally, please note that whether it is validation or filtering, and whether it was already performed on the client or on the server, validation must be performed again.
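As an added illustration of item 7 (not code from the answer above), the following PHP handler checks the real content type rather than the client-declared one, derives the extension from that check, and stores the file under a server-chosen name. The policy (images only, 2 MiB limit) and the `/var/app/uploads` directory are assumptions for the example.

```php
<?php
// Added example: hardened file-upload handling. Assumes the upload directory
// is outside the web root and the web server never executes scripts from it.
declare(strict_types=1);

// Hypothetical policy: only JPEG/PNG, at most 2 MiB.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
];
const MAX_BYTES  = 2 * 1024 * 1024;
const UPLOAD_DIR = '/var/app/uploads'; // assumed path, adjust per deployment

function storeUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // Only accept files that PHP itself received via HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // $file['type'] and $file['name'] are client-supplied: do not trust them.
    // Sniff the actual content instead.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('unsupported content type');
    }
    // Extension comes from the sniffed type, never from the original name,
    // so a file named "x.php.jpg" or "x.phtml" cannot keep a script suffix.
    $ext  = ALLOWED_TYPES[$mime];
    // Random server-chosen name: no path traversal, no user control.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // readable by the app user, never executable
    return $name;
}

// Usage from a request handler: $stored = storeUpload($_FILES['avatar']);
```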