PHP Security Tip #12
Original article: http://devzone.zend.com/article/1821-PHP-Security-Tip-12
We’ve talked about filtering, we’ve talked about validating, we’ve talked about filtering again. Filtering inputs into your application is an important concept and the precursor to many good security practices. However, once you have the input filtered and validated you can’t simply sit back and relax. You have to stay vigilant when programming to ensure security throughout your application.
Filtering input gives some developers a false sense of security. They assume that since they’ve filtered the input, there’s no reason to worry. That may be true in some simple instances, but in most complex applications you have to constantly be aware of what you are using the input for. This is never more true than when using user input in the eval() command. That brings us to today’s tip:
Think carefully before using eval()
ÔÚʹÓÃeval()ǰ½øÐÐ×ÐϸµÄ¿¼ÂÇ
By using user-inputted values in an eval(), you are potentially giving a malicious user a gateway to your server. Even if your interface forces them to choose only predefined options, the call to your script can be spoofed, and your script can potentially be used to execute commands on demand by people who want to do bad things.
ÔÚʹÓÃeval()ÄÚµÄÓû§ÊäÈëÐÅϢʱ£¬ÄãÕýÔÚ¸øÄÇЩÀ´Òâ²»ÉÆµÄÓû§Ò»¸ö½øÈëÄã·þÎñÆ÷µÄÈë¿Ú¡£¼´±ãÄãµÄ½çÃæÇ¿ÖÆËûÃÇÖ»ÄÜÑ¡ÔñÔ¤Ïȹ涨ºÃµÄѡѡÏ»¹ÊÇ¿ÉÒÔÆÛÆÄãËùµ÷ÓõĽű¾ÒÔ¼°ÄãÄÇЩDZÔڵĿÉÓÃÀ´Ö´ÐÐÄÇЩÏë×ö»µÊµļһïÏëÒªµÄÃüÁî¡£
Use eval() sparingly. When you do have to use it, make sure you filter and then validate the input. If there are other ways to accomplish the task then consider using them instead.
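As an added illustration (example code, not taken from the Zend article), the script below shows a feature that splices a request parameter into an eval() string, followed by the same feature rewritten without eval(): the user's choice is validated against a fixed allowlist and mapped to a predefined comparator. The `sort` parameter, the row data and the `sortRows*` function names are assumptions made for the example.

```php
<?php
// Constructed sample data for the example.
$rows = [
    ['name' => 'pear',  'qty' => 3],
    ['name' => 'apple', 'qty' => 7],
];

// VULNERABLE: the requested field is spliced into source text and run
// through eval(). The form may offer only "name" and "qty", but the
// request can be crafted by hand, so whatever arrives here executes
// as PHP on the server.
function sortRowsUnsafe(array $rows, string $field): array
{
    eval('usort($rows, function ($a, $b) {'
       . ' return $a["' . $field . '"] <=> $b["' . $field . '"]; });');
    return $rows;
}

// HARDENED: the same feature without eval(). User input is used only
// as a lookup key into a fixed allowlist of predefined comparators,
// and anything not on the list is rejected before it is used.
function sortRowsSafe(array $rows, string $field): array
{
    $sorters = [
        'name' => fn($a, $b) => strcmp($a['name'], $b['name']),
        'qty'  => fn($a, $b) => $a['qty'] <=> $b['qty'],
    ];
    if (!array_key_exists($field, $sorters)) {
        throw new InvalidArgumentException('unsupported sort field');
    }
    usort($rows, $sorters[$field]);
    return $rows;
}

// Simulated request value (constructed; a real script would read $_GET['sort']).
$requested = 'qty';
print_r(sortRowsSafe($rows, $requested));
```

Because the hardened version never turns the input into code, a spoofed request can at worst trigger the exception; the filtering and validation the article recommends happen before the value is used for anything.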