[Translation] PHP Security Tips (Part 1)
I have been paying close attention to PHP security lately. Many developers in China, especially PHP beginners, are often satisfied once a feature works; their consideration of security is superficial at best, or absent altogether. The consequences are serious: rampant SQL injection, and even database connection files that can be downloaded directly... This article is translated from Cal Evans' series on DevZone, PHP Security Tip. Although these are not the newest articles, many of the principles and classic practices they mention still deserve attention, and they are well worth reading. I offer this translation to get the discussion started, in the hope that it helps readers build good security awareness and learn the necessary countermeasures. Places where I have added my own understanding and notes are marked. This is my first translation; corrections are welcome. Thank you. The original series has 21 tips; this is the first part of the translation.
PHP Security Tip #1
Cal Evans (editor) | 2 comments | Thursday, March 1, 2007
Looking for the security silver bullet? I’ve got bad news for you, there isn’t one. Security takes an ongoing effort and a lot of little things instead of one big one. This month we are kicking off a new feature on DevZone, “Security Tip of the Week”. To kick this off right we will post one a day during March. Some of these tips will be specific things you can do, some will be general concepts you need to be aware of, all of them will be brief. So without further comment, here’s the first “Security Tip of the Week”.
Comment: MAILING LIST
1:17PM UTC · Rob [unregistered]
It can often be a good idea to join the relevant mailing list. You can find the announcement list for new releases of PHP below.
http://www.php.net/mailing-lists.php
------------------------------------------------------------------------------
PHP Security Tip 1 (translation)
If you are looking for a security silver bullet (in legend, only a silver bullet through the heart can kill the monster (a vampire? a werewolf). In Fred Brooks's famous software-engineering books The Mythical Man-Month and No Silver Bullet, ever-larger software development projects are compared to an uncontrollable monster, and the hope is for a technique that, like the silver bullet killing the monster, solves the problem once and for all. Translator's note), I have bad news for you: there is none. Security requires continuous effort and a great deal of small, tedious work rather than being solved as one big problem. This month we are starting a new feature on DevZone, "Security Tip of the Week". To get started, during March we will post one tip every day. Some tips will be concrete things you can do; others will be general concepts you need to be aware of; all of them will be brief. Enough talk, here is our first "Security Tip of the Week".
Comment:
Mailing list
Joining the relevant mailing lists is a good idea. At the address below you can find the announcement list for the latest PHP release news!
http://www.php.net/mailing-lists.php
------------------------------------------------------------------------------
PHP Security Tip #2
Cal Evans (editor) | 3 comments | Friday, March 2, 2007
Security by obscurity is no security at all. On the other hand you don't want to give away information about your site either. Today's tip is a simple one but one that is often overlooked in production environments.
Make sure you do not display errors and potentially leak information about your site.
Simply setting display_errors = Off in your php.ini of your production server will prevent you from leaking information that may give intruders hints to the structure of your system. By default, display_errors = On.
You can find more information and error reporting options in the manual's Error Handling and Logging Functions Introduction section.
------------------------------------------------------------------------------
PHP Security Tip #2 (translation)
Security by obscurity provides no real security (Security by obscurity is no security at all.), but on the other hand you do not want to leak information about your site either.
Today's tip is simple, but it is often overlooked in production environments.
Be sure not to display error messages or information that could potentially leak details of your site.
Simply setting display_errors = Off in php.ini on the production server prevents leaking information about the system's structure that could give intruders an opening. The default setting is display_errors = On.
You can find more information and error-reporting options in the Error Handling and Logging Functions introduction section of the manual.
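As an added example (not code from Cal Evans' post or the translator), here is a production-side PHP setup that implements this tip: diagnostics go to the error log rather than to the browser, and the script refuses to serve if display_errors is still on. The log path, the handler logic and the generic client message are the editor's assumptions, not from the page.

```php
<?php
// Added example: keep error detail out of the HTTP response while preserving it for operators.
// php.ini equivalent for production (only display_errors = Off is from the original tip;
// the rest is an added recommendation):
//   display_errors = Off
//   log_errors     = On
//   error_log      = /var/log/php/app-errors.log   (assumed path)
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

// Refuse to run if the host is still in PHP's default "display everything" state.
function assertNoErrorDisplay(): void
{
    // display_errors may be stored as "1", "On", "stderr", "stdout", etc.
    $value = strtolower((string) ini_get('display_errors'));
    if (!in_array($value, ['', '0', 'off', 'false', 'no'], true)) {
        error_log('display_errors is enabled on a production host; refusing to serve');
        http_response_code(500);
        exit('An internal error occurred.');
    }
}

// Log the full diagnostic (level, message, file, line) for operators only.
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    error_log(sprintf('[%d] %s in %s:%d', $errno, $errstr, $errfile, $errline));
    return true; // handled: PHP's built-in handler (which may display) is skipped
});

// Uncaught exceptions: log everything, show the client nothing useful.
set_exception_handler(function (Throwable $e): void {
    error_log(sprintf('Uncaught %s: %s in %s:%d', get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
    http_response_code(500);
    echo 'An internal error occurred.'; // no stack trace, no paths, no SQL
});

assertNoErrorDisplay();

// Constructed demonstration: this warning lands in the log, not in the response body.
trigger_error('constructed demo warning', E_USER_WARNING);
echo "OK\n";
```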
------------------------------------------------------------------------------
PHP Security Tip #3
Cal Evans (editor) | 1 comment | Monday, March 5, 2007
Being security conscious is a good thing but that alone won’t solve the problem. Developers have to be vigilant when it comes to security. Even then you can’t do it alone. Today’s security tip reminds you of this.
Since your application may be harboring security vulnerabilities that you have not been exposed to, third-party security software or services should be considered to help bring a fresh perspective and find overlooked weaknesses.
As a developer you should have tools in your toolbox that will help you find security vulnerabilities in your applications. Tools like Chorizo will help you by performing automated scans of your code. Programs like PHPSecInfo will help you ensure that your environment is configured properly.
Using tools like these and other scanning tools should not be the only thing you do to ensure security. They are however, an important part of the mix. Let trusted projects and vendors help you build and maintain secure applications.
------------------------------------------------------------------------------
PHP Security Tip #3 (translation)
Being security conscious is a good thing, but by itself it does not solve the problem. Developers must stay vigilant about security, and even that is not enough. Today's security tip is a reminder of this:
Because your application may harbor many security weaknesses you have never discovered, third-party security software or services can give your application a clear examination and uncover overlooked shortcomings.
As a developer, your toolbox should contain tools that help detect security weaknesses in your applications. A tool like Chorizo can automatically scan your code to find problems, and a program like PHPSecInfo can make sure your environment is configured correctly.
Using these or other scanning tools alone is not enough to guarantee security, but they are an important part of the overall mix. Trustworthy projects and vendors will help you build and maintain secure applications.
------------------------------------------------------------------------------
PHP Security Tip #4
Cal Evans (editor) | 7 comments | Tuesday, March 6, 2007
“Security through obscurity is no security at all.” so the adage goes. However, the flip side of that coin is, obscurity, when used as part of an overall strategy, is a good thing. There’s no sense in making things any easier for those with malicious intent. That brings us to our security tip for the day.
Give files and folders with critical information non-default names.
Don’t rely on obscure names to keep your application safe. You should always check permissions, test for vulnerabilities with testing tools and keep an eye on your log files for suspicious activity. When designing your applications and web sites though, don’t make it easy for bad people to do bad things. Don’t use default or common names for your files and directories.
Do you have a security tip you would like to share? A nugget of security truth you have gleaned through research or life’s school of hard knocks? Log in and click the contribute button in the upper right hand corner.
------------------------------------------------------------------------------
PHP Security Tip #4 (translation)
As the adage goes, "Security through obscurity provides no real security (Security through obscurity is no security at all.)". On the other hand, obscurity as part of an overall security strategy is a good thing: there is no sense in making things easier for people with bad intentions. That brings us to today's security tip.
Don't rely on obscure names to keep your application safe; you should regularly check permissions, test for weaknesses with testing tools, and keep an eye on your log files for suspicious activity. Even so, when designing applications and websites, don't give people with bad intentions an easy opportunity to do bad things. Don't use default or common names for your files and directories.
Do you have a security tip you would like to share? The gold you have gained through research