w3pop.com :: Network Academy :: PHP :: PHP Security Tips Series #8 [translated]
Original source: http://devzone.zend.com/article/1793-PHP-Security-Tip-8
Translated by: linyupark@w3pop.com
Within PHP security topics, there is always more than one way to accomplish a task. Many times it is by combining tactics that we achieve the best security. We have already talked about filtering, but beyond filtering we still need to be vigilant and validate input coming in from a user. This brings us to our PHP security tip of the day.
Always validate user input.
Take for example the following code:
<?php
$myFile = filter_var($_GET['file'], FILTER_SANITIZE_STRING);
include($myFile);
?>
Calling http://example.com/file.php?file=home.php will cause your script to include the file home.php in your current directory. However, if someone comes along and requests http://example.com/file.php?file=badcode.php, you are potentially exposing yourself to executing their code, or to executing your own code that you do not want run in that context.
Do not depend solely on file_exists(). Just because it is a local file does not mean that it is a valid file, or even that it is your file. Don't give hackers an easy way to execute their code on your server.
To protect against this, always filter and validate:
<?php
// filter (note: FILTER_SANITIZE_STRING is deprecated as of PHP 8.1)
$myFile = filter_var($_GET['file'], FILTER_SANITIZE_STRING);
// Then validate against a fixed list of files you actually intend to include
$valid = array('home.php', 'about.php');
if (!in_array($myFile, $valid)) {
    die('Leave, evil hacker');
}
include($myFile);
?>
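As an added example (not code from the original article), the same idea taken one step further: the request carries only a route key, the key is looked up in a map, and the resolved path is checked to lie inside an assumed pages/ directory. The inputs in $attempts are constructed to show that sanitising alone leaves traversal and URL strings untouched, so only the allow-list check stops them.

```php
<?php
// Added example, not from the original article.
// Assumes the includable pages live in a "pages/" directory next to this file.

declare(strict_types=1);

// Map of public route names to files. The request never contains a path,
// only a key, so nothing user-controlled is ever passed to include().
const PAGES = [
    'home'  => 'home.php',
    'about' => 'about.php',
];

/**
 * Return the absolute path of the page to include, or null if the request
 * is not a known page. This is validation only: no sanitising, no guessing.
 */
function resolvePage(string $requested, string $baseDir): ?string
{
    if (!array_key_exists($requested, PAGES)) {
        return null;            // unknown key: reject, do not try to "fix" it
    }
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$requested]);
    $base = realpath($baseDir);
    // Defence in depth: even if the map is edited badly later, the resolved
    // file must still sit inside $baseDir (realpath follows symlinks).
    if ($path === false || $base === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Constructed inputs: FILTER_SANITIZE_STRING only strips tags and encodes
// quotes, so the filter-only version would hand each of these to include().
$attempts = ['home', 'about', '../config.php', 'http://example.com/x.txt', 'badcode.php'];
foreach ($attempts as $try) {
    $resolved = resolvePage($try, __DIR__ . '/pages');
    echo str_pad($try, 28) . ' => ' . ($resolved ?? 'rejected') . PHP_EOL;
}

// Real request handling (assumed parameter name "page").
$page = resolvePage((string)($_GET['page'] ?? 'home'), __DIR__ . '/pages');
if ($page === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $page;
```

Run from the command line the loop prints "rejected" for every entry unless a pages/ directory with home.php and about.php exists beside the script.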