PHP tutorial: [Translation] PHP Security Tips (Part 2)
Lately I have been following PHP security issues. Many developers here, especially PHP beginners, are often satisfied once a feature works and treat security superficially or ignore it altogether. The consequences are serious: SQL injection everywhere, and even database connection files that can be downloaded directly... This article is translated from Cal Evans's series on DevZone, PHP Security Tips. Although these are not the newest articles, many of the principles and classic practices they describe still deserve attention, and they are well worth reading; I offer this translation in the hope that it helps people build good security awareness and understand the necessary precautions. Places where I have added my own understanding and notes are marked. This is my first translation, so please point out anything that is off. Thanks! By Falcon. The original has 21 tips; this is the second half of the translation.
[Translation] PHP Security Tips (Part 1)
------------------------------------------------------------------------------
PHP Security Tip #12
Cal Evans (editor) 1 comment Friday, March 16, 2007
We’ve talked about filtering, we’ve talked about validating, we’ve talked about filtering again. Filtering inputs into your application is an important concept and the pre-cursor to many good security practices. However, once you have the input filtered and validated you can’t simply sit back and relax. You have to stay vigilant when programming to ensure security throughout your application.
Filtering input gives some developers a false sense of security. They assume that since they've filtered the input, there's no reason to worry. That may be true in some simple instances but in most complex applications, you have to constantly be aware of what you are using the input for. This is never more true than when using user input in the eval() command. That brings us to today's tip:
Think carefully before using eval()
By using user-inputted values in an eval(), you are potentially giving a malicious user a gateway to your server. Even if your interface forces them to choose only predefined options, the call to your script can be spoofed and your script can potentially be used to execute commands on demand by people who want to do bad things.
Use eval() sparingly. When you do have to use it, make sure you filter and then validate the input. If there are other ways to accomplish the task then consider using them instead.
=C=
------------------------------------------------------------------------------
PHP Security Tip #12 (translated)
We have talked about filtering, we have talked about validating; let us talk about filtering once more.
Filtering user input is an important concept and the precursor to many good security habits. But after the input has been filtered and validated you cannot sit back and rest. Throughout the coding of the whole application you must stay vigilant about security.
Filtering input gives some developers a false sense of security: they firmly believe that since the input has been filtered, there is no reason to worry any more. That may be true in some simple cases, but in large, complex applications you must keep paying attention to what you use the input for, especially when user input is used in the eval() command. That brings us to today's tip:
Think carefully before using eval().
When you use user-supplied values inside eval(), you may be opening the door for a malicious user to get into your server. Even if your interface only lets them choose predefined options, the call to your script can be spoofed, and your script can potentially be used to execute the commands they request, for some bad purpose.
Use eval() sparingly. When you must use it, be sure the user input has been filtered and validated. If there are other ways to accomplish the same task, consider using those instead.
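The pattern Tip #12 warns about, shown next to the alternative it recommends, as an added example that is not part of the original tips or of Cal Evans's code. The report names, the report_* functions and the sample inputs are constructed for the demonstration.

```php
<?php
// Added example for Tip #12 (not from the original tips): the eval() pattern
// the tip warns about, beside a version that never passes user input to eval().
// Report names and functions below are constructed for the demonstration.

function report_sales(): string     { return "sales report"; }
function report_inventory(): string { return "inventory report"; }

// UNSAFE: the "type" chosen from a drop-down is spliced into PHP source.
// The drop-down is no defence; a hand-made request can carry any string,
// so whoever controls $type controls what the interpreter runs.
function runReportUnsafe(string $type): string
{
    return eval("return report_{$type}();");
}

// SAFE: an allow-list maps the permitted values to callables. The user's
// string is only ever used as an array key, never as code, and anything
// outside the list is rejected before any function is called.
const REPORTS = [
    'sales'     => 'report_sales',
    'inventory' => 'report_inventory',
];

function runReport(string $type): string
{
    if (!array_key_exists($type, REPORTS)) {
        throw new InvalidArgumentException("unknown report type: {$type}");
    }
    return call_user_func(REPORTS[$type]);
}

// Constructed inputs standing in for $_GET['type']: the first two are what the
// form offers, the third is the kind of value a spoofed request might send.
foreach (['sales', 'inventory', 'bogus'] as $type) {
    try {
        echo runReport($type), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo "rejected: ", $e->getMessage(), PHP_EOL;
    }
}
```

The allow-list version does the filtering and validating the tip asks for in one step: the input is compared against a fixed set of keys, so there is no string to sanitise and no code path in which the value reaches the interpreter. When a lookup table cannot express what you need, a small dispatch via match or a switch on the validated value is still preferable to eval().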
------------------------------------------------------------------------------
PHP Security Tip #13
Cal Evans (editor) 4 comments Tuesday, March 20, 2007
Security is a mindset, not just something you do. It colors your application design as well as your coding. However, you also need to constantly monitor your production environment. That's where selecting the right tool comes into play. I know I've mentioned PHPSecInfo before but I think this tool is important enough to warrant its own post.
PHPSecInfo is a great tool to use to keep an eye on your production environment. It was written by Ed Finkler of CERIAS, the Center for Education and Research in Information Assurance and Security at Purdue University. It is officially a project of the PHP Security Consortium. Here’s what the PHPSecInfo homepage has to say about itself.
PHPSecInfo provides an equivalent to the phpinfo() function that reports security information about the PHP environment, and offers suggestions for improvement. It is not a replacement for secure development techniques, and does not do any kind of code or app auditing, but can be a useful tool in a multilayered security approach.
If you need more info, here’s the link to a short interview with Ed talking about PHPSecInfo. Here is another link to the latest release notice for version 0.2.
As with all security measures, by itself it’s not the silver bullet. Used properly though, it can be part of a comprehensive solution.
------------------------------------------------------------------------------
PHP Security Tip #13 (translated)
Security is a mindset, not merely a set of things you do; it colors the design and coding of your application a great deal. But you also need to keep monitoring your production environment, and that is where choosing the right tool comes in. I have mentioned PHPSecInfo before, but I think this tool is important enough that I am giving it a section of its own.
PHPSecInfo is a powerful tool for keeping an eye on your production environment. It was written by Ed Finkler of CERIAS, short for the Center for Education and Research in Information Assurance and Security at Purdue University, and it is an official project of the PHP Security Consortium (translator: PHPSecInfo, impressive!). Here is what the PHPSecInfo homepage says about it:
PHPSecInfo provides an equivalent of the phpinfo() function that reports security information about the PHP environment and offers suggestions for improvement. Its purpose is not to replace secure development techniques, and it does not do any kind of code or application auditing, but it is a very useful tool as part of a multi-layered security approach.
If you want to know more, below is the link to a short interview in which Ed talks about PHPSecInfo, and another link to the release notice for the latest version, 0.2.
http://devzone.zend.com/node/view/id/1099
http://devzone.zend.com/node/view/id/1735
Like all security measures, PHPSecInfo by itself is not a silver bullet (see the translator's note on Tip #1), but used properly it can become part of a comprehensive solution.
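To make concrete what a phpinfo()-style security report looks at, here is an added example that is not PHPSecInfo's code and not from the original tip: a handful of environment checks of the same kind, read through ini_get() so the script runs under any SAPI. The set of directives and the wording of the findings are my own choice, not the tool's check list.

```php
<?php
// Added example for Tip #13 (not PHPSecInfo's code): a few environment checks
// of the kind such a tool reports, implemented with ini_get(). The directives
// chosen and the advice text are assumptions made for this illustration.

function checkPhpEnvironment(): array
{
    $findings = [];
    // php.ini booleans arrive as "1"/"0", "On"/"Off", "" etc.; normalise them.
    $isOn = fn(string $key): bool => filter_var((string) ini_get($key), FILTER_VALIDATE_BOOLEAN);

    if ($isOn('display_errors')) {
        $findings[] = 'display_errors is on: error text (paths, SQL, stack traces) reaches visitors; set log_errors instead';
    }
    if ($isOn('expose_php')) {
        $findings[] = 'expose_php is on: the exact PHP version is advertised in the X-Powered-By header';
    }
    if ($isOn('allow_url_include')) {
        $findings[] = 'allow_url_include is on: include/require can pull code from a URL';
    }
    if ($isOn('allow_url_fopen')) {
        $findings[] = 'allow_url_fopen is on: file functions accept URLs; review whether the application needs it';
    }
    if (!$isOn('session.cookie_httponly')) {
        $findings[] = 'session.cookie_httponly is off: page scripts can read the session cookie';
    }
    if ((string) ini_get('open_basedir') === '') {
        $findings[] = 'open_basedir is not set: scripts may open files anywhere the web server user can read';
    }
    if ((int) ini_get('max_execution_time') === 0 && PHP_SAPI !== 'cli') {
        $findings[] = 'max_execution_time is 0: a runaway request is never stopped';
    }
    return $findings;
}

$findings = checkPhpEnvironment();
if ($findings === []) {
    echo "no findings for the checked directives", PHP_EOL;
}
foreach ($findings as $f) {
    echo "[warn] {$f}", PHP_EOL;
}
```

Run it under the same SAPI as production (for example through the web server rather than the CLI), because php.ini values and even the php.ini file itself can differ between the two; the output is only meaningful for the environment it ran in.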
------------------------------------------------------------------------------
PHP Security Tip #14
Cal Evans (editor) 2 comments Wednesday, March 21, 2007
Almost any application running PHP on the back-end uses web technologies for its front end. Many developers who think hard about PHP security don't spend a thought on front-end security for their application. Here's a tip to think long and hard about when building your HTML and JavaScript.
Any data inside of a cookie can potentially be seen by others – restrict it to a minimum.
It’s a sad fact on today’s web but there are bad people out there. They want nothing more than for your application to leak sensitive data so they can exploit it. Make sure you look at the whole picture when evaluating the security of your application. This is very important when looking at what information you persist on the front end.
------------------------------------------------------------------------------
PHP Security Tip #14 (translated)
Almost every PHP application runs PHP as the back end and uses web technologies as the front end. Many developers think hard about PHP security but never think about the security of their front end. The tip here is: when you build your HTML and JavaScript, think longer and harder.
Any information kept in a cookie can potentially be seen by others: keep it to the minimum.
There is a sad reality on today's web: people with bad intentions are out there, and they want nothing more than for your application to leak sensitive information so they can exploit it. When you assess the security of your application, be sure to look at the whole picture. One very important part of that is looking at what you keep on the front end.
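The following is an added example, not from the original tip, that contrasts the two ways of "remembering" a logged-in user between requests: putting the data into the cookie, which is what the tip warns against, and keeping only an opaque session id client-side with the cookie flags that limit who can read it. The user record is constructed; the functions are my own.

```php
<?php
// Added example for Tip #14 (not from the original tip). The user record and
// the function names are constructed for this illustration.

// BAD: the cookie carries the data itself. The e-mail and role can be read by
// anyone who can see the cookie (a script on the page, another user of the
// machine, a proxy on plain HTTP) and can be edited before being sent back,
// so the server must not trust them either.
function rememberUserInCookie(array $user): void
{
    setcookie('user', json_encode(['email' => $user['email'], 'role' => $user['role']]));
}

// BETTER: the browser gets only an opaque session id; the details stay on the
// server. The cookie is sent over HTTPS only (secure), is hidden from
// JavaScript (httponly) and is not attached to cross-site requests (samesite).
function rememberUserInSession(array $user): void
{
    session_set_cookie_params([
        'lifetime' => 0,      // session cookie: discarded when the browser closes
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
    session_regenerate_id(true);        // fresh id after login, old one invalidated
    $_SESSION['user_id'] = $user['id']; // a reference the server resolves, not the data
}

// Constructed user record for the demonstration.
$user = ['id' => 42, 'email' => 'alice@example.com', 'role' => 'admin'];
rememberUserInSession($user);

// Show the attributes the session cookie will be issued with.
print_r(session_get_cookie_params());
```

The array form of session_set_cookie_params() needs PHP 7.3 or later; on older versions the same flags are passed as positional arguments, and samesite has to be appended to the cookie path. Whichever form is used, the point of the tip stands: the only thing that should leave the server in a cookie is an identifier that means nothing without the server-side record it points to.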
------------------------------------------------------------------------------
PHP Security Tip #15
Cal Evans (editor) 5 comments Friday, March 23, 2007
As developers, most of us are very messy. I've worked on countless projects and at each either run across or left a trail of diagnostic files lying around. (info.php, test.php, doMe.php, etc.) These files, if found by someone with nefarious intent, can leak valuable information about your system.
Today’s Security tip is:
Don’t forget to purge temporary system diagnostic files.
It would be a shame to spend all that time securing your application only to leave info.php or worse yet, a “quick piece of code” in test.php that could potentially leak dangerous information about your system. Don't help the bad guys any more than you have to.
=C=
p.s. Got a security tip? Post it! If it’s good enough we’ll share it with everybody else. Just log-in and click the contribute link in the upper right corner.
------------------------------------------------------------------------------
PHP平安建议#15
作为开辟者,咱们大局部的人都长短常邋遢的,我为有数项目任务过。每次都能发明或留下一堆额定的诊断文件,随地乱放。像(info.php, test.php ,doMe.php等),这些文件,假如被某个怀有不良妄图的人发明,将很有能够泄漏体系的有效信息。
明天的平安建议是
不要健忘排除一时的体系诊断文件
在清算伤害你的使用的这些文件时你能够会感应忸捏,看到那些留上去的info.php或更糟的,在test.php“一段疾速代码片段",它们城市潜伏地泄漏关于体系的风险信息,不要再助那些发告白的家伙(ad guys)落井下石了。
p.s. 你也有平安方面的小建议,把它宣布出来吧,能和别人分享是一件再好不外的事了,只需登录并点击右上角的奉献按钮。
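One way to keep Tip #15 from depending on memory is to sweep the document root before every deploy. The script below is an added example, not from the original tip: it flags files by name (the names the tip lists plus a few common ones, an assumed list you should extend for your own project) and by content (a phpinfo() call or a dump of a request superglobal), builds a small constructed tree to run against, and cleans up afterwards.

```php
<?php
// Added example for Tip #15 (not from the original tip): find leftover
// diagnostic scripts under a web root. Name and content patterns are an
// assumed starting list, not an exhaustive one.

const SUSPICIOUS_NAMES = [
    '/^(info|phpinfo|test|debug|doMe|tmp|temp)\d*\.php$/i',  // the usual scratch files
    '/\.(bak|old|orig|swp)$/i',                              // editor and backup copies
];
const SUSPICIOUS_CONTENT = [
    '/\bphpinfo\s*\(/i',                                     // dumps config, paths, versions
    '/\b(var_dump|print_r)\s*\(\s*\$_(GET|POST|SERVER|COOKIE|ENV)\b/i',
];

// Returns [path => [reasons...]] for every file that matches a pattern.
function findDiagnosticFiles(string $root): array
{
    $hits = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        $path = $file->getPathname();
        foreach (SUSPICIOUS_NAMES as $re) {
            if (preg_match($re, $file->getFilename())) {
                $hits[$path][] = 'name';
                break;
            }
        }
        // Only read PHP sources, and skip anything unreasonably large.
        if (strtolower($file->getExtension()) === 'php' && $file->getSize() < 1000000) {
            $src = (string) file_get_contents($path);
            foreach (SUSPICIOUS_CONTENT as $re) {
                if (preg_match($re, $src)) {
                    $hits[$path][] = 'content';
                    break;
                }
            }
        }
    }
    ksort($hits);
    return $hits;
}

// Constructed sample tree: one clean file, one leftover by name, one by content.
$root = sys_get_temp_dir() . '/diag-sweep-demo';
@mkdir($root . '/lib', 0700, true);
file_put_contents($root . '/index.php', "<?php echo 'hello';\n");
file_put_contents($root . '/info.php', "<?php echo 'placeholder';\n");
file_put_contents($root . '/lib/helpers.php', "<?php\n// forgot this\nphpinfo();\n");

foreach (findDiagnosticFiles($root) as $path => $reasons) {
    echo $path, '  (', implode(', ', $reasons), ')', PHP_EOL;
}

// Remove the constructed tree again.
array_map('unlink', [$root . '/index.php', $root . '/info.php', $root . '/lib/helpers.php']);
rmdir($root . '/lib');
rmdir($root);
```

Point it at the real document root (replace the constructed $root with a path argument) and wire it into the deploy step so the build fails on any hit; a name match on a file that is genuinely needed can be added to an exception list, but a content match on phpinfo() in a production tree is almost never intentional.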
------------------------------------------------------------------------------
PHP Security Tip #16
sascha_leib 1 comment Monday, March 26, 2007
Keep Your Framework Up to Date
I have posted it before as comment, but since I believe that this is a very important issue, it might be worth a ‘security tip’ of its own:
Make sure any framework you are using is updated regularly.
This is especially important if you are working on a ‘one-shot’ client project. It is important to think about who is going to maintain the site if (or rather: when) a security patch is issued for any of the 3rd party files.
Usually, these sites are placed on a shared hosting site, and that means the provider is responsible for keeping PHP, database system, web server, etc. up to date – but they will probably not maintain the frameworks you have installed.
Using frameworks is generally a good idea – not only because they take a lot of the work away from you, but also because any potential security issue will (usually) quickly be dealt with.
On the other side, this means that security issues in these frameworks are very well documented – and it is all too easy for a malicious hacker to search for old versions of the framework in use, and exploit these problems.
I have seen many, many sites which are still using extremely old and outdated files – simply because there is nobody there to update it. And I’m talking about old PEAR installs (with known issues with the ‘Mail’ component) and worse!
------------------------------------------------------------------------------
PHP Security Tip #16 (translated)
Keep your framework up to date
I posted this before as a comment, but since I believe it is a very important topic, it may deserve to stand as a "security tip" of its own.
Be sure to update any framework you use regularly.
This is especially important if you work on "one-shot" client projects. The crucial thing is to consider who will maintain the site if (or rather, when) a patch for the third-party software is released.
Usually these sites are placed on shared hosting, which means the provider is responsible for keeping PHP, the database system and the web server up to date, but they are unlikely to maintain the frameworks you have installed.
Generally speaking, using a framework is a good thing, not only because it can save you a great deal of work, but also because any potential security problem will (usually) be dealt with quickly.
On the other hand, this also means that the security problems of these frameworks are well documented, which makes it easy for ill-intentioned hackers to search for old versions of the framework a system uses and exploit it through those security problems.
I have seen many, many sites still using very old, outdated files simply because nobody updates them; sites still using old versions of the PEAR library (with the widely known security problem in the Mail component) are even worse!
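Tip #16 is about a project that nobody is watching, so the useful automation is a check that runs on its own and complains when a pinned dependency falls behind a version you have recorded as patched. The script below is an added example, not from the original tip: it assumes a Composer-managed project with a composer.lock (the tip's own era used PEAR), and the package names, versions and the lock file contents are constructed placeholders.

```php
<?php
// Added example for Tip #16 (not from the original tip). Assumes a
// Composer-style composer.lock; package names and versions are constructed.

// Lowest versions you have verified as carrying the fixes you need.
// Maintain this list when you read an advisory; the cron job does the rest.
const MINIMUM_SAFE = [
    'example/framework' => '2.4.1',
    'example/mailer'    => '1.9.0',
];

// Returns [package => message] for packages that are below the recorded
// minimum or that have no minimum recorded at all (both need a human look).
function outdatedPackages(string $lockJson): array
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    $report = [];
    foreach ($lock['packages'] ?? [] as $pkg) {
        $name    = $pkg['name'];
        $version = ltrim($pkg['version'], 'v');      // "v2.3.0" and "2.3.0" compare equal
        if (!isset(MINIMUM_SAFE[$name])) {
            $report[$name] = "no minimum recorded; installed {$version}, review it";
        } elseif (version_compare($version, MINIMUM_SAFE[$name], '<')) {
            $report[$name] = "installed {$version} is below minimum " . MINIMUM_SAFE[$name];
        }
    }
    return $report;
}

// Constructed composer.lock fragment: one package behind, one fine, one unlisted.
$lockJson = <<<'JSON'
{
  "packages": [
    {"name": "example/framework", "version": "v2.3.0"},
    {"name": "example/mailer",    "version": "1.9.2"},
    {"name": "example/imagelib",  "version": "0.4.0"}
  ]
}
JSON;

$report = outdatedPackages($lockJson);
foreach ($report as $name => $msg) {
    echo "[check] {$name}: {$msg}", PHP_EOL;
}
exit($report === [] ? 0 : 1);   // non-zero so a cron job or CI step notices
```

A non-zero exit from a scheduled run is enough to send the e-mail that the tip says nobody is otherwise going to receive. Where Composer 2.4 or later is available, its own audit command compares the lock file against published advisories and can replace the hand-kept list; the script above is the minimum that works without that.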