Lately I have been paying close attention to PHP security. Many developers in China, especially PHP beginners, are often satisfied as soon as a feature works, and give security only a cursory look or ignore it altogether. The consequences are serious: widespread SQL injection, and even database connection files that can be downloaded directly. This article is translated from Cal Evans's series on DevZone, "PHP Security Tip". It is not the newest material, but many of the principles and classic practices it covers still deserve attention, and it is definitely worth a read. I offer it to get the discussion started, in the hope that it helps people build sound security awareness and understand the precautions that are needed. Places where I have added my own understanding or notes are marked. This is my first translation, so please point out anything that is off. Thank you. The original has 21 tips; this is the first half of the translation.
PHP Security Tip #1
Cal Evans (editor) 2 comments Thursday, March 1, 2007
Looking for the security silver bullet? I’ve got bad news for you, there isn’t one. Security takes an ongoing effort and a lot of little things instead of one big one. This month we are kicking off a new feature on DevZone, “Security Tip of the Week”. To kick this off right we will post one a day during March. Some of these tips will be specific things you can do, some will be general concepts you need to be aware of, all of them will be brief. So without further comment, here’s the first “Security Tip of the Week”.
Comment
MAILING LIST
1:17PM UTC · Rob [unregistered]
It can often be a good idea to join the relevant mailing list. You can find the announcement list for new releases of PHP below.
http://www.php.net/mailing-lists.php
------------------------------------------------------------------------------
PHP Security Tip 1
If you are looking for a silver bullet for security (in Western Christian legend a demon (vampire? werewolf?) can only be killed by a silver bullet through the heart; in Fred Brooks's well-known software-engineering works The Mythical Man-Month and No Silver Bullet, ever-larger software projects are compared to an uncontrollable monster, and the hope is for a technique that would settle the problem completely, the way a silver bullet kills the demon outright. Translator's note), I have bad news for you: there isn't one. Security takes continuous effort and a great many small tasks rather than being solved as one big problem. This month we are starting a new feature on DevZone, "Security Tip of the Week"; to kick it off we will post one tip every day during March. Some of the tips will be concrete things you can go and do, others will be general concepts you need to be aware of, and all of them will be brief. Enough talk, here is our first "Security Tip of the Week".
Comment:
Mailing list
Joining the relevant mailing lists is a good idea. You can find the announcement list for new PHP releases at the address below.
http://www.php.net/mailing-lists.php
------------------------------------------------------------------------------
PHP Security Tip #2
Cal Evans (editor) 3 comments Friday, March 2, 2007
Security by obscurity is no security at all. On the other hand you don't want to give away information about your site either. Today's tip is a simple one but one that is often overlooked in production environments.
Make sure you do not display errors and potentially leak information about your site.
Simply setting display_errors = Off in your php.ini of your production server will prevent you from leaking information that may give intruders hints to the structure of your system. By default, display_errors = On.
You can find more information and error reporting options in the manual's Error Handling and Logging Functions Introduction section.
------------------------------------------------------------------------------
PHP Security Tip #2
Hiding information does not provide security in any fundamental sense (Security by obscurity is no security at all.), but on the other hand you do not want to leak information about your site either.
Today's tip is simple, but it is often overlooked in production environments.
Be sure not to display error messages and the site information they can leak.
Simply setting display_errors = Off in the php.ini of your production server prevents leaking information about the structure of your system that would give intruders an opening. The default setting is display_errors = On.
In the manual's Error Handling and Logging Functions introduction section you can find more information and error reporting options.
------------------------------------------------------------------------------
PHP Security Tip #3
Cal Evans (editor) 1 comment Monday, March 5, 2007
Being Security conscious is a good thing but that alone won’t solve the problem. Developers have to be vigilant when it comes to security. Even then you can’t do it alone. Today’s Security tip reminds you of this.
Since your application may be harboring security vulnerabilities that you have not been exposed to, third-party security software or services should be considered to help bring a fresh perspective and find overlooked weaknesses.
As a developer you should have tools in your toolbox that will help you find security vulnerabilities in your applications. Tools like Chorizo will help you by performing automated scans of your code. Programs like PHPSecInfo will help you ensure that your environment is configured properly.
Using tools like these and other scanning tools should not be the only thing you do to ensure security. They are however, an important part of the mix. Let trusted projects and vendors help you build and maintain secure applications.
------------------------------------------------------------------------------
PHP Security Tip #3
Being security conscious is a good thing, but on its own it does not solve the problem. Developers must stay vigilant about security at all times, and even then it is not enough. Today's security tip is a reminder of this:
Because your application may harbour many security weaknesses you have not yet discovered, using third-party security software or services can help you get a clear view of the application and find the overlooked weak spots.
As a developer, your toolbox should contain tools that help you detect security weaknesses in your applications. A tool like Chorizo can scan your code automatically to find problems, while a program like PHPSecInfo can make sure your environment is configured correctly.
Using these or other scanning tools is still not enough by itself to guarantee security, but they are an important part of the overall mix. Trusted projects and vendors will help you build and maintain secure applications.
------------------------------------------------------------------------------
PHP Security Tip #4
Cal Evans (editor) 7 comments Tuesday, March 6, 2007
“Security through obscurity is no security at all.” so the adage goes. However, the flip side of that coin is, obscurity, when used as part of an overall strategy, is a good thing. There’s no sense in making things any easier for those with malicious intent. That brings us to our security tip for the day.
Give files and folders with critical information non-default names.
Don’t rely on obscure names to keep your application safe. You should always check permissions, test for vulnerabilities with testing tools and keep an eye on your log files for suspicious activity. When designing your applications and web sites though, don’t make it easy for bad people to do bad things. Don’t use default or common names for your files and directories.
Do you have a security tip you would like to share? A nugget of security truth you have gleaned through research or life’s school of hard knocks? Log-in and click the contribute button in the upper right hand corner.
------------------------------------------------------------------------------
PHP Security Tip #4
As the adage goes, "hiding information does not provide security in any fundamental sense (Security through obscurity is no security at all.)". On the other hand, obscurity as part of an overall security strategy is a good thing; there is no point making the job easier for people with bad intentions. That leads to today's security tip.
Do not count on obscure names to keep your application secure. You should check permissions regularly, use testing tools to look for weaknesses, and keep an eye on the log files for suspicious activity. Even so, when designing applications and web sites, do not hand people with bad intentions an easy opportunity to do harm. Do not use default or common names for files or directories.
Do you have a security tip to share? A golden rule gained through research, or a lesson learned the hard way in real life? Log in and click the contribute button in the upper right corner to share it with us.
------------------------------------------------------------------------------
PHP Security Tip #5
Cal Evans (editor) 1 comment Wednesday, March 7, 2007
PHP security is an ongoing mission requiring the programmer to think outside of the parameters of the application. It’s not enough these days to say in your mind “Does this do what I want it to do?” you also have to take into consideration “What else can people use it for and do I want to allow that?” Today’s Security tip is a proverb that all programmers should have to recite daily.
Never trust the user.
It’s a sad fact of life but users are evil. Users want nothing more than to find a way to exploit your application. As soon as you let your guard down and start thinking “I’m only selling small stuffed animals so how evil can my users really be?” you’ve lost the battle.
Ok, maybe it’s not quite that dire but you do have to keep a wary eye on some of your users. That’s where the second proverb that all programmers should recite daily comes in.
Filter Input, Escape Output
Yes, FIEO (ok, it’s not as cool sounding as GIGO) is one of the mantras that all security minded programmers have to live by.
------------------------------------------------------------------------------
PHP Security Tip #5
PHP security is an ongoing task that requires the programmer to think beyond the parameters of the application. These days it is not enough to think "does it (the application) do what I want it to do?"; you must also consider "what else can people use it for, and do I want to allow that?" Today's security tip is a maxim every programmer should recite daily:
Never trust the user. (Never trust the user)
Users are evil; sad as that is in real life, they go to every length to break your application. As soon as you relax and think "I'm only selling a few small stuffed animals (a metaphor for the application being developed, translator's note), how evil can my users really be?", you have already lost the battle.
All right, maybe things are not quite that dire, but you still need to keep a wary eye on some of your users. Here comes the second maxim every programmer should recite daily:
Filter Input, Escape Output
Yes, FIEO (all right, it does not sound as cool as GIGO) is one of the mantras every security-minded programmer lives by.
------------------------------------------------------------------------------
PHP Security Tip #6
Cal Evans (editor) 5 comments Thursday, March 8, 2007
The topic of writing secure applications in PHP covers more than just writing good PHP code. Most applications make use of a database of some kind. Many times, vulnerabilities that affect the entire application, are introduced when building the SQL code. Today's Tip of the Day deals with one easy solution developers can implement.
When dealing with numbers in a SQL query, always cast.
Even if you are filtering your input, a good and easy to implement safety measure is to cast all numeric values in the SQL statement. Take for example the following code.
$myId = filter_var($_GET['id'], FILTER_VALIDATE_INT); // int on success, false on failure
$sql = 'SELECT * FROM table WHERE id = ' . $myId;
Even though you are applying the native PHP filters built into PHP 5.2, there is something additional you can do. Try this instead.
$myId = filter_var($_GET['id'], FILTER_VALIDATE_INT);
$sql = 'SELECT * FROM table WHERE id = ' . (int)$myId; // the final cast guarantees an integer literal
This final cast of the variable to an int removes any doubt about what will be passed to MySQL. The example above is purposefully simplified. In real-life situations, the code would be more complex and the chance for error much greater. By applying the final cast when building the select statement, you are adding one more level of safety to your application.
------------------------------------------------------------------------------
PHP Security Tip #6
The topic of writing secure PHP applications goes well beyond writing good PHP code. Most applications use a database in one way or another, and very often the security weaknesses that affect the whole application creep in while the SQL code is being built.
When handling numbers in a SQL query, always cast.
Even when you are filtering input, a simple and effective safety measure is to cast every numeric value in the SQL statement. Take the following code:
$myId = filter_var($_GET['id'], FILTER_VALIDATE_INT); // int on success, false on failure
$sql = 'SELECT * FROM table WHERE id = ' . $myId;
Even though you are using the native filters built into PHP 5.2 (see the Data Filtering section of the latest PHP manual; some older Chinese editions of the manual lack this chapter, translator's note), there is something more you can do. Try this instead:
$myId = filter_var($_GET['id'], FILTER_VALIDATE_INT);
$sql = 'SELECT * FROM table WHERE id = ' . (int)$myId; // the final cast guarantees an integer literal
In the final cast the variable is cast to an integer (int), removing any doubt about what is actually passed to MySQL. The example above has been deliberately simplified; in real situations the code is more complex and the chance of error much greater. By relying on the final cast when building the select statement, your code gains one more level of protection.
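The following is an added example, not part of the DevZone tip or of this translation, that runs the filter-plus-cast pattern from Tip #6 (and the "filter input" half of Tip #5's FIEO) over a set of constructed inputs, so the difference between the two statements, including the case where filter_var() returns false, is visible. The function name buildIdQuery and the sample values are assumptions.

```php
<?php
// Added example (not from the DevZone tip): runs the Tip #6 pattern over
// constructed inputs to show what reaches the SQL string with and without
// the final (int) cast. buildIdQuery() and the sample values are assumed.

function buildIdQuery(string $rawId): array
{
    // FILTER_VALIDATE_INT returns the integer on success and false on failure.
    $myId = filter_var($rawId, FILTER_VALIDATE_INT);

    // Without the cast, false concatenates as an empty string and leaves a
    // malformed query behind; with the cast it becomes the harmless literal 0.
    $noCast   = 'SELECT * FROM table WHERE id = ' . $myId;
    $withCast = 'SELECT * FROM table WHERE id = ' . (int) $myId;

    return ['filtered' => $myId, 'no_cast' => $noCast, 'cast' => $withCast];
}

// Constructed values as they might arrive in $_GET['id'].
$samples = ['42', '-7', '42 OR 1=1', 'abc', ''];

foreach ($samples as $raw) {
    $r = buildIdQuery($raw);
    if ($r['filtered'] === false) {
        // In production, stop here and treat a failed filter as a bad
        // request instead of silently querying id = 0.
        echo 'rejected: ' . var_export($raw, true) . "\n";
    }
    printf("%-12s | %s | %s\n", var_export($raw, true), $r['no_cast'], $r['cast']);
}
```

For '42' and '-7' both statements are identical; for the other three inputs the uncast statement ends in `id = ` (a syntax error at the database), while the cast statement ends in `id = 0`.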