如何书写安全的PHP代码_PHP
PHP是一个很容易学习的语言, 许多人在没有任何编程背景下学习它作为一种去增加一些互动元素到他们的网站的方法. 不幸的是,这往往意味着PHP程序员,尤其是那些较新的Web开发程序员, 并没有觉察他们网站中潜在安全风险. 这里是一些比较常见的安全问题,以及如何去避免它们。
永远,永远信任你的用户
不能说足够的次数,你应该永远,永远, 信任你的用户向你发送你期望的数据. 我听到很多人回应,大概是"哦,没有恶意的人将对我的网站感兴趣"。这就错了, 这里总是有怀有恶意的用户可以利用一个安全漏洞,问题可以很容易被发现,因为一个用户无意中做错了。
因此, 所有网页的发展的戒律,我不能再压缩了的话就是:永远,永远,相信你的用户。假定你的网站从使用者收集的每片数据含有恶意代码,始终, 你认为已经检查客户端验证的这些数据,例如在JavaScript ,如果你能够达到这个目标,你应该有了一个良好的开端。如果PHP的安全性很重要,这一点就要重要地学习,个人来说,"PHP安全"是一个重大的问题。
全局变量
在许多语言,你必须明确地设定一个变量以使用它。 在PHP中,有一个选项" , register_globals" , 你可以在php.ini中设置,让你可以使用全局变量,而不需要事先声明。
考虑下面的代码:
|
以下为引用的内容: if ($password == "my_password") { $authorized = 1; } if ($authorized == 1) { echo "Lots of important stuff."; } |
许多人看上去觉得没什么问题,而事实上,这方面的代码在整个网站上应用. 但是,如果一个服务器开启"register_globals"。然后,只需添加"?authorized=1"的URL将让任何人都看到. 这是一个最普遍的PHP的安全问题。
所幸的是,这有两个简单的解决办法. 第一,也许最好的,就是把"register_globals"关闭. 二是你必须明确只有你使用变量. 在上面的例子中,这将意味着加入"?authorized=0"; 在脚本的开始:
$authorized = 0;if ($password == "my_password") {$authorized = 1;}if ($authorized == 1) {echo "Lots of important stuff.";}
错误信息
错误信息是一个非常有用的工具,无论是程序员和黑客. 开发者需要它们去改正错误. 黑客可以利用它们来找出一个网站的各种信息, 从目录结构的服务器,数据库登录信息. 如果可能的话,最好是关闭所有的错误报告. PHP可以完成这项工作. htaccess或php.ini,设置"error_reporting" 的值改为"0" . 如果你有一个开发环境,您可以设定不同的错误报告级别。
SQL注入
PHP的一个最大优点就是,它可以方便地与数据库中操作,最显着的MySQL的. 很多人使用这个数据库。不少网站,包括这一个,依赖于数据库的函数. 然而,正如你所料,有这么大的权力你就要够面对庞大的潜在安全问题. 所幸的是,有很多解决办法. 最常见面安全问题是一个数据库 SQL注入-当用户利用一个安全故障在你的数据库运行SQL语句. 让我们用一个常见的例子. 许多登录系统具有以下特点:一条线,看起来象不像是在检查从表单输入的用户名和密码, 比如去控制访问一个管理员区:
$check = mysql_query("Select Username, Password, UserLevel FROM Users Where Username = '".$_POST['username']."' and Password = '".$_POST['password']."'");
看上去很眼熟? 就表面看来,它好像做得不错.上述并不像可以做许多破坏. 但话又说回来,我在"username" 输入框输入这样的值并提交:
'' 或者 1=1 #
这个执行语句现在是这个样子:
elect Username, Password FROM Users Where Username = '' or 1=1 #' and Password = '';
散列符号(#)告诉MySQL的它之后一切,都会被忽略. 所以实际上只是执行的SQL到这一点. 1永远等于1 ,所以SQL将从数据库返回所有的用户名和密码. 在大多数用户登录数据库的首个户名和密码组合都是管理员用户, 他干脆输入了几个符号作为管理员已登录你的网站, 果他们其实都知道的用户名和密码,他们会有同样的权力如。
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
What software is bonjour and can it be uninstalled?
Feb 20, 2024 am 09:33 AM
Title: Explore the Bonjour software and how to uninstall it Abstract: This article will introduce the functions, scope of use and how to uninstall the Bonjour software. At the same time, it will also be explained how to use other tools to replace Bonjour to meet the needs of users. Introduction: Bonjour is a common software in the field of computer and network technology. Although this may be unfamiliar to some users, it can be very useful in some specific situations. If you happen to have Bonjour software installed but now want to uninstall it, then
What to do if WPS Office cannot open the PPT file - What to do if WPS Office cannot open the PPT file
Mar 04, 2024 am 11:40 AM
Recently, many friends have asked me what to do if WPSOffice cannot open PPT files. Next, let us learn how to solve the problem of WPSOffice not being able to open PPT files. I hope it can help everyone. 1. First open WPSOffice and enter the homepage, as shown in the figure below. 2. Then enter the keyword "document repair" in the search bar above, and then click to open the document repair tool, as shown in the figure below. 3. Then import the PPT file for repair, as shown in the figure below.
What software is crystaldiskmark? -How to use crystaldiskmark?
Mar 18, 2024 pm 02:58 PM
CrystalDiskMark is a small HDD benchmark tool for hard drives that quickly measures sequential and random read/write speeds. Next, let the editor introduce CrystalDiskMark to you and how to use crystaldiskmark~ 1. Introduction to CrystalDiskMark CrystalDiskMark is a widely used disk performance testing tool used to evaluate the read and write speed and performance of mechanical hard drives and solid-state drives (SSD). Random I/O performance. It is a free Windows application and provides a user-friendly interface and various test modes to evaluate different aspects of hard drive performance and is widely used in hardware reviews
CrystalDiskinfo usage tutorial-What software is CrystalDiskinfo?
Mar 18, 2024 pm 04:50 PM
CrystalDiskInfo is a software used to check computer hardware devices. In this software, we can check our own computer hardware, such as reading speed, transmission mode, interface, etc.! So in addition to these functions, how to use CrystalDiskInfo and what exactly is CrystalDiskInfo? Let me sort it out for you! 1. The Origin of CrystalDiskInfo As one of the three major components of a computer host, a solid-state drive is the storage medium of a computer and is responsible for computer data storage. A good solid-state drive can speed up file reading and affect consumer experience. When consumers receive new devices, they can use third-party software or other SSDs to
How to set the keyboard increment in Adobe Illustrator CS6 - How to set the keyboard increment in Adobe Illustrator CS6
Mar 04, 2024 pm 06:04 PM
Many users are using the Adobe Illustrator CS6 software in their offices, so do you know how to set the keyboard increment in Adobe Illustrator CS6? Then, the editor will bring you the method of setting the keyboard increment in Adobe Illustrator CS6. Interested users can take a look below. Step 1: Start Adobe Illustrator CS6 software, as shown in the figure below. Step 2: In the menu bar, click the [Edit] → [Preferences] → [General] command in sequence. Step 3: The [Keyboard Increment] dialog box pops up, enter the required number in the [Keyboard Increment] text box, and finally click the [OK] button. Step 4: Use the shortcut key [Ctrl]
What kind of software is bonjour? Is it useful?
Feb 22, 2024 pm 08:39 PM
Bonjour is a network protocol and software launched by Apple for discovering and configuring network services within a local area network. Its main role is to automatically discover and communicate between devices connected in the same network. Bonjour was first introduced in the MacOSX10.2 version in 2002, and is now installed and enabled by default in Apple's operating system. Since then, Apple has opened up Bonjour's technology to other manufacturers, so many other operating systems and devices can also support Bonjour.
How to resolve an incompatible software attempt to load with Edge?
Mar 15, 2024 pm 01:34 PM
When we use the Edge browser, sometimes incompatible software attempts to be loaded together, so what is going on? Let this site carefully introduce to users how to solve the problem of trying to load incompatible software with Edge. How to solve an incompatible software trying to load with Edge Solution 1: Search IE in the start menu and access it directly with IE. Solution 2: Note: Modifying the registry may cause system failure, so operate with caution. Modify registry parameters. 1. Enter regedit during operation. 2. Find the path\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Micros
How to completely remove viruses from mobile phones Recommended methods to deal with viruses in mobile phones
Feb 29, 2024 am 10:52 AM
After a mobile phone is infected with a certain Trojan virus, it cannot be detected and killed by anti-virus software. This principle is just like a computer infected with a stubborn virus. The virus can only be completely removed by formatting the C drive and reinstalling the system. , then I will explain how to completely clean the virus after the mobile phone is infected with a stubborn virus. Method 1: Open the phone and click "Settings" - "Other Settings" - "Restore Phone" to restore the phone to factory settings. Note: Before restoring factory settings, you must back up important data in the phone. The factory settings are equivalent to those of the computer. "It's the same as formatting and reinstalling the system". After the recovery, the data in the phone will be cleared. Method 2 (1) First turn off the phone, then press and hold the "power button" + "volume + button or volume - button" on the phone at the same time.
