CakePHP Security


Question


I am new to security of web apps. I am developing an application in CakePHP and one of my friends told me about the cross-site request forgery (CSRF) and cross-site scripting (XSS) attacks etc.; not sure how many more there are.


I need some help in understanding how to make CakePHP defend my web app against these. We are low budget and we can't hire a security consultant as of now. We are still developing the app and plan to release it by the end of the month. So I wanna take care of the initial stuff that can help me stand unhacked ;)

Recommended answer


There is not (and cannot be) one tool you can deploy and then never have to think about security again. Deploying ‘anti-XSS’ hacks like CakePHP's Sanitize::clean will get in users' way by blocking valid input, whilst still not necessarily making the app secure. Input filtering hacks are at best an obfuscation measure, not a fix for security holes.


To have a secure web application, you must write a secure web application, from the ground up. That means, primarily, attention to detail when you are putting strings from one context into another. In particular:

  • any time you write a string to HTML text content or attribute value, HTML-escape it (htmlspecialchars()) to avoid HTML-injection leading to XSS. This isn't just a matter of user input that might contain attacks, it's the correct way to put plain text into HTML.

Where you are using HTML helper methods, they should take care of HTML-escaping of those elements by default (unless you turn off escape); it is very unfortunate that the CakePHP tutorial includes the bad practice of echoing unescaped strings into HTML for text outside of HTML helpers.

  • any time you create SQL queries with string values, SQL-escape them (with an appropriate function for your database such as mysql_real_escape_string).

  • avoid using user input (eg file upload names) to name files on the filesystem (generate clean unique IDs instead) or as any part of a system() command.

  • include the Security component to add a form submission token scheme that will prevent XSRF on forms generated by CakePHP.
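The escaping discipline the answer describes, as an added example that is not part of the original answer: a constructed attacker-style string is written into HTML text and an attribute value both raw and escaped, and the SQL point is shown with a PDO prepared statement (a swapped-in technique that keeps data out of the query text altogether, rather than the escaping function the answer names). The `esc_html` helper, the sample input and the in-memory SQLite database (which assumes the pdo_sqlite extension) are all assumptions of this example.

```php
<?php
// Constructed sample input, standing in for an attacker-controlled $_GET value.
$untrusted = '"><script>alert(1)</script>';

// Wrong: raw echo into HTML text content, the pattern the answer criticises.
$vulnerable = '<p>Hello ' . $untrusted . '</p>';

// Right: escape for the HTML context. ENT_QUOTES also encodes single quotes, so
// the same helper is safe inside attribute values. (CakePHP ships its own h()
// wrapper around htmlspecialchars; this hypothetical helper is named
// differently to avoid confusion with it.)
function esc_html($s) {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}
$safe_text = '<p>Hello ' . esc_html($untrusted) . '</p>';
$safe_attr = '<input name="q" value="' . esc_html($untrusted) . '">';
// $safe_text is now: <p>Hello &quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;</p>

// SQL: a bound parameter is never interpreted as query syntax, so a value
// built to break out of a quoted literal simply matches no row.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE users (name TEXT)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice')");
$stmt = $pdo->prepare('SELECT name FROM users WHERE name = :name');
$stmt->execute(array(':name' => "alice' OR '1'='1"));   // bound, not concatenated
$rows = $stmt->fetchAll(PDO::FETCH_COLUMN);            // empty array: no such name

// CSRF: the Security component the answer mentions is enabled in CakePHP 2-era
// code by declaring it on AppController (assumed syntax for that version):
//     public $components = array('Security');
// FormHelper-generated forms then carry a per-request token that the
// component checks on submission.
```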
