中英结合的方式果然不错。我以前曾转载国人对于php安全编程的总结。有人说是老生长谈。这回看看外国朋友的作品。
据最新的调查,php语言的使用率竟超过了老牌语言c++,成为使用率第三位的编程语言。它有很多有用的功能,不过可能出现的问题也不少。这篇文章就列出了五条常用的建议以帮助你创造安全的php应用。
PHP is one of the most popular programming languages for the web. Sometimes a feature-friendly language can help the programmer too much, and security holes can creep in, creating roadblocks in the development path. In this tutorial, we will take a look at 5 tips to help you avoid some common PHP security pitfalls and development glitches.
建议1:使用错误报告要合适
Tip 1: Use Proper Error Reporting
开发过程中,错误报告挺有用。它能帮你找到一系列问题。但如果你在正式应用里仍打开这一功能,那会给不怀好意者以丰富信息。你可以在所有应用的文件代码前加入error_reporting(0);
如果出现某些问题你确实想知道,那么应该将错误报告输入到一受保护的文件中,这可以用函数 set_error_handler完成。
During the development process, application error reporting is your
best friend. Error reports can help you find spelling mistakes in your
variables, detect incorrect function usage and much more. However, once
the site goes live the same reporting that was an ally during
development can turn traitor and tell your users much more about your
site than you may want them to know (the software you run, your folder
structure, etc).
Once your site goes live, you should make sure to hide all error
reporting. This can be done by invoking the following simple function
at the top of your application file(s).
If something does go wrong, you still want and need to know about
it. Therefore, you should always make sure to log your errors to a
protected file. This can be done with the PHP function set_error_handler.
建议2:关闭php的坏功能