我应该在PHP中注意哪些安全问题 [英] What security issues should I look out for in PHP

问题描述

我刚开始学习PHP，很长时间以来我一直在ASP.Net中开发Web应用程序.我想知道是否应该寻找任何特定于PHP的安全性错误.

I just starting out learning PHP, I've been developing web apps in ASP.Net for a long time. I was wondering if there are any PHP specific security mistakes that I should be looking out for.

所以，我的问题是每个PHP开发人员应该知道的最重要的安全提示是什么?

So, my question is what are the top security tips that every PHP developer should know?

请在每个答案中给每个提示一个提示，以便人们可以有效地上下投票.

Please keep it to one tip per answer so people can vote up/down effectively.

推荐答案

(无特定顺序)

1. 始终检查注册全局变量是否已关闭
2. 始终检查魔术引号已关闭
3. 确保您了解 SQL注入攻击
4. 在生产中关闭错误报告

1. Always check that register globals are OFF
2. Always check that magic quotes are OFF
3. Make sure you understand SQL injection attacks
4. Turn OFF error reporting in production

编辑:对于其中的新手"，这是一个基本的原因(并且由于我有时间对此进行解释):

For the "newbies" out there this is a basic why (and since I have time to explain this):

1. 注册全局变量是一种异常.这是有史以来的终极安全漏洞.例如，如果register_globals处于打开状态，则URL http://www.yourdomain.com/foo.php?isAdmin = 1 会将$ isAdmin声明为全局变量，而无需代码.我不知道为什么这个功能"成为了PHP的代名词，但背后的人的额头上应该有以下纹身:我发明了PHP Register Globals"，以便我们在逃离时像虫子一样逃离看到他们！

1. Register globals is an aberration. It's the ultimate security hole ever. For example, if register_globals is on, the url http://www.yourdomain.com/foo.php?isAdmin=1 will declare $isAdmin as a global variable with no code required. I don't know why this "feature" has made it's way to PHP, but the people behind this should have the following tattooed on their forehead: "I invented PHP Register Globals" so we can flee them like pest when we see them!

魔术引号是另一个愚蠢的想法，它已经成为PHP的一种方式.基本上，当启用PHP时，PHP会自动转义引号(变为\"和变为\")以帮助进行SQL注入攻击.这个概念不错(有助于避免注入攻击)，但是转义 all 的GET，POST和COOKIE值会使您的代码变得如此复杂(例如，每次显示和数据时都必须转义).另外，如果有一天您在不对代码进行任何更改的情况下将此设置关闭了，则所有代码和/或数据都将损坏，并且(甚至更多)容易受到注入攻击(即使在打开时也很脆弱).

Magic quotes is another dumb idea that has made it's way to PHP. Basically, when ON PHP will escape quotes automatically (' become \' and " become \") to help with SQL injection attacks. The concept is not bad (help avoid injection attacks), but escaping all GET, POST and COOKIE values make your code so much complex (for example, have to unescape everytime when displaying and data). Plus if one day you switch this setting OFF without doing any change to your code, all your code and/or data is broken and (even more) vulnerable to injection attacks (yes even when ON you are vulnerable).

您的数据库数据是您网站上最有价值的数据.您不希望人们对此感到困惑，因此请保护自己并牢记这一点并和阅读相关内容.

Your databse data is your most valuable thing on your site. You don't want people to mess with it, so protect yourself and read things about it and code with this in mind.

同样，这可能会导致安全问题.该错误消息可以为黑客提供有关代码工作方式的提示.而且这些消息对您的访问者没有任何意义，为什么要显示它们?

Again this can lead to security concerns. The error message can give hints to hackes on how your code works. Also these messages don't mean anything to your visitors, so why show them?

这篇关于我应该在PHP中注意哪些安全问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！