Server side validation in PHP. What should be covered for a secure system?

Views: 55

Question

Hi,

Recently I have been wondering 'how can I make this more secure' in regards to building websites.

As I have only recently started building webpages professionally, I have naturally been challenged with making sites more secure and I have practiced this so far through PDO prepared statements and parameterised queries, but what else would you consider an essential security measure?

I am currently looking into validation and the general idea is to use both server side and client side validation, for usability if anything.

So as my question states, I'm just wondering what I should be doing for the server side validation? I have looked at sanitizing filters and character lengths, but I really want to become well acquainted with these issues.

Thanks.

Recommended answers

Read this PHP 5 Form Validation and the few chapters that follow.


Pretty much everything which comes from the client side. Even what is entered automatically, not via UI, which is partially covered by Solution 1.

So, I want to emphasize only one point. Everything else you can logically draw from each kind of settings. Let's say, your server side gets an HTTP request. It contains the URI, the body of the request with data, normally in key-value pairs, metadata, in particular, client information (client IP, browser information), referrer, and so on. Of course it should be apparent to you that the user can enter any URI manually and inject anything there. But how about the rest of the HTTP request? If you have some UI, and some of the control values go directly to the request, it's apparent that it is easy to inject anything into the request. Moreover, anything can be sent even if JavaScript validates input on the client side.

But what if there is no UI? Remember once and forever: the whole HTTP request still can be forged. No, it's better to say: the whole HTTP request can easily be forged. No, not just easily, very easily.

Assuming that, sanitize every request reliably.

—SA
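As an added example (not code from the question or either answer), here is what "sanitize every request reliably" can look like in PHP for one form: every field is treated as untrusted, checked against an explicit rule (type, character set, length, numeric range) and rejected rather than "cleaned", and the validated values still go through a PDO prepared statement and are escaped only on output. The field names, limits, table and the sample request arrays are constructed for illustration, and the in-memory SQLite database assumes the pdo_sqlite extension is available.

```php
<?php
declare(strict_types=1);

// Validate one untrusted request body (a stand-in for $_POST) against an
// explicit list of fields. Returns an array of error messages; empty means valid.
function validateRegistration(array $input): array
{
    $errors = [];

    // Reject anything that is not a scalar string: a client can turn any field
    // into an array or drop it entirely just by editing the request.
    foreach (['username', 'email', 'age', 'bio'] as $field) {
        if (!isset($input[$field]) || !is_string($input[$field])) {
            $errors[$field] = "$field is required and must be a string";
        }
    }
    if ($errors !== []) {
        return $errors;
    }

    // Username: fixed character set and length. \z (not $) so a trailing
    // newline is not silently accepted.
    if (!preg_match('/^[A-Za-z0-9_]{3,32}\z/', $input['username'])) {
        $errors['username'] = 'username must be 3-32 characters of A-Z, a-z, 0-9 or _';
    }

    // Email: filter_var checks the syntax; the length cap is the RFC 5321 limit.
    $email = trim($input['email']);
    if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'email is not valid';
    }

    // Age: FILTER_VALIDATE_INT with a range rejects "30abc", "1e3" and out-of-range values.
    $age = filter_var($input['age'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 13, 'max_range' => 120],
    ]);
    if ($age === false) {
        $errors['age'] = 'age must be an integer between 13 and 120';
    }

    // Free text: must be valid UTF-8, and the limit is in characters, not bytes.
    $bio = $input['bio'];
    if (!mb_check_encoding($bio, 'UTF-8') || mb_strlen($bio, 'UTF-8') > 500) {
        $errors['bio'] = 'bio must be valid UTF-8 and at most 500 characters';
    }

    return $errors;
}

// Store validated data with a prepared statement. Validation narrows what
// reaches the database; it never replaces parameterised queries.
function storeUser(PDO $pdo, array $input): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO users (username, email, age, bio) VALUES (:username, :email, :age, :bio)'
    );
    $stmt->execute([
        ':username' => $input['username'],
        ':email'    => trim($input['email']),
        ':age'      => (int) $input['age'],
        ':bio'      => $input['bio'],
    ]);
}

// Escape for HTML at output time, so the stored value itself stays intact.
function renderName(string $username): string
{
    return htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample requests: one well-formed, one with every field malformed.
$good = ['username' => 'alice_01', 'email' => 'alice@example.com', 'age' => '30', 'bio' => 'Hello'];
$bad  = ['username' => "alice'; --", 'email' => 'not-an-email', 'age' => '30abc', 'bio' => str_repeat('x', 501)];

print_r(validateRegistration($good));
print_r(validateRegistration($bad));

// Demo database (constructed schema); requires the pdo_sqlite extension.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, email TEXT, age INTEGER, bio TEXT)');
if (validateRegistration($good) === []) {
    storeUser($pdo, $good);
}
echo renderName((string) $pdo->query('SELECT username FROM users')->fetchColumn()), "\n";
```

The design point is that each rule is a whitelist the server decides on its own: the client-side JavaScript checks, the `maxlength` attribute and the form itself are irrelevant to what arrives, so nothing in this code assumes the request was produced by the page's UI.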

