I ran into exactly this kind of problem while developing a photo album system: because we had not communicated well, work got duplicated, and because the documentation gave no detailed explanation we kept interrupting each other with ad-hoc questions.

Recently I have been paying attention to PHP security. Many domestic developers, PHP beginners in particular, often only care whether a feature works; their treatment of security stops at the surface or is ignored entirely. The consequences are serious: numerous SQL injections, and even cases where the database connection file could be downloaded directly. This article is translated from Cal Evans's series on DevZone, PHP Security Tip. They are not the newest articles, but many of the principles and classic practices they mention still deserve attention, and they are definitely worth reading. I offer them to start a discussion, in the hope that they help people build good security awareness and understand the necessary precautions. Places where I have added my own understanding and annotations are marked in the text. This is my first translation; corrections are welcome. Thanks.
  PHP Security Tip #1
  Cal Evans (editor) 2 comments Thursday, March 1, 2007
  Looking for the security silver bullet? I’ve got bad news for you, there isn’t one. Security takes an ongoing effort and a lot of little things instead of one big one. This month we are kicking off a new feature on DevZone, “Security Tip of the Week”. To kick this off right we will post one a day during March. Some of these tips will be specific things you can do, some will be general concepts you need to be aware of, all of them will be brief. So without further comment, here’s the first “Security Tip of the Week”.
  If you are looking for a silver bullet for security (in Western Christian legend, only a silver bullet through the heart can kill a demon (a vampire? a werewolf?); in Fred Brooks's famous software-engineering works, The Mythical Man-Month and No Silver Bullet, ever-larger software projects are compared to an uncontrollable monster, and the hope is for a technique that, like the silver bullet killing the demon outright, solves the problem completely. Translator's note), I have bad news for you: there is none. Security takes continuous effort and a great many small tasks rather than being solved as one big problem. This month we are starting a new feature on DevZone, "Security Tip of the Week"; to kick it off we will publish one every day during March. Some of the tips will be concrete things you can do, others will be general concepts you need to be aware of, and all of them will be brief. Enough chatter, here is our first "Security Tip of the Week".
  PHP Security Tip #2
  Cal Evans (editor) 3 comments Friday, March 2, 2007
  Security by obscurity is no security at all. On the other hand you don't want to give away information about your site either. Today's tip is a simple one but one that is often overlooked in production environments.
  Make sure you do not display errors and potentially leak information about your site.
  Simply setting display_errors = Off in your php.ini of your production server will prevent you from leaking information that may give intruders hints to the structure of your system. By default, display_errors = On.
  You can find more information and error reporting options in the manual's Error Handling and Logging Functions Introduction section.
  Relying on hidden information for security provides no real security (Security by obscurity is no security at all.), but on the other hand you do not want to leak information about your site either.
  Simply setting display_errors = Off in the php.ini of your production server prevents leaking information about your system's structure that would give intruders an opening. The default setting is display_errors = On.
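  The tip above is about a php.ini setting, but the same policy can be enforced from application code and verified at startup. The following is an added example, not code from the DevZone post or from any project it mentions: it keeps display_errors off, routes detail to the error log instead, and turns uncaught exceptions into a generic response so that file paths and stack traces never reach the browser. The log path and the function names are this example's own choices.

```php
<?php
// Added example (not from the original DevZone post): a small production
// bootstrap that keeps display_errors off, sends details to the log instead,
// and turns uncaught exceptions into a generic response. The log path and
// function names are this example's own choices.

declare(strict_types=1);

function configureErrorHandling(string $logFile): void
{
    // Report everything, but never render it into the HTTP response.
    error_reporting(E_ALL);
    ini_set('display_errors', '0');
    ini_set('display_startup_errors', '0');
    ini_set('log_errors', '1');
    ini_set('error_log', $logFile);
}

// Uncaught exceptions would otherwise print a message with file paths when
// display_errors is on; log the detail and answer with a bland message.
function installExceptionHandler(): void
{
    set_exception_handler(static function (Throwable $e): void {
        error_log(sprintf(
            '[%s] %s in %s:%d',
            get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()
        ));
        http_response_code(500);
        echo 'An internal error occurred.';
    });
}

// Read back the effective settings so a deployment can refuse to start
// if display_errors is still on (for example, a stray ini_set elsewhere).
function productionErrorSettingsOk(): bool
{
    return ini_get('display_errors') === '0'
        && ini_get('log_errors') === '1';
}

configureErrorHandling(__DIR__ . '/php-error.log');
installExceptionHandler();

if (!productionErrorSettingsOk()) {
    error_log('refusing to run: display_errors is still enabled');
    exit(1);
}
```

  Setting the value in php.ini remains the authoritative fix, since ini_set only takes effect after the script starts and cannot suppress startup errors; the runtime check is a second line of defence that catches a misconfigured server before it serves a single request.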
  PHP Security Tip #3
  Cal Evans (editor) 1 comment Monday, March 5, 2007
  Being Security conscious is a good thing but that alone won’t solve the problem. Developers have to be vigilant when it comes to security. Even then you can’t do it alone. Today’s Security tip reminds you of this.
  Since your application may be harboring security vulnerabilities that you have not been exposed to, third-party security software or services should be considered to help bring a fresh perspective and find overlooked weaknesses.
  As a developer you should have tools in your toolbox that will help you find security vulnerabilities in your applications. Tools like Chorizo will help you by performing automated scans of your code. Programs like PHPSecInfo will help you ensure that your environment is configured properly.
  Using tools like these and other scanning tools should not be the only thing you do to ensure security. They are however, an important part of the mix. Let trusted projects and vendors help you build and maintain secure applications.
  Having security awareness is a good thing, but by itself it does not solve the problem; when it comes to security, developers must stay vigilant at all times, and even then it is not enough. Today's security tip is a reminder of this:
  As a developer, your toolbox should contain tools that help detect security risks in your applications. A tool like Chorizo can automatically scan your code to find problems, while a program like PHPSecInfo can make sure your environment is configured correctly.
  PHP Security Tip #4
  Cal Evans (editor) 7 comments Tuesday, March 6, 2007
  “Security through obscurity is no security at all.” so the adage goes. However, the flip side of that coin is, obscurity, when used as part of an overall strategy, is a good thing. There’s no sense in making things any easier for those with malicious intent. That brings us to our security tip for the day.
  Give files and folders with critical information non-default names.
  Don’t rely on obscure names to keep your application safe. You should always check permissions, test for vulnerabilities with testing tools and keep an eye on your log files for suspicious activity. When designing your applications and web sites though, don’t make it easy for bad people to do bad things. Don’t use default or common names for your files and directories.
  As the adage goes, "Relying on hidden information for security provides no real security (Security through obscurity is no security at all.)", but on the other hand obscurity, as part of an overall security strategy, is a good thing. There is no point in making things easy for those with bad intentions, and that leads to today's security tip.
  PHP Security Tip #5
  Cal Evans (editor) 1 comment Wednesday, March 7, 2007
  PHP security is an ongoing mission requiring the programmer to think outside of the parameters of the application. It’s not enough these days to say in your mind “Does this do what I want it to do?” you also have to take into consideration “What else can people use it for and do I want to allow that?” Today’s Security tip is a proverb that all programmers should have to recite daily.
  Never trust the user.
  It’s a sad fact of life but users are evil. Users want nothing more than to find a way to exploit your application. As soon as you let your guard down and start thinking “I’m only selling small stuffed animals so how evil can my users really be?” you’ve lost the battle.
  Ok, maybe it’s not quite that dire but you do have to keep a wary eye on some of your users. That’s where the second proverb that all programmers should recite daily comes in.
  Filter Input, Escape Output
  Yes, FIEO (ok, it’s not as cool sounding as GIGO) is one of the mantras that all security minded programmers have live by.
  Never trust the user.
  Filter input, encode output (Filter Input, Escape Output)
  Yes, FIEO (okay, it does not sound as cool as GIGO) is one of the mantras that all security-minded programmers live by.
  PHP Security Tip #6
  Cal Evans (editor) 5 comments Thursday, March 8, 2007
  The topic of writing secure applications in PHP covers more than just writing good PHP code. Most applications make use of a database of some kind. Many times, vulnerabilities that affect the entire application, are introduced when building the SQL code. Today's Tip of the Day deals with one easy solution developers can implement.
  When dealing with numbers in a SQL query, always cast.
  Even if you are filtering your input, a good and easy to implement safety measure is to cast all numeric values in the SQL statement. Take for example the following code.
  $myId = filter_var($_GET['id'],FILTER_VALIDATE_INT);
  $sql = 'SELECT * FROM table WHERE id = '.$myId;
  Even though you are applying the native PHP filters built into PHP 5.2, there is something additional you can do. Try this instead.
  $myId = filter_var($_GET['id'], FILTER_VALIDATE_INT);
  $sql = 'SELECT * FROM table WHERE id = '.(int)$myId;
  This final cast of the variable to an int removes any doubt about what will be passed to MySQL. The example above is purposefully simplified. In real-life situations, the code would be more complex and the chance for error much greater. By applying the final cast to in building the select statement, you are adding one more level of safety into your application.
  $myId = filter_var($_GET['id'],FILTER_VALIDATE_INT);
  $sql = 'SELECT * FROM table WHERE id = '.$myId;
  Even if you use the native PHP filters built into PHP 5.2 (see the Data Filtering section of the latest PHP manual; some older Chinese editions of the manual lack this section. Translator's note), there is something more you can do. Try the following instead:
  $myId = filter_var($_GET['id'], FILTER_VALIDATE_INT);
  $sql = 'SELECT * FROM table WHERE id = '.(int)$myId;
  The final cast turns the variable into an integer (int), removing any doubt about what is actually passed to MySQL. The example above is deliberately simplified; in real situations the code is more complex and there are more chances for mistakes. By relying on the final cast when building the select statement, your code gains one more level of security protection.
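  Tip #5 (filter input, escape output) and Tip #6 (cast numbers in SQL) fit together, so here is one added example covering both. It is not code from the DevZone post or from any project it mentions; the request samples are constructed for the demonstration, and the table name and helper functions are this example's own. It shows what filter_var returns for bad input, what the (int) cast alone does with that result, and how output is escaped before being placed in HTML.

```php
<?php
// Added example (not from the original DevZone post). Shows Tips #5 and #6
// together: filter what comes in, escape what goes out, and cast numeric
// values once more when the SQL string is built. The $_GET-style samples
// below are constructed; "table" and the helper names are placeholders.

declare(strict_types=1);

// Filter Input: accept only a positive integer id, otherwise report "no id".
function filterId(array $request): ?int
{
    $id = filter_var(
        $request['id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    return $id === false ? null : $id;
}

// Build the query with the final (int) cast from Tip #6. The cast is a
// belt-and-braces measure: even if a caller skips filterId(), only a
// number can reach the SQL string.
function buildSelectById($myId): string
{
    return 'SELECT * FROM table WHERE id = ' . (int)$myId;
}

// Escape Output: anything echoed into HTML goes through htmlspecialchars.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample requests, from benign to tainted.
$samples = [
    ['id' => '42'],
    ['id' => '0'],
    ['id' => '42 OR 1=1'],
    ['name' => '<script>alert(1)</script>'],
];

foreach ($samples as $request) {
    $id = filterId($request);
    if ($id === null) {
        // Rejected by the filter. Without the filter, the cast alone keeps
        // any SQL text out of the query ((int)'42 OR 1=1' is 42, (int)null
        // is 0), but it silently changes the meaning instead of refusing.
        printf("rejected %s; cast alone would give: %s\n",
            var_export($request['id'] ?? null, true),
            buildSelectById($request['id'] ?? null));
        continue;
    }
    printf("accepted: %s\n", buildSelectById($id));
}

// Output side: the untrusted name is escaped before it is placed in HTML.
echo '<p>Hello, ' . escapeHtml($samples[3]['name']) . '</p>', "\n";
```

  Run it with `php fieo.php`. The point the output makes is that filter_var returns false for '42 OR 1=1' and for a missing id, and that casting false or null yields 0; the cast therefore guarantees the query is a number, while the filter is what lets the application refuse bad input instead of querying for the wrong row.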
My advice: some of the most commonly used statements need to be memorized, such as if, for and while; for other ordinary statements you only need to know that the function or feature exists, and when you need it you can find it from memory.

Once the environment is set up and you see your browser print "It works", you are sure to be delighted. When solving problems, I strongly recommend reading the PHP manual often.

I once made a very basic mistake: I used a hyphen '-' when naming a file and spent several hours hunting for the error. The fact is that you cannot use a hyphen '-' in names; you should use an underscore '_'.

Because something like a blog lets you touch more of what you need to learn: classes, templates, JS, Ajax.


