[Translation] PHP Security Tips (Part 2)
may have been spoofed. Your script could potentially be exploited to execute the commands they request, and so be used to do harm.
Use eval() with caution, and when you must use it, always filter and validate the user input first. If there is another way to accomplish the same task, consider using that instead.

------------------------------------------------------------------------------

PHP Security Tip #13
Cal Evans (editor) | 4 comments | Tuesday, March 20, 2007

Security is a mindset, not just something you do. It colors your application design as well as your coding. However, you also need to constantly monitor your production environment. That's where selecting the right tool comes into play.

I know I've mentioned PHPSecInfo before but I think this tool is important enough to warrant its own post. PHPSecInfo is a great tool to use to keep an eye on your production environment. It was written by Ed Finkler of CERIAS, the Center for Education and Research in Information Assurance and Security at Purdue University. It is officially a project of the PHP Security Consortium. Here's what the PHPSecInfo homepage has to say about itself.

PHPSecInfo provides an equivalent to the phpinfo() function that reports security information about the PHP environment, and offers suggestions for improvement. It is not a replacement for secure development techniques, and does not do any kind of code or app auditing, but can be a useful tool in a multilayered security approach.

If you need more info, here's the link to a short interview with Ed talking about PHPSecInfo. Here is another link to the latest release notice for version 0.2.

As with all security measures, by itself it's not the silver bullet. Used properly though, it can be part of a comprehensive solution.
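The eval() advice above (the tail of Tip #12), as an added example that is not part of the original post or its translation: the pattern the tip warns about, beside a replacement that validates the input and needs no eval() at all. The unit-conversion scenario, the function names and the request parameters are constructed for illustration.

```php
<?php
// Added example, not from the original post. Scenario (constructed): a page
// that lets the visitor choose a unit conversion and supply a value.

// --- The pattern Tip #12 warns about: user input is spliced straight into
//     eval(). Whatever the visitor sends is compiled and run as PHP with the
//     web server's privileges; "filtering" a string destined for eval() is
//     very hard to get right, so the tip says to prefer another approach.
function convertUnsafe(string $conversion, string $value): float
{
    // e.g. $conversion = "km_to_miles"  =>  eval("return km_to_miles(10);")
    return (float) eval("return {$conversion}({$value});");
}

// --- Hardened replacement: a whitelist dispatch table. The visitor's input is
//     only ever used as an array key and as a number; it is never interpreted
//     as code, so there is nothing for an injected payload to reach.
const CONVERSIONS = [
    'km_to_miles' => 0.621371,
    'miles_to_km' => 1.609344,
    'kg_to_lb'    => 2.204623,
];

function convertSafe(string $conversion, string $rawValue): float
{
    // Validate the selector against the whitelist (strict key comparison).
    if (!array_key_exists($conversion, CONVERSIONS)) {
        throw new InvalidArgumentException('Unknown conversion');
    }
    // Validate the numeric input instead of trusting it.
    $value = filter_var($rawValue, FILTER_VALIDATE_FLOAT);
    if ($value === false) {
        throw new InvalidArgumentException('Value must be a number');
    }
    return $value * CONVERSIONS[$conversion];
}

// Usage with request parameters (constructed names: c = conversion, v = value).
$conversion = $_GET['c'] ?? 'km_to_miles';
$value      = $_GET['v'] ?? '10';
try {
    printf("%.3f\n", convertSafe($conversion, $value));   // 10 km -> 6.214
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo "Bad request\n";
}
```

The point of the dispatch table is that the set of things a request can make the script do is fixed at development time; a bad selector yields a 400 rather than a code path, and the only value that flows from the request into arithmetic has been through FILTER_VALIDATE_FLOAT.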
------------------------------------------------------------------------------

PHP Security Tip #13

Security is a mindset, not just a set of things you do; it colors both the design of your application and its coding. But you also need to keep monitoring the production environment, and that is where choosing the right tool comes into play. I have mentioned PHPSecInfo before, but I think this tool is important enough to give it its own section.

PHPSecInfo is a powerful tool for keeping an eye on your production environment. It was written by Ed Finkler of CERIAS (the Center for Education and Research in Information Assurance and Security at Purdue University) and is an official project of the PHP Security Consortium (PHPSecInfo rocks!). Here is what the PHPSecInfo homepage says about itself:

PHPSecInfo provides an equivalent of the phpinfo() function that reports security information about the PHP environment and offers suggestions for improvement. It is not meant to replace secure development techniques and does not perform any kind of code or application auditing, but it can be a useful tool in a multilayered security approach.

If you want more information, below is a link to a short interview with Ed about PHPSecInfo, and another link to the release notice for the latest version, 0.2.

http://devzone.zend.com/node/view/id/1099
http://devzone.zend.com/node/view/id/1735

Like all security measures, PHPSecInfo is no silver bullet by itself (see the translator's note on Tip #1), but used properly it can become part of a comprehensive solution.
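To make concrete what a "phpinfo() for security" does, here is an added example (not PHPSecInfo's code, and not part of the original post or its translation): a small check that reads a handful of php.ini settings with ini_get() and reports the ones in a risky state with a suggestion. The list of settings, the thresholds and the wording are my own assumptions, not PHPSecInfo's rules.

```php
<?php
// Added example in the spirit of PHPSecInfo; it is not PHPSecInfo's code.
// Reads selected php.ini values and reports risky ones with a suggestion.

function iniFlag(string $name): bool
{
    // ini_get() returns strings such as "1", "0", "On", "Off", or "" / false
    // when the directive is unset or unknown in this PHP version.
    $v = strtolower((string) ini_get($name));
    return in_array($v, ['1', 'on', 'true', 'yes'], true);
}

function securityFindings(): array
{
    $openBasedir = (string) ini_get('open_basedir');

    // setting => [is it in a risky state?, suggestion]   (assumed rules)
    $checks = [
        'display_errors'          => [iniFlag('display_errors'),
            'Set display_errors=Off in production and rely on log_errors=On instead.'],
        'expose_php'              => [iniFlag('expose_php'),
            'Set expose_php=Off so the PHP version is not advertised in response headers.'],
        'allow_url_include'       => [iniFlag('allow_url_include'),
            'Set allow_url_include=Off so include/require cannot load remote code.'],
        'register_globals'        => [iniFlag('register_globals'),
            'register_globals must be Off (the directive was removed in PHP 5.4).'],
        'open_basedir'            => [$openBasedir === '',
            'Consider restricting file access with open_basedir.'],
        'session.cookie_httponly' => [!iniFlag('session.cookie_httponly'),
            'Set session.cookie_httponly=1 so script on the page cannot read the session cookie.'],
    ];

    $findings = [];
    foreach ($checks as $setting => [$risky, $advice]) {
        if ($risky) {
            $findings[$setting] = $advice;
        }
    }
    return $findings;
}

// Plain-text report. Run it from the CLI (php check.php) or wrap it in <pre>
// for a browser, and keep it as inaccessible to anonymous users as phpinfo().
$findings = securityFindings();
if ($findings === []) {
    echo "No findings.\n";
}
foreach ($findings as $setting => $advice) {
    printf("[WARN] %-24s %s\n", $setting, $advice);
}
```

Running this on a default development php.ini typically flags display_errors and expose_php; on a hardened production box it should print "No findings." for this list. The real tool covers many more directives and explains each one, which is why the post recommends it over hand-rolled checks like this.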