
[Translation] PHP Security Tips (Part 2)

Author: anonymous | Source: NET Programming | Published 2012-05-23
...worse, a "quick code snippet" left in test.php: all of these can potentially leak dangerous information about the system. Stop giving those ad guys a helping hand.

  P.S. If you have security tips of your own, post them; sharing them with others is the best thing you can do. Just log in and click the Contribute button in the top right corner.

  ------------------------------------------------------------------------------

  PHP Security Tip #16

  sascha_leib | 1 comment | Monday, March 26, 2007

  Keep Your Framework Up to Date

  I have posted it before as a comment, but since I believe that this is a very important issue, it might be worth a ‘security tip’ of its own:

  Make sure any framework you are using is updated regularly.

  This is especially important if you are working on a ‘one-shot’ client project. It is important to think about who is going to maintain the site if (or rather: when) a security patch is issued for any of the 3rd party files.

  Usually, these sites are placed on a shared hosting site, and that means the provider is responsible for keeping PHP, database system, web server, etc. up to date – but they will probably not maintain the frameworks you have installed.

  Using frameworks is generally a good idea – not only because they take a lot of the work away from you, but also because any potential security issue will (usually) quickly be dealt with.

  On the other side, this means that security issues in these frameworks are very well documented – and it is all too easy for a malicious hacker to search for old versions of the framework in use, and exploit these problems.

  I have seen many, many sites which are still using extremely old and outdated files – simply because there is nobody there to update it. And I’m talking about old PEAR installs (with known issues with the ‘Mail’ component) and worse!
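The practical check behind this tip is an inventory: know which third-party components a site runs and which of them sit below the version in which a known issue was fixed. The following is an added example (not code from the original post or from PEAR); the inventory text is a constructed sample in the style of `pear list` output, and the minimum-version table holds placeholder values, not real advisory data, which in practice would come from the vendor's own release notes.

```python
"""Report installed third-party PHP components that are below an accepted version.

Added example, not part of the original post. Assumptions (not from the page):
- the inventory is "name  version  state" lines, as `pear list` prints them;
- MIN_VERSIONS is maintained by hand from vendor advisories (placeholders here).
"""
import re

# Constructed sample inventory, as an old shared host might report it.
SAMPLE_INVENTORY = """\
Mail        1.1.14  stable
Mail_Mime   1.3.1   stable
XML_RPC     1.5.1   stable
PEAR        1.4.11  stable
"""

# Constructed placeholder thresholds: the lowest version you are willing to run.
MIN_VERSIONS = {
    "Mail": "1.2.0",
    "XML_RPC": "1.5.1",
    "PEAR": "1.9.0",
}


def parse_version(version):
    """Split '1.2.0RC1' into (numeric parts, pre-release marker)."""
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = tuple(int(part) for part in m.group(1).split("."))
    tag = m.group(2).lower().lstrip("-_.")
    # A pre-release tag (alpha, beta, rc) sorts below the bare release.
    return nums, ((0, tag) if tag else (1, ""))


def compare_versions(a, b):
    """Return -1, 0 or 1 like a classic comparator; '1.2' equals '1.2.0'."""
    nums_a, tag_a = parse_version(a)
    nums_b, tag_b = parse_version(b)
    width = max(len(nums_a), len(nums_b))
    nums_a += (0,) * (width - len(nums_a))
    nums_b += (0,) * (width - len(nums_b))
    if nums_a != nums_b:
        return -1 if nums_a < nums_b else 1
    if tag_a != tag_b:
        return -1 if tag_a < tag_b else 1
    return 0


def parse_inventory(text):
    """Turn 'name version state' lines into an ordered dict of name -> version."""
    inventory = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version = line.split()[:2]
        inventory[name] = version
    return inventory


def audit(inventory_text, min_versions):
    """List components below their threshold and components with no threshold at all.

    Anything 'unlisted' has no accepted version on record and needs a human look,
    which is the usual state of a one-shot client site nobody maintains.
    """
    installed = parse_inventory(inventory_text)
    outdated = []
    unlisted = []
    for name, version in installed.items():
        if name not in min_versions:
            unlisted.append(name)
        elif compare_versions(version, min_versions[name]) < 0:
            outdated.append((name, version, min_versions[name]))
    return {"outdated": outdated, "unlisted": unlisted}


if __name__ == "__main__":
    report = audit(SAMPLE_INVENTORY, MIN_VERSIONS)
    for name, have, want in report["outdated"]:
        print(f"OUTDATED  {name}: installed {have}, need at least {want}")
    for name in report["unlisted"]:
        print(f"REVIEW    {name}: no accepted version on record")
```

Run it against the real `pear list` output (or a `composer show` listing reformatted to the same three columns) and keep the threshold table under version control next to the site, so the person who inherits the project can see at a glance what was checked and when.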

  ------------------------------------------------------------------------------

  PHP Security Tip #16

  Keep Your Framework Up to Date

  I have already posted this in an earlier comment, but since I believe it is a very important topic, it may deserve to be a “security tip” of its own.

  Make sure to update any framework you use regularly.

  This is especially important if you are working on a “one-shot” client project. It is crucial to consider who will maintain the site if (or rather, when) a patch for the third-party software is released.

  Usually these sites are placed on shared hosting, which means the provider is responsible for keeping PHP, the database system and the web server up to date. But they are unlikely to maintain the frameworks you have installed.

  Generally speaking, using frameworks is a good thing, not only because they save you a lot of work, but also because any potential security issue will (usually) be dealt with quickly.

  On the other hand, this also means that the security issues in these frameworks are well documented, which makes it easy for a malicious hacker to search for systems using old versions of the framework and break in through those known issues.

  I have seen many, many sites still using very old, outdated files, simply because nobody is there to update them. Sites still running an old PEAR library (with its well-known security issue in the Mail component) are even worse!
