[Translation] PHP Security Tips (Part 2)
Lately I have been paying close attention to PHP security. Many developers in China, especially PHP beginners, are often satisfied once the functionality works; they barely touch on security or ignore it altogether. The consequences are serious: rampant SQL injection, and even cases where the database connection file could be downloaded directly... This article is translated from Cal Evans' series published on DevZone, PHP Security Tips. Although these are not the latest articles, many of the principles and classic practices they mention still deserve attention, and they are well worth reading. I offer this translation hoping it helps readers build sound security awareness and understand the necessary precautions. Places where I have added my own understanding and notes are marked. This is my first translation; corrections are welcome. Thank you! - By Falcon
The original series has 21 tips; this is the second half of the translation.
[Translation] PHP Security Tips (Part 1)
------------------------------------------------------------------------------
PHP Security Tip #12
Cal Evans (editor) | 1 comment | Friday, March 16, 2007
We’ve talked about filtering, we’ve talked about validating, we’ve talked about filtering again. Filtering inputs into your application is an important concept and the pre-cursor to many good security practices. However, once you have the input filtered and validated you can’t simply sit back and relax. You have to stay vigilant when programming to ensure security throughout your application.
Filtering input gives some developers a false sense of security. They assume that since they've filtered the input, there's no reason to worry. That may be true in some simple instances but in most complex applications, you have to constantly be aware of what you are using the input for. This is never more true than when using user input in the eval() command. That brings us to today's tip:
Think carefully before using eval()
By using user-inputted values in an eval(), you are potentially giving a malicious user a gateway to your server. Even if your interface forces them to choose only predefined options, the call to your script can be spoofed and your script can potentially be used to execute commands on demand by people who want to do bad things.
Use eval() sparingly. When you do have to use it, make sure you filter and then validate the input. If there are other ways to accomplish the task then consider using them instead.
=C=
------------------------------------------------------------------------------
PHP Security Tip #12 (translation)
We have talked about filtering, we have talked about validation, and now let us talk about filtering again.
Filtering user input is an important concept and the precursor to many good security habits. However, once the input has been filtered and validated, you cannot sit back and rest. To keep the whole application secure, you must stay vigilant while coding.
Filtering input gives some developers a false sense of security: they assume that since the input has already been filtered, there is no reason to worry any more. That may be true in some simple cases, but in large, complex applications you must constantly keep in mind what you are using that input for. This is especially so when user input is used in the eval() command, which brings us to today's tip:
Think carefully before using eval().
When you use user-supplied values in eval(), you may be opening the door for a malicious user into your server. Even if your interface only lets them choose predefined options, the call to your script can be spoofed, and your script could potentially be used to execute whatever commands they request, for malicious ends.
Use eval() sparingly. When you must use it, be sure to filter and then validate the user input. If there are other ways to accomplish the same task, consider using them instead.
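The following is an added example, not code from Cal Evans' post or from the translator, illustrating the point of Tip #12 above (both the original and the translated section): the same hypothetical calculator feature written once with request data spliced into eval(), and once without eval() at all, where the numbers are filtered, the operation is validated against a whitelist, and the work is dispatched through a lookup table. The parameter names (`op`, `a`, `b`) and function names are this example's own assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not from the original post. A hypothetical endpoint that
// receives ?op=...&a=...&b=... (names are assumptions of this example).

// 1. The pattern the tip warns against: request data is spliced into eval().
//    Even if the HTML form only offers "add" and "mul", nothing stops a client
//    from sending arbitrary text in $params['op'], which eval() then executes.
function calculate_with_eval(array $params)
{
    $code = 'return ' . $params['a'] . ' ' . $params['op'] . ' ' . $params['b'] . ';';
    return eval($code);   // user input becomes PHP code: avoid this
}

// 2. The same feature without eval(): filter the numbers, validate the
//    operation against a whitelist, and dispatch through a lookup table.
//    The user can only ever pick a key; the code that runs is fixed here.
const ALLOWED_OPS = [
    'add' => 'op_add',
    'sub' => 'op_sub',
    'mul' => 'op_mul',
];
function op_add(float $a, float $b): float { return $a + $b; }
function op_sub(float $a, float $b): float { return $a - $b; }
function op_mul(float $a, float $b): float { return $a * $b; }

function calculate_safely(array $params): float
{
    // Filter: coerce operands to floats; anything non-numeric comes back false.
    $a = filter_var($params['a'] ?? null, FILTER_VALIDATE_FLOAT);
    $b = filter_var($params['b'] ?? null, FILTER_VALIDATE_FLOAT);
    if ($a === false || $b === false) {
        throw new InvalidArgumentException('operands must be numeric');
    }
    // Validate: the operation must be exactly one of the predefined keys.
    $op = $params['op'] ?? '';
    if (!is_string($op) || !array_key_exists($op, ALLOWED_OPS)) {
        throw new InvalidArgumentException('unknown operation');
    }
    // Dispatch: look the handler up; no user-controlled text is ever executed.
    $handler = ALLOWED_OPS[$op];
    return $handler($a, $b);
}

// Demonstration with constructed inputs.
printf("2 + 3.5 = %s\n", calculate_safely(['op' => 'add', 'a' => '2', 'b' => '3.5']));
$rejected = [
    ['op' => 'div', 'a' => '1',  'b' => '2'],   // operation not in the whitelist
    ['op' => 'add', 'a' => '2;', 'b' => '3'],   // operand fails the numeric filter
];
foreach ($rejected as $bad) {
    try {
        calculate_safely($bad);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The whitelist-plus-dispatch shape is the usual replacement for eval() when the input is meant to select among a fixed set of behaviours: validation becomes an `array_key_exists` check rather than an attempt to sanitise PHP source text.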
------------------------------------------------------------------------------
PHP Security Tip #13
Cal Evans (editor) | 4 comments | Tuesday, March 20, 2007
Security is a mindset, not just something you do. It colors your application design as well as your coding. However, you also need to constantly monitor your production environment. That's where selecting the right tool comes into play. I know I've mentioned PHPSecInfo before but I think this tool is important enough to warrant its own post.
PHPSecInfo is a great tool to use to keep an eye on your production environment. It was written by Ed Finkler of CERIAS, the Center for Education and Research in Information Assurance and Security at Purdue University. It is officially a project of the PHP Security Consortium. Here’s what the PHPSecInfo homepage has to say about itself.
PHPSecInfo provides an equivalent to the phpinfo() function that reports security information about the PHP environment, and offers suggestions for improvement. It is not a replacement for secure development techniques, and does not do any kind of code or app auditing, but can be a useful tool in a multilayered security approach.
If you need more info, here’s the link to a short interview with Ed talking about PHPSecInfo. Here is another link to the latest release notice for version 0.2.
As with all security measures, by itself it’s not the silver bullet. Used properly though, it can be part of a comprehensive solution.
------------------------------------------------------------------------------
PHP Security Tip #13 (translation)
Security is a mindset, not just a set of things you do; it colors your application design and your coding. However, you also need to continuously monitor the production environment, and that is where choosing the right tool comes into play. I have mentioned PHPSecInfo before, and I think this tool is important enough to give it a section of its own.
PHPSecInfo is a powerful tool for keeping an eye on the production environment. It was written by Ed Finkler of CERIAS (the Center for Education and Research in Information Assurance and Security at Purdue University), and it is an official project of the PHP Security Consortium (PHPSecInfo rocks!). Here is what the PHPSecInfo homepage says about itself:
PHPSecInfo provides an equivalent of the phpinfo() function that reports security information about the PHP environment and offers suggestions for improvement. It is not meant to replace secure development techniques, and it does not perform any kind of code or application auditing, but it is a useful tool as part of a multilayered security approach.
If you want more information, below is a link to a short interview in which Ed talks about PHPSecInfo, and another link to the release announcement for the latest version, 0.2.
http://devzone.zend.com/node/view/id/1099
http://devzone.zend.com/node/view/id/1735
Like all security measures, PHPSecInfo by itself is not a silver bullet (see the translator's note under Tip #1); used properly, though, it can be part of a comprehensive solution.
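To make concrete what a "phpinfo()-style report of security information with suggestions" looks like, here is an added example for Tip #13 (original and translation above). It is not PHPSecInfo's own code; the set of php.ini directives it inspects, the pass/fail conditions and the advice strings are this example's own choices, and real PHPSecInfo covers many more checks.

```php
<?php
declare(strict_types=1);

// Added example, not PHPSecInfo's code: a minimal environment report over a
// handful of php.ini directives, in the spirit of the checks the tip describes.

function ini_bool(string $name): bool
{
    // ini_get() returns the raw string ("1", "0", "On", "Off", "") or false
    // when the directive is unknown; normalise the common truthy spellings.
    $v = strtolower((string) ini_get($name));
    return in_array($v, ['1', 'on', 'true', 'yes'], true);
}

/** Each check is [description, passes?, advice when it fails]. */
function security_checks(): array
{
    return [
        ['display_errors is off',
            !ini_bool('display_errors'),
            'Set display_errors=Off in production and log errors instead.'],
        ['expose_php is off',
            !ini_bool('expose_php'),
            'Set expose_php=Off so the X-Powered-By header does not advertise the PHP version.'],
        ['allow_url_include is off',
            !ini_bool('allow_url_include'),
            'Set allow_url_include=Off; include() of remote URLs should never be possible.'],
        ['allow_url_fopen is off',
            !ini_bool('allow_url_fopen'),
            'Disable unless the application really needs fopen()/file_get_contents() on URLs.'],
        ['session cookie is HttpOnly',
            ini_bool('session.cookie_httponly'),
            'Set session.cookie_httponly=1 so page scripts cannot read the session id.'],
        ['sessions accept cookies only',
            ini_bool('session.use_only_cookies'),
            'Set session.use_only_cookies=1 so session ids are not taken from the URL.'],
        ['open_basedir is set',
            (string) ini_get('open_basedir') !== '',
            'Restrict filesystem access with open_basedir.'],
    ];
}

/** Prints the report and returns the descriptions of the failed checks. */
function report(): array
{
    $failed = [];
    foreach (security_checks() as [$desc, $ok, $advice]) {
        printf("[%s] %s%s\n", $ok ? 'PASS' : 'FAIL', $desc, $ok ? '' : ' -> ' . $advice);
        if (!$ok) {
            $failed[] = $desc;
        }
    }
    return $failed;
}

$failed = report();
printf("%d check(s) need attention\n", count($failed));
```

Run it with the same SAPI and php.ini as the production application (for example through the web server rather than the CLI), since the two often load different configuration files; the tip's point is that such a report complements, rather than replaces, secure coding.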
------------------------------------------------------------------------------
PHP Security Tip #14
Cal Evans (editor) | 2 comments | Wednesday, March 21, 2007
Almost any application running PHP on the back-end uses web technologies for its front end. Many developers who think hard on PHP security don't spend a thought on front-end security for their application. Here's a tip to think long and hard about when building your HTML and JavaScript.
Any data inside of a cookie can be potentially seen by others - restrict it to a minimum
It’s a sad fact on today’s web but there are bad people out there. They want nothing more than for your application to leak sensitive data so they can exploit it. Make sure you look at the whole picture when evaluating the security of your application. This is very important when looking at what information you persist on the front end.
------------------------------------------------------------------------------
PHP Security Tip #14 (translation)
Almost all PHP applications run PHP as the back end and use web technologies as the front end. Many developers think hard about PHP security yet never consider the security of their front end. The tip here is: when you build your HTML and JavaScript, think longer and harder.
Any information kept in a cookie may be seen by others: keep that information to a minimum.
It is a sad fact of today's web that there are people of ill intent out there, who want nothing more than for your application
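As an added example for Tip #14 (original and translation above), not code from Cal Evans' post or from the translator: a hypothetical login handler written two ways. The first persists user attributes in cookies, where the browser owner, any script on the page and anyone on the network path can read them; the second keeps the data server-side and lets the cookie carry nothing but an opaque session id with HttpOnly, Secure and SameSite set. The user record and the function names are this example's assumptions; it needs PHP 7.3 or later for the array form of session_set_cookie_params().

```php
<?php
declare(strict_types=1);

// Added example, not from the original post. Hypothetical login handling,
// shown first the way the tip warns against and then with minimal cookie data.

// --- What the tip warns against: the cookie itself carries user data ---
function remember_user_in_cookies(array $user): void
{
    // Everything set here travels with every request and can be read, and
    // edited, on the client side; "role" in a cookie is data you no longer control.
    setcookie('email', $user['email'], time() + 86400, '/');
    setcookie('role',  $user['role'],  time() + 86400, '/');
}

// --- Minimum-data alternative: the cookie holds only an opaque session id ---
function remember_user_server_side(array $user): void
{
    session_set_cookie_params([
        'lifetime' => 0,       // session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => true,    // sent over HTTPS only
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',   // not sent on cross-site POST requests
    ]);
    session_start();
    session_regenerate_id(true);   // fresh id once the user is authenticated
    // The attributes stay in server-side storage, keyed by the id in the cookie.
    $_SESSION['user_id'] = $user['id'];
    $_SESSION['role']    = $user['role'];
}

// On later requests the server resolves the role from the session, so a client
// cannot change it by editing a cookie value.
function current_role(): ?string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    return $_SESSION['role'] ?? null;
}

// Demonstration with a constructed user record.
$user = ['id' => 42, 'email' => 'alice@example.com', 'role' => 'admin'];
remember_user_server_side($user);
printf("cookie carries only: %s=%s\n", session_name(), session_id());
printf("role resolved server-side: %s\n", current_role());
```

The general rule behind the tip is that a cookie should identify a server-side record, never be the record; the same applies to hidden form fields and JavaScript-visible storage on the front end.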