确保初学者的PHP表单安全吗?资源? [英] Securing PHP forms for beginners? Resources?
问题描述
我成功构建了第一个html/PHP表单,该表单使用_POST全局变量在多个页面之间传递变量,然后使用mail()函数通过电子邮件将结果发送给我.
I successfully built my first html/PHP form that passes variables between multiple pages using the _POST global variable and then emails me the results using the mail() function.
我敢肯定,这种形式现在已经不安全了,并且容易受到各种漏洞的攻击,而且我想知道如何弥补漏洞,但是我是PHP的初学者.
I'm sure this form is incredibly insecure as it is now and vulnerable to all matter of exploits and I want to know how to patch up the holes, however I'm pretty much a beginner to PHP.
您能推荐一些简单易懂的教程来保护PHP表单吗?
Can you recommend any simple-to-follow tutorials for securing PHP forms?
推荐答案
保护代码时,您需要做的第一,第二和第三件最重要的事情是假定代码处理的所有数据都以某种方式窃取了您的数据,并且破坏您的服务器.甚至您亲自将数据硬编码到脚本中! :P
The first, second and third most important thing you need to do when securing your code is to assume ALL data your code handles is somehow meant to steal your data and sabotage your server. Even data you have personally hard-coded into the scripts! :P
在使用每个数据之前,请确保它们均经过验证.使用 intval 和
Make sure every piece of data is validated and verified before you use it. Use the intval and floatval functions to verify numbers, regular expressions to verify text fields (usernames, passwords, etc...), and always try to use Parameterized Statements when doing SQL queries.
并使用户输入完全远离include和shell命令.如果您需要根据使用输入来执行include和shell命令,请在实际用户输入上使用switch和/或if语句,并基于它们执行静态命令.如果那也不起作用;在使用之前,非常彻底地验证,验证和清除输入信息……然后用手指指望所有好的开发者都在寻找另一种方式:)
And keep user input away from includes and shell commands altogether. If you need to do includes and shell commands based on use input, use switch and/or if statements on the actual user input and execute static commands based on them. And if that doesn't work either; validate, verify and sanitize the input extremely thoroughly before using it... then cross your fingers and hope all the good exploiters are looking the other way :)
最重要的是;非常非常非常偏执.人们渴望得到您! :)
Most importantly; be very very very paranoid. People ARE out to get you! :)
...然后让自己成为一个轻松的爱好,这样就不会发疯了xD
... then find yourself a relaxing hobby, so you don't go crazy xD
这篇关于确保初学者的PHP表单安全吗?资源?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
