
PHP Security Tips series #11 [translation]


Author: Cal Evans  Translated/edited by: w3pop.com  Published: 2007-07-27  Views: 2482

Original source: http://devzone.zend.com/article/1817-PHP-Security-Tip-11
Translation: linyupark@w3pop.com

I think we can all agree that users are at once the boon and the bane of our applications. On the one hand, if it weren't for users, we wouldn't have security problems. On the other hand, if we didn't have users, we wouldn't need the application to begin with. So we can all agree that in most cases, users aren't going away. This means that we have to factor them into our security mind-set. One good principle to adopt is:

I think we can all agree on this point: users are both the beneficiaries of our programs and a source of harm to them. In one sense, if there were no users, we would never run into security problems. On the other hand, if we had no users, we would not have needed to build the application in the first place. So in the vast majority of cases we have to accept the fact that users are not going away. This means we must factor them into our security mindset. One effective principle (approach) to adopt is:

The Principle of Least Privilege
Grant permissions to users only to the level needed

This is a basic programming principle and can be seen most readily in Unix security. When dealing with users and resources in Unix, users have to be explicitly granted access to resources. Permissions are granted in such a way as to give the user the least permission necessary to gain access to the resource. We can adopt this concept when building our applications by considering carefully the users who will need to access each page and feature.

This is the most basic principle of program design, and it is most easily seen in Unix security (translator's note: a Unix system can assign permissions to each distinct system user). When dealing with users and resources in Unix, explicit access permission is always required. When permissions are assigned, the user is given only the permissions needed to access the resource in question. We can adopt this concept when building our applications by considering which users will need to reach each page and feature.

Most modern PHP frameworks have the concepts of authentication and access control. In the Zend Framework, authentication is handled by Zend_Auth, but access control, a separate issue, is handled with Zend_Acl.

The most popular PHP frameworks include the concept of authenticating access to controllers. In the Zend Framework, authentication is handled by Zend_Auth; beyond that, Zend_Acl can handle access control for controllers.

Whichever framework you use, good security practices suggest that you carefully consider the access restrictions you place on each page or feature. Whenever possible, limit access to the fewest number of users possible.

Whichever framework you use, sound security practice recommends placing access restrictions on every page and feature. Wherever possible, limit access to as few users as possible.
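The following is an added example, not code from the original article or from the Zend Framework itself, showing how the least-privilege idea above maps onto Zend_Acl and Zend_Auth in Zend Framework 1. It assumes the Zend Framework 1 library is on the include_path; the role names (guest, member, editor), the resource names (article, admin), the privilege names, and the `role` property on the authenticated identity are all constructed for illustration.

```php
<?php
// Added example (not part of the original article): a default-deny access
// control list built with Zend Framework 1's Zend_Acl, with the current
// role resolved from Zend_Auth. Assumes ZF1 is on the include_path; the
// role, resource and privilege names are hypothetical.
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';
require_once 'Zend/Acl/Resource.php';
require_once 'Zend/Auth.php';

function buildAcl()
{
    $acl = new Zend_Acl();

    // Roles form a chain: member inherits guest's grants, editor inherits member's.
    $acl->addRole(new Zend_Acl_Role('guest'));
    $acl->addRole(new Zend_Acl_Role('member'), 'guest');
    $acl->addRole(new Zend_Acl_Role('editor'), 'member');

    // Resources are the pages or features being protected.
    $acl->add(new Zend_Acl_Resource('article'));
    $acl->add(new Zend_Acl_Resource('admin'));

    // Zend_Acl denies anything not explicitly allowed, so each role is
    // granted only the privileges it actually needs.
    $acl->allow('guest', 'article', 'view');
    $acl->allow('member', 'article', 'comment');
    $acl->allow('editor', 'article', array('edit', 'publish'));
    // No role is granted anything on 'admin'; it stays denied by default.

    return $acl;
}

// Resolve the caller's role from Zend_Auth. Visitors with no identity are
// treated as 'guest'. Reading $identity->role is an assumption about how
// this hypothetical application stores the role after login.
function currentRole()
{
    $auth = Zend_Auth::getInstance();
    if (!$auth->hasIdentity()) {
        return 'guest';
    }
    $identity = $auth->getIdentity();
    return isset($identity->role) ? $identity->role : 'guest';
}

// Wrapper that treats an unregistered role or resource as a denial instead
// of letting Zend_Acl throw an exception up to the page.
function checkAccess(Zend_Acl $acl, $role, $resource, $privilege)
{
    if (!$acl->hasRole($role) || !$acl->has($resource)) {
        return false;
    }
    return $acl->isAllowed($role, $resource, $privilege);
}

$acl = buildAcl();

// Typical use in a controller or page: deny unless the ACL explicitly allows.
if (!checkAccess($acl, currentRole(), 'article', 'edit')) {
    header('HTTP/1.0 403 Forbidden');
    echo 'Access denied';
    exit;
}
echo 'Editing allowed';
```

The point to notice is the direction of the default: nothing is reachable until an allow() rule names it, so adding a new page or feature without a rule leaves it closed rather than open, and a misspelled or unregistered role falls through to a denial rather than an exception.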
