使 php web 应用程序安全 [英] making php web application secure
问题描述
为了保护我的项目免受攻击(例如:SQL 注入),我使用以下查询参数页(*.php?query=value) :
to protect my project from attacks (example: SQL injection) im using the below for query parameter pages(*.php?query=value) :
$id=strip_tags($id);
$id=mysql_real_escape_string($id);
if(is_numeric($id) && strlen($id)<=3) //id are numbers maximum of 3 digits
- 除此之外,我还使用客户端(JavaScript)&服务器端(php)验证,
strip_tags()根据需要过滤数据. - 密码使用
bcrypt() 加密 - 所有消息都使用
mcrypt_ecb() 加密 - 页面只能在
isset($_SESSION["id"])即登录后访问. error_reporting(0);隐藏错误.$_POST而不是$_REQUESTmysql_real_escape_string();对于每个输入- Apart from this im using client(JavaScript) & server side(php) validations,
strip_tags()to filter data as required. - Passwords are encrypted using
bcrypt() - All messages are encrypted using
mcrypt_ecb() - Pages can only be accessed when
isset($_SESSION["id"])ie logged in. error_reporting(0);to hide errors.$_POSTinstead of$_REQUESTmysql_real_escape_string();for every input- http://www.acunetix.com/websitesecurity/php-security-1/
- PHP 会话安全
- 可利用的 PHP 函数
- 净化用户输入的最佳方法是什么PHP?
- https://stackoverflow.com/questions/325862/what-are-the-most-common-security-mistakes-programmers-make
- 我应该了解哪些常见的网络漏洞?
- Yii
- CakePHP
- Zend
- Symfony
- Kohana (highly recommended)
实际上我的项目将被大学使用,我对安全性感到紧张,因为回溯很容易渗透,所以我努力使其安全.(我知道这是一个很大的问题,但任何形式的帮助都会非常有用)但作为一名学生,我想知道我还缺少什么才能使其安全?
actually my project will be used by college and im tensed about the security because backtrack makes it easy to penetrate, so im trying hard to make it safe. (i know it's a vast question, but any kind of help will be very useful) but as a student i want to know what else im missing to make it safe ?
推荐答案
首先:
在非常非常少或PDO 代替.MySQLi,尤其是 PDO 函数,在安全方面更好. 但是,在这两者中,PDO 是最好的选择,因为它们通过准备好的语句为您提供更高的抽象,这大大增加了您的防御 SQL 注入攻击:
Use PHP's MySQLi functions instead at the very, very minimum or PDO instead. MySQLi and especially PDO functions, are better security-wise. But, of the two, PDOs are the best deal as they offer you higher abstraction with prepared statements which greatly increases your defense against SQL injection attacks:
PHP 应用程序中的大多数 SQL 语句使用变量输入来判断 SQL 语句的结果.通过用户提供安全输入到 SQL 语句,使用参数准备语句标记 (?) 或代表变量输入的命名变量.什么时候你执行准备好的语句,你将输入值绑定到参数标记.数据库引擎确保每个输入值被视为单个参数,防止 SQL 注入攻击反对你的申请.与通过发布的声明相比PDO::exec(),准备好的语句提供了性能优势,因为数据库管理系统为每个人创建一个访问计划准备好的语句,如果重新发出语句,它可以重用随后.
Most SQL statements in PHP applications use variable input to determine the results of the SQL statement. To pass user-supplied input to an SQL statement safely, prepare a statement using parameter markers (?) or named variables representing the variable input. When you execute the prepared statement, you bind input values to the parameter markers. The database engine ensures that each input value is treated as a single parameter, preventing SQL injection attacks against your application. Compared to statements issued through PDO::exec(), prepared statements offer a performance advantage because the database management system creates an access plan for each prepared statement that it can reuse if the statement is reissued subsequently.
另外,避免使用一些旧的折旧 PHP 函数.
Also, avoid using some of the older depreciated PHP functions.
接下来,一般来说,如果您使用 PHP 或任何创建动态请求的语言,这意味着用户在某种程度上的输入,并且通常是与数据库的后续交互.网络编程的规则 1:在任何情况下永远不要相信用户输入. 输入的所有内容都必须经过清理和验证,以避免出现安全问题.您可以使用 PHP 本地完成此操作,但老实说,这需要大量工作和对细节的大量关注 - 当然,这会延长您的开发时间.
Next, generally, if you're using PHP or any language that creates dynamic requests, that implies user input on some level, and most oftentimes, a subsequent interaction with the database. Rule 1 of web programming: never, ever under under any circumstances trust user input. At all. Everything entered must be cleaned, validated to avoid security problems. You can do this natively with PHP, but honestly it takes a lot of work and a lot of attention to detail - which of course, expands your development time.
如果这不是学术练习或自我训练 - 如果可以,请尝试使用框架 - 它可能会在以后为您省去很多麻烦,因为好的框架可以照顾一些处理转义、验证等的开销.这意味着,如果你去突击队并在没有框架的情况下编写自己的代码:大多数(如果不是全部)你将实现的功能都会为你完成,而且很有可能 - 在框架中做得更好.
If this is not an academic exercise or one dealing with self-training - try to use a framework if you can - it potentially can save you many headaches later down the road as good frameworks can take care of some of the overhead of dealing with escapes, validation and the like. What that means is that if you go commando and write your own code with no framework: most, if not all of the functionality you'll be implementing would be done for you and chances are - done better in a framework.
此外,它们使 PHP 开发更容易,并且偶尔,有趣.当然,并非所有框架都生而平等,所有框架也都有安全问题.但是,这是您必须牢记的事情,并始终虔诚地让自己了解情况.
Plus, they make PHP development easier, and occasionally, fun. Of course, not all frameworks are created equal, and all frameworks have security issues, too. But, this is something you will have to keep in mind and keep yourself informed at all times, religiously.
如果这是一项学术练习或自学练习,请阅读:
If this is an academic exercise, or a self-learning one, read this:
许多顶级 StackOverflow PHP 帖子和 Programmers.StackExchange 帖子可以为您的旅程提供帮助.
A lot of the top StackOverflow PHP posts and Programmers.StackExchange posts can help you with your journey.
以下是一些开始:
(这个更多的是对这些链接中大多数讨论内容的概述)
(This one's more of an overview of what most of these links discuss)
阅读您所在领域的安全实践.它在不断发展.
如果您对框架感兴趣,这里有一些受欢迎的框架可以激发您的兴趣:
If you're interested in frameworks, here are a few of the popular ones to pique your interest:
但是,不管怎样 - 祝你好运!
But, either way - good luck!
这篇关于使 php web 应用程序安全的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
