PHP安全性 [英] PHP Security
问题描述
我正在开发一个在线应用程序,我需要得到的最后一件事
处理安全性。
这个应用程序非常沉重的表单。业务关键数据将通过表单输入并插入数据库(mysql)。
我已经google了php security从我读过的内容,我应该:
1)通过剥离所有非字母/数字字符来过滤所有表单数据
out,
2)将数据库放在不同的服务器上,
3)使用POST按钮不是GET,
4)关闭全局变量。
5)使用会话进行登录
应该这样做吗?或者我需要更多的预防措施吗?
即使有了这一切,我还能被黑客攻击吗?
谢谢
bob
I am developing an online application and the last thing I need to get
a handle on is security.
This app is very heavy with forms. Business critical data will be
entered via forms and inserted in to a database (mysql).
I''ve google "php security" and from what I''ve read, I should:
1) Filter all form data by stripping all non-alpha/numeric characters
out,
2) Have the database on a different server,
3) Use "POST" not "GET",
4) Turn global variables off.
5) Use sessions for logins
Should this do it? Or do I need more precautions?
Even with all this can I still get hacked?
Thanks
bob
推荐答案
rj *********** @ gmail.com 写道:
我正在开发一个在线应用程序,我需要做的最后一件事
处理是安全。
不是我是专家,但你有这个倒退。安全性应该是第一个,而不是最后一件事。
您的应用程序的安全性已经注定要处于守势:它很难堵塞孔比破坏墙壁更难** b $ b ** **。
纠正这个问题的唯一方法是从头开始重写整个事情。
这是一个不言而喻:任何语言都是如此,而不仅仅是PHP。
这个应用程序非常沉重的表单。业务关键数据将通过表单输入并插入数据库(mysql)。
我已经google了php security。从我读过的内容,我应该:
1)通过剥离所有非字母/数字字符来过滤所有表单数据
2 )将数据库放在不同的服务器上,
3)使用POST不要GET,
4)关闭全局变量。
5)使用会话进行登录
这应该这样做吗?或者我需要更多预防措施?
哦,上帝是的。
您需要验证任何用户输入,这些用户输入是指向初学者的数据库。
仅此一点,如果做得好,应该让你的时间卡摇摇欲坠。
您的应用程序对数据库中的更改有多扎实?你检查
每个查询的回报吗?你可以采取*数百*的预防措施。
任何网页脚本语言都很方便(虽然有些比其他人更方便
)。但是他们会给你很多绳子让自己挂起来。
即使有了这一切,我还能被黑客攻击吗?
I am developing an online application and the last thing I need to get
a handle on is security.
Not that I''m an expert, but you have this backwards. Security should be
the FIRST, not last, thing you thing about.
Your application''s security is already doomed to be on the defensive: it''s
**much** harder to plug holes than it is to bulid walls. The only way to
correct this is to re-write the whole thing from scratch.
This is a truism: it''s true of any language, not just PHP.
This app is very heavy with forms. Business critical data will be
entered via forms and inserted in to a database (mysql).
I''ve google "php security" and from what I''ve read, I should:
1) Filter all form data by stripping all non-alpha/numeric characters
out,
2) Have the database on a different server,
3) Use "POST" not "GET",
4) Turn global variables off.
5) Use sessions for logins
Should this do it? Or do I need more precautions?
Oh, god yes.
You need to validate any user input that''s destined to the DB for starters.
That alone, when done well, should make your timecard shake in its shoes.
How solid is your application against changes in the database? Do you check
the return of every query? There''s *hundreds* of precautions you can take.
Any web scripting language is convenient (although some are more convenient
than others). But they give you a LOT of rope to hang yourself with.
Even with all this can I still get hacked?
鲍勃,没有进攻,但听起来你真的需要学习更多关于
PHP *和*安全的一般情况,如果你想编写声称
安全的应用程序。毫无疑问是一个糟糕的问题,但有些问题表明
的提问者需要回到书本上。
是的。当然,你可以被黑客入侵。即使你做的一切都是正确的,并且
听起来你的手上已经有一个不安全的应用程序,你可能会被黑客攻击。
黑客可以是非常聪明的人。
Bob, no offense, but it sounds like you really need to learn a lot more about
PHP *and* security in general if you want to write applications that claim to
be secure. No question is a bad question, but some questions signal that the
asker needs to go back to the books.
Yes. Absolutely, you can get hacked. Even if you do everything correct, and
it sounds like you already have an insecure application on your hands, you
can get hacked.
Hackers can be *very* smart folk.
安全是我开始之前需要处理的最后一件事。
我还没有开始,直到我确信这个应用程序是合理的安全且我已经尝试过真正的方法来恢复
$我遭到黑客攻击后的b $ b。
如果我不能,我将不会这样做,我将处理crictical busines数据。
我明白这是一场永无止境的战斗,并且没有任何应用程序将会是100%安全的,而且我将不得不经常监视它。
但话说回来,我必须采取合理措施,等待
完美并不合理。问题是什么是合理的?
Security is the last thing I need to get a handle on BEFORE I start.
I have not started yet, and I won''t until I am confident the app is
reasonably secure and that I have tried and true methods to recover
after I am hacked.
I won''t do this if I can''t, I will be handling crictical busines data.
I understand it''s a never ending battle, and that no app will ever be
100% secure, and that I will have to monitor it constantly.
But having said that, I have to take reasonable measures, waiting for
perfection is not well, reasonable. Question is what is reasonable?
从我已经完成的研究,主要是通过谷歌,我有的步骤
From the research I''ve done, mostly via google, the steps I have
概述似乎应该做的最少。
为此,我将添加用户输入的验证并检查
查询的结果。
(我总是检查查询结果,我只是没有提到它。)
如果没有详细介绍,那么
$的确认不多b $ b用户输入除了剥离特殊字符我还可以做,我不会保证邮政编码或电话号码或电子邮件地址或数据是高价的b / b
特色。
我在这个主题上看到的书籍似乎缺乏。书上有什么建议
?
outlined appear to be the least that should be done.
To that I will add validation of user input and checking the results on
queries.
(I always check the results on queries, I just didn''t mention it).
Without about getting in to specifics there is not much validation of
user input I can do besides stripping out special characters, I won''t
be saving zip codes or phone numbers or email address or data that is
highly characterisable.
The books I have seen on the subject appear lacking. Any suggestions
on books?
rj *********** @ gmail.com 写道:
安全是我需要处理BEFORE的最后一件事我开始了。
我还没有开始,直到我确信应用程序相当安全并且我已经尝试过真正的方法来恢复
我被黑了之后。
啊,然后我道歉。我的印象是你已经写了一个关键任务应用程序然后想要确定安全性。对不起
的误会!
我相信你能明白为什么我感到恐惧。 ; *)
如果没有详细说明,除了剥离特殊字符外,我没有太多验证用户输入,我不会保存zip代码或电话号码或电子邮件地址或具有高度特色的数据。
我在这个主题上看到的书籍似乎缺乏。书上有什么建议吗?
Security is the last thing I need to get a handle on BEFORE I start.
I have not started yet, and I won''t until I am confident the app is
reasonably secure and that I have tried and true methods to recover
after I am hacked.
Ahh, then I apologize. I was under the impression that you had already
written a mission critical app and then wanted to tack on security. Sorry
for the misunderstanding!
I''m sure you can see why I was horrified. ;*)
Without about getting in to specifics there is not much validation of
user input I can do besides stripping out special characters, I won''t
be saving zip codes or phone numbers or email address or data that is
highly characterisable.
The books I have seen on the subject appear lacking. Any suggestions
on books?
我所知道的关于PHP安全性和防御性编程的一切我带来了来自其他语言的
我,潜伏在这个新闻组中,花了很多时间
阅读其他人的代码。我发现通过编写良好的代码,
尤其是当程序员足够亲切地回复电子邮件时,是最好的老师。不幸的是,我是自学成才。
但是,似乎有几本关于PHP安全性的书籍:
http:// www .nerdbooks.com / search.php?...%20security%5D
ORA很难出错,但是他们一直在滑倒最近的质量。
我认为所有微软技术都在腐蚀他们的大脑。尽管如此,这本书于2005年出版,令人鼓舞。
我已经翻阅了最佳实践。 Wiley书中的一章。好像
喜欢很多明显的建议(比如像
正确命名变量这样的事情。)我读到的一点点写得很好但是
这本书于2003年出版
祝你的应用好运。我发现输入验证需要很多
。有些人逍遥法外。在撰写正则表达式时非常出色
肯定会有所帮助!
Pete
Everything I know about PHP security and defensive programming I brought with
me from other languages, lurking in this newsgroup, spending a lot of time
reading other peoples'' code. I find pouring through well written code,
especially when the programmer is gracious enough to reply to email, is the
best teacher. I''m self taught, unfortunately.
However, there seems to be books a few books specifically on PHP security:
http://www.nerdbooks.com/search.php?...%20security%5D
It''s hard to go wrong with ORA, but they''ve been slipping in quality lately.
I think all that Microsoft technology is rotting their brain. Nevertheless,
the book is published 2005 which is encouraging.
I''ve thumbed through the "best practices" chapter in the Wiley book. Seems
like a lot of obvious suggestions (like making a big deal about things like
"naming variables correctly".) The little bit I read was well written, but
the book was published 2003
Good luck with your app. I find that input validation requires a lot of
thought. Some people are fast at it. Being excellent at composing regexes
will certainly help!
Pete
这篇关于PHP安全性的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
