尽管 PHP是最流行的脚本语言，但用它编写的应用程序很容易受到攻击。作为开发者，你有责任保护你的PHP代码安全和应用程序免受潜在黑客的攻击。

PHP安全最佳实践

为了创建可能是最安全的PHP网站并且保护您的敏感数据，请从这些技巧开始。

始终牢记安全性

作为开发人员，我们倾向于使用我们不完全了解的工具，并且承受着在优先考虑功能性的最后期限之前承受的压力。 问题是我们最终将安全漏洞引入了我们的应用程序。

框架和库在解决这些问题上起到了很大的作用，正确使用这些框架提供的元素可以大大降低遭受攻击的风险。

明显的缺点是，框架本身有时容易受到攻击，当在框架中发现漏洞时，它会影响使用它编写的各种应用程序。 了解您正在使用的工具并了解OWASP十大漏洞以及如何保护应用程序免受攻击至关重要。 一些主要问题包括：

• 身份验证失败：身份验证和会话管理功能的实现不正确。
• 跨站点脚本（XSS）：未经充分验证就将不可信数据存储在Web应用程序中。
• 访问控制损坏：无法强制限制用户访问特定数据。
• CSRF：一种攻击，迫使最终用户在当前经过身份验证的Web应用程序上执行不需要的操作。

OWASP网站(https://www.owasp.org/index.php/Main_Page) 提供了完整的风险列表和预防建议。

Have the Right PHP Infrastructure In Place

Whatever patches and fixes you establish in your system, they won’t do much good if your infrastructure isn’t properly set up. Your infrastructure is likely made up of various tools, containers, load balancers, database servers, cache stores, and more. If they aren’t configured appropriately, if credentials are mismanaged, or if systems are not kept up to date, unauthorized users may gain access to restricted information and data exchanged between the networks could be compromised.

Setting up your network also involves being aware of threats and setting firewalls and other protective measures to minimize the likelihood of them coming to fruition. Some of the risks involve:

• Unpatched security vulnerabilities
• Lack of a comprehensive credential management strategy
• Abuse of user account privileges (IBM found in 2016 that 60% of attacks are carried by insiders)
• Lack of encryption

维护 PHP 代码

PHP不断得到改进，每个新版本都增加了安全性改进。 因此，为了你 PHP 项目的安全，更新到最新版本的 PHP 将使你能得到最大收益。使用较旧的版本意味着一段时间后（通常是两年后）你将停止获得支持，并且你将无法获得对应用程序重要的安全补丁和错误修复。

如前所述，用PHP编写的代码具有固有的脆弱性。黑客总是有足够的时间，金钱和资源找到自己的方法来攻击。这意味着你的代码必须尽可能地做防护。 随着版本更新的到来，需要对代码进行必要的更改，以增加保护层并减少遭受攻击的机会。

Educate and Train All Employees

While total prevention is impossible, understanding how your systems work and their vulnerabilities will allow you to not only mitigate them, but respond to any attacks that do occur before they become worse. Educate your team on common threats, as well as proper PHP development and deployment habits that will keep your web applications secure — not just today, but in the long term.    

Keeping data secure should be an organization-wide effort. After all, it’s not just technical attacks that can occur; social engineering can take place in various forms as well. Social engineering involves manipulation on the part of an attacker to gain access to confidential and sensitive information. Hackers may contact an employee outside of your IT department, via phone or email, to request access to certain internal materials by impersonating someone else. Through formal security training, you can educate all members of your staff on the appropriate actions to take in such situations. 

长期支持的PHP安全的附加信息

保持PHP Web应用程序安全是一项持续的工作。Zend Server 提供了扩展enterprise PHP support，包含 24/7/365 电话支持，bug修复和PHP安全更新。询问报价并与专家交谈以了解更多信息。