PHP Security Tips Series #5 [translated]
Original source: http://devzone.zend.com/article/1767-PHP-Security-Tip-5
Translated by: linyupark@w3pop.com
PHP security is an ongoing mission requiring the programmer to think outside of the parameters of the application. It’s not enough these days to ask yourself “Does this do what I want it to do?”; you also have to consider “What else can people use it for, and do I want to allow that?” Today’s security tip is a proverb that all programmers should have to recite daily.
Never trust the user.
It’s a sad fact of life but users are evil. Users want nothing more than to find a way to exploit your application. As soon as you let your guard down and start thinking “I’m only selling small stuffed animals so how evil can my users really be?” you’ve lost the battle.
Ok, maybe it’s not quite that dire but you do have to keep a wary eye on some of your users. That’s where the second proverb that all programmers should recite daily comes in.
Filter Input, Escape Output [FIEO]
Yes, FIEO (ok, it’s not as cool sounding as GIGO) is one of the mantras that all security-minded programmers have to live by.
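To show what FIEO looks like in practice, here is an added PHP example (not code from the original article): input is validated against a whitelist at the point it enters the application, and free text is escaped for the HTML context at the point it leaves. The function names and the sample request array are assumptions made for the example.

```php
<?php
// Added example illustrating Filter Input, Escape Output (FIEO).
// Filtering and escaping are separate steps: filter what comes in against
// what the application expects, escape what goes out for its output context.

/** Filter: return a validated username, or null if it does not match the whitelist. */
function filterUsername($raw): ?string
{
    if (!is_string($raw)) {
        return null;
    }
    // Only letters, digits and underscore, 3 to 20 characters.
    // Anything else is rejected outright rather than "cleaned up".
    return preg_match('/^[A-Za-z0-9_]{3,20}$/', $raw) === 1 ? $raw : null;
}

/** Filter: a page size must be an integer inside a sane range, else use a default. */
function filterPageSize($raw): int
{
    $n = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 100],
    ]);
    return $n === false ? 10 : $n;
}

/** Escape for an HTML body or attribute context. Done at output time, never at input time. */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample request standing in for $_GET / $_POST (assumed values).
$request = [
    'user'     => 'alice_01',
    'comment'  => 'Hi <b>there</b> & "friends"',
    'per_page' => '500',
];

$user    = filterUsername($request['user']);     // passes the whitelist
$perPage = filterPageSize($request['per_page']);  // out of range, so the default applies

// Free text such as a comment cannot be whitelisted, so it is kept as the user
// sent it and escaped for the HTML context at output time.
echo '<p>User: ' . escapeHtml($user ?? 'anonymous') . "</p>\n";
echo '<p>Comment: ' . escapeHtml($request['comment']) . "</p>\n";
echo '<p>Showing ' . $perPage . " per page</p>\n";
```

The same comment would need a different escaper if it were written into a SQL query (use prepared statements) or a shell command, which is why escaping belongs to the output context rather than to the input.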