PHP安全性问题? [英] PHP security question?

问题描述

我只是想知道在创建接受文章的网页时应该使用哪些基本的PHP安全技术?

I just wanted to know what are some basic PHP security techniques I should use when creating a web page that accepts articles?

我对PHP还是很陌生，想知道在成为安全专家之前会导致什么失败?

I'm fairly new to PHP and was wondering what will hold the fort down until I'm a security expert?

推荐答案

在接受用户生成的文本(稍后显示)时，有两个方面需要考虑.

There are two fronts to consider when accepting user-generated text that will later be displayed.

首先，您需要保护数据库免受注入攻击.为此，有一个简单的PHP函数: mysql_real_escape_string()通常足以保护您的数据库免于注入该字符串时存储为字段值.

First off, you need to protect your database from injection attacks. There's a simple PHP function for this: mysql_real_escape_string() will usually suffice to protect your database from injection when passing this string in to store as a field value.

从那里开始，您必须小心显示，因为被允许上传HTML代码的用户在显示该代码时，可能会对其他用户进行令人讨厌的事情.如果您要撰写纯文本文章，则可以简单地 htmlspecialchars()结果文本. (您可能还希望将换行符转换为
标记.)如果您使用的是格式设置解决方案(例如本网站上使用的Markdown引擎)，则这些解决方案通常会根据引擎的功能提供HTML清理功能，但请务必阅读文档并确定.

From there, you have to be careful about your display, as a user who is allowed to upload HTML code can do nasty things to other users when that code gets displayed. If you're doing plaintext articles, you can simply htmlspecialchars() the resulting text. (you'll also probably want to convert newlines to
tags.) If you're using a formatting solution, such as the Markdown engine used on this site, those solutions will usually provide HTML sanitization as a function of the engine, but be sure to read the documentation and make sure.

哦，请确保您还正在验证用于提交文章的GET/POST变量.不用说，执行的验证将需要针对您的网站使用其逻辑所做的定制.

Oh, make sure you're also verifying your GET/POST variables used to submit the articles. That goes without saying, and the verification performed is going to need to be tailored to what your site is doing with its logic.

这篇关于PHP安全性问题?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！