{"id":1254,"date":"2006-01-22T23:35:39","date_gmt":"2006-01-22T15:35:39","guid":{"rendered":"http:\/\/ihower.idv.tw\/blog\/archives\/1254"},"modified":"2007-02-11T22:27:45","modified_gmt":"2007-02-11T14:27:45","slug":"php-security","status":"publish","type":"post","link":"https:\/\/ihower.tw\/blog\/1254-php-security","title":{"rendered":"PHP Security Guide"},"content":{"rendered":"<p>This week I finished reading the PHP Security Guide ( <a href=\"http:\/\/phpsec.org\/projects\/\">phpsec.org\/projects\/<\/a> ), and it is quite a good document.<\/p>\n<p>The most basic steps: 1. assume users are malicious; 2. educate yourself about security; 3. <strong>filter all data that comes from outside<\/strong>. A few key points noted below:<!--more--><\/p>\n<p>1. The impact of register_globals: turn on E_ALL during development and initialize every variable before it is used.<\/p>\n<p>2. Introduces <a href=\"http:\/\/ha.ckers.org\/xss.html\">XSS<\/a> attacks. Always filter data, using the existing PHP functions for it (htmlentities(), strip_tags(), utf8_decode(), etc.), and filter with a whitelist rather than a blacklist. A naming convention is suggested to tell data apart, e.g. $clean holds only data that has already been filtered.<\/p>\n<p>3. Introduces CSRF attacks. Prefer POST over GET. Use $_POST rather than $_REQUEST. When receiving a form, verify that it was submitted from the correct form page (the token technique).<\/p>\n<p>4. Recommends keeping library files outside the web root, or configuring Apache 
so that the library directory cannot be read. For database credentials, it recommends storing them as root in a separate text file and reading that file from httpd.conf (still be careful: phpinfo() will leak them).<\/p>\n<p>5. Introduces SQL injection: escape with mysql_real_escape_string(), and <a href=\"http:\/\/shiflett.org\/archive\/184\">do not use addslashes()<\/a>.<\/p>\n<p>6. Introduces session fixation; recommends calling session_regenerate_id() to replace the session ID at important moments (whenever the user's privilege level changes).<\/p>\n<p>7. To guard against session hijacking, use data that should stay consistent (such as HTTP_USER_AGENT) to check that it is still the same user.<\/p>\n<p>8. Introduces the dangers of shared hosts. Recommends keeping session data in a database rather than in \/tmp, and using safe_mode to restrict PHP.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This week I finished reading the PHP Security Guide ( <a href=\"http:\/\/phpsec.org\/projects\/\" class=\"autohyperlink\">phpsec.org\/projects\/<\/a> ), and it is quite &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/ihower.tw\/blog\/1254-php-security\" class=\"more-link\">Read the full post<span class=\"screen-reader-text\">\u3008PHP Security 
Guide\u3009<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[36,5,40],"tags":[],"class_list":["post-1254","post","type-post","status-publish","format-standard","hentry","category-php","category-programming","category-security","entry"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p1q6tG-ke","jetpack_sharing_enabled":true,"jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/ihower.tw\/blog\/wp-json\/wp\/v2\/posts\/1254","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ihower.tw\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ihower.tw\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ihower.tw\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ihower.tw\/blog\/wp-json\/wp\/v2\/comments?post=1254"}],"version-history":[{"count":0,"href":"https:\/\/ihower.tw\/blog\/wp-json\/wp\/v2\/posts\/1254\/revisions"}],"wp:attachment":[{"href":"https:\/\/ihower.tw\/blog\/wp-json\/wp\/v2\/media?parent=1254"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ihower.tw\/blog\/wp-json\/wp\/v2\/catego
ries?post=1254"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ihower.tw\/blog\/wp-json\/wp\/v2\/tags?post=1254"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
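Point 1 of the post is about the register_globals bug class. The following is an added example, not code from the post or from the PHP Security Guide: it simulates register_globals with extract() so the bypass can be seen on any PHP version (register_globals itself was removed in PHP 5.4), and shows the hardened form that initializes the flag and reads input explicitly. The check_password() helper and its credential table are constructed for the demo.

```php
<?php
// Added example (not from the post or the Guide). Relevant php.ini settings:
//   register_globals = Off      (gone entirely since PHP 5.4)
//   error_reporting  = E_ALL    (so an uninitialised variable is reported)
declare(strict_types=1);

function check_password(string $user, string $pass): bool
{
    // Constructed credential store for the demo; real code uses password_verify()
    // against a stored hash, never a plaintext table.
    $users = ['alice' => 'correct horse'];
    return isset($users[$user]) && hash_equals($users[$user], $pass);
}

// VULNERABLE: $authorized is only ever assigned on success and never initialised.
// With register_globals = On, a request for page.php?authorized=1 pre-creates the
// variable before this code runs, so the password check is skipped.
function is_authorized_vulnerable(array $request): bool
{
    extract($request, EXTR_OVERWRITE);   // stands in for register_globals = On
    if (isset($user, $pass) && check_password($user, $pass)) {
        $authorized = true;
    }
    // Under E_ALL, PHP reports "Undefined variable $authorized" here for any
    // request that did not supply one: that notice is how the bug gets caught.
    return (bool) $authorized;
}

// HARDENED: initialise the flag and read request data only through the array.
function is_authorized_hardened(array $request): bool
{
    $authorized = false;
    $user = $request['user'] ?? '';
    $pass = $request['pass'] ?? '';
    if (is_string($user) && is_string($pass) && check_password($user, $pass)) {
        $authorized = true;
    }
    return $authorized;                   // ?authorized=1 has no effect
}

// Constructed requests: the first one is the attacker's bypass attempt.
var_dump(is_authorized_vulnerable(['authorized' => '1']));
var_dump(is_authorized_hardened(['authorized' => '1']));
var_dump(is_authorized_hardened(['user' => 'alice', 'pass' => 'correct horse']));
```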
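Point 2 recommends whitelist filtering and a $clean naming convention. The block below is an added example, not code from the post or the Guide: a whitelist filter that only copies positively validated fields into $clean, plus output escaping with htmlentities() for the HTML context. The request payloads, field names and validation rules are constructed for the demo.

```php
<?php
// Added example (not from the post or the Guide): whitelist validation on input,
// the $clean convention, and context-specific escaping on output.
declare(strict_types=1);

/**
 * Validate untrusted input against whitelist rules and return only the fields
 * that passed. A rule is 'int', a list of allowed values, or a regex. Anything
 * absent from $rules or failing its rule is dropped, so $clean never holds a
 * value that was not positively allowed.
 */
function filter_input_whitelist(array $raw, array $rules): array
{
    $clean = [];
    foreach ($rules as $field => $rule) {
        if (!isset($raw[$field]) || !is_string($raw[$field])) {
            continue;                                   // missing or not a scalar string
        }
        $value = $raw[$field];
        if ($rule === 'int') {
            if (ctype_digit($value)) {
                $clean[$field] = (int) $value;
            }
        } elseif (is_array($rule)) {                    // enumeration whitelist
            if (in_array($value, $rule, true)) {
                $clean[$field] = $value;
            }
        } elseif (preg_match($rule, $value) === 1) {    // regex whitelist
            $clean[$field] = $value;
        }
    }
    return $clean;
}

/** Escape for HTML body or attribute text; ENT_QUOTES also covers single quotes. */
function html(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed request, as an attacker would send it.
$raw = [
    'username' => 'alice<script>alert(1)</script>',
    'page'     => '2',
    'sort'     => 'desc',
    'comment'  => '<img src=x onerror=alert(document.cookie)>',
];
// \z rather than $ so a trailing newline cannot slip past the anchor.
$rules = [
    'username' => '/^[A-Za-z0-9_]{1,32}\z/',
    'page'     => 'int',
    'sort'     => ['asc', 'desc'],
    'comment'  => '/^[\p{L}\p{N}\s.,!?\'"-]{1,500}\z/u',   // free text, but no < > = ( )
];
$clean = filter_input_whitelist($raw, $rules);
// $clean now has 'page' (as int 2) and 'sort'; 'username' and 'comment' were rejected.

// Whitelisted data is still escaped for the context it lands in.
$sort = $clean['sort'] ?? 'asc';
echo '<a href="?sort=' . rawurlencode($sort) . '">' . html($sort) . '</a>', PHP_EOL;
// Anything echoed from the raw request goes through html(), so the payload
// is rendered as text rather than interpreted as markup.
echo '<p>' . html($raw['comment']) . '</p>', PHP_EOL;
```

strip_tags() and utf8_decode(), also named in the post, are weaker tools: strip_tags() is a blacklist over tag syntax, and utf8_decode() only makes sense when the output charset really is ISO-8859-1; the whitelist-then-escape pattern above does not need either.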
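Point 3 describes the token technique for CSRF. The handler below is an added example, not code from the post or the Guide: a per-session token from random_bytes(), embedded as a hidden field, and checked with hash_equals() only for POST requests and only from $_POST. The /transfer.php action URL is hypothetical, and the block assumes a web SAPI so that sessions and cookies exist.

```php
<?php
// Added example (not from the post or the Guide): session-bound CSRF token.
declare(strict_types=1);

/** Lazily create one unguessable token per session. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Hidden field to place inside every state-changing form. */
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * True only for a POST whose body carries the session's token. Reading from
 * $_POST rather than $_REQUEST matters: $_REQUEST would also accept a token
 * smuggled in the query string or a cookie, which is exactly what a forged
 * cross-site request can control.
 */
function csrf_check(string $method, array $post, array $session): bool
{
    if ($method !== 'POST') {
        return false;
    }
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given);     // constant-time comparison
}

session_start();
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!csrf_check('POST', $_POST, $_SESSION)) {
        http_response_code(403);
        exit('invalid request');
    }
    // ... perform the state change here, using $_POST only ...
}
?>
<form method="post" action="/transfer.php">
  <?= csrf_field() ?>
  <label>Amount <input name="amount" type="number"></label>
  <button>Transfer</button>
</form>
```

The token does not need to change per form; what matters is that it lives only in the server-side session and in the page the server rendered, so a third-party site cannot read it to include it in its forged POST.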
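Points 4 and 5 concern keeping database credentials out of the web root and escaping SQL. The block below is an added example, not code from the post or the Guide: the same login query written vulnerable, escaped, and prepared, run against an in-memory SQLite table created inline so it works offline. PDO::quote() stands in here for mysql_real_escape_string(); both escape for one connection's character set, which is what addslashes() cannot do. The Apache SetEnv directives quoted in the comment are my assumption about how the post's "read it from httpd.conf" is done. Note that the whole mysql_* extension was removed in PHP 7, so prepared statements are the practical answer today.

```php
<?php
// Added example (not from the post or the Guide).
//
// Credentials (point 4): keep them in a root-owned file outside the web root,
//   SetEnv DB_USER "app"
//   SetEnv DB_PASS "..."
// Include that file from httpd.conf, and read $_SERVER['DB_USER'] in PHP.
// (Assumed directives.) phpinfo() prints $_SERVER, so it must not be reachable.
// SQLite in memory needs no credentials, so the demo connects directly.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pass TEXT)');
$pdo->exec("INSERT INTO users (name, pass) VALUES ('alice', 's3cret'), ('bob', 'hunter2')");

/** VULNERABLE: request data is interpolated straight into the SQL text. */
function login_vulnerable(PDO $pdo, string $name, string $pass): array
{
    $sql = "SELECT id, name FROM users WHERE name = '$name' AND pass = '$pass'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** ESCAPED: quote() escapes for this connection, the point-5 technique. */
function login_escaped(PDO $pdo, string $name, string $pass): array
{
    $sql = 'SELECT id, name FROM users WHERE name = ' . $pdo->quote($name)
         . ' AND pass = ' . $pdo->quote($pass);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** PREPARED: data never becomes part of the SQL text at all. */
function login_prepared(PDO $pdo, string $name, string $pass): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :n AND pass = :p');
    $stmt->execute([':n' => $name, ':p' => $pass]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker input: closes the quoted string, then "--" comments out
// the rest of the line, so the vulnerable query reads
//   SELECT id, name FROM users WHERE name = 'alice' --' AND pass = 'wrong'
// and finds alice without any password. The other two see a user literally
// named "alice' --" and find nothing.
$name = "alice' --";
$pass = 'wrong';
print_r(login_vulnerable($pdo, $name, $pass));
print_r(login_escaped($pdo, $name, $pass));
print_r(login_prepared($pdo, $name, $pass));
```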
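Points 6 and 7 go together: regenerate the session ID whenever privilege changes, and tie the session to something a hijacker must also reproduce. The block below is an added example covering both, not code from the post or the Guide. It assumes a web SAPI (cookies) and uses a constructed verify_credentials() helper; the HTTP_USER_AGENT fingerprint is the post's suggestion, and the cookie hardening before session_start() is my addition.

```php
<?php
// Added example (not from the post or the Guide): session fixation and
// hijacking countermeasures for a login flow.
declare(strict_types=1);

/**
 * Point 7: a fingerprint built from data the same client should keep sending.
 * HTTP_USER_AGENT is attacker-supplied, so this only raises the bar (the
 * hijacker must copy the victim's UA as well as the cookie); it is not proof.
 */
function fingerprint(array $server): string
{
    return hash('sha256', 'fp|' . ($server['HTTP_USER_AGENT'] ?? ''));
}

function verify_credentials(string $user, string $pass): bool
{
    return $user === 'alice' && $pass === 'correct horse';   // demo only
}

/**
 * Point 6: on a privilege change, discard the pre-authentication session ID.
 * If an attacker planted that ID (fixation), it is now worthless to them.
 */
function login(string $user, string $pass): bool
{
    if (!verify_credentials($user, $pass)) {
        return false;
    }
    session_regenerate_id(true);     // true: delete the old session data too
    $_SESSION['user'] = $user;
    $_SESSION['fp']   = fingerprint($_SERVER);
    return true;
}

/** Point 7: on every request, the stored fingerprint must still match. */
function session_is_valid(array $session, array $server): bool
{
    if (!isset($session['user'], $session['fp'])) {
        return false;
    }
    return hash_equals($session['fp'], fingerprint($server));
}

// Close the easy fixation channels before the session is even opened.
ini_set('session.use_only_cookies', '1');   // no ?PHPSESSID=... in URLs
ini_set('session.use_strict_mode', '1');    // refuse IDs the server never issued
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

if (isset($_SESSION['user']) && !session_is_valid($_SESSION, $_SERVER)) {
    // Fingerprint changed: treat as a hijack, drop everything and start over.
    $_SESSION = [];
    session_destroy();
    http_response_code(403);
    exit('session invalid');
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    $user = $_POST['user'] ?? '';
    $pass = $_POST['pass'] ?? '';
    if (is_string($user) && is_string($pass) && login($user, $pass)) {
        header('Location: /');
        exit;
    }
    http_response_code(401);
    exit('bad credentials');
}
```

session_regenerate_id() belongs at every privilege boundary, not only login: a step-up to admin, a password change, or a "remember me" upgrade each deserve a fresh ID.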