[翻译]PHP安全小建议(上)
日期:2012-03-20 浏览次数:20473 次
近日比较关注PHP的安全问题,国内的许多开发者,特别是PHP初学者,很多时候仅满足功能是否实现,对安全的探讨浅尝辄止甚至漠不关心。这样的后果很严重,比如泛滥的SQL注入,甚至还有直接被下载数据库连接文件的……此文译自Cal Evans发表DevZone的系列专题:PHP Security Tip (安全建议/小窍门) 虽然不是最新文章,但提到的许多原则性的东西和经典的做法仍然是值得重视的,绝对是值得一读的好文章,借此抛砖引玉,希望能给大家一点帮助,建立良好的安全意识,了解必要的防范措施。 文中加入本人的理解和注释的地方已经注明,首次翻译,不当之处欢迎指出。谢谢
,原书共21个建议,这是翻译的上部。
PHP Security Tip #1
Cal Evans (editor) 2 comments Thursday, March 1, 2007
Looking for the security silver bullet? I’ve got bad news for you, there isn’t one. Security take an ongoing effort and a lot of little things instead of one big one. This month we are kicking off a new feature on DevZone, “Security Tip of the Week”. To kick this off right we will post one a day during March. Some of these tips will be specific things you can do, some will be general concepts you need to be aware of, all of them will be brief. So without further comment, here’s the first “Security Tip of the Week”.
Comment
MAILING LIST
1:17PM UTC · Rob [unregistered]
It can often be a good idea to join the relevant mailing list. You can find the announcement list for new releases of PHP below.
http://www.php.net/mailing-lists.php
------------------------------------------------------------------------------
PHP安全小建议1
如果你在寻找安全方面的银弹(在西方基督教的传说中,只有银弹击中心脏,才可以杀死恶魔(吸血鬼? 狼人)。在Fred Brooks关于软件工程的著名书籍《人月神话里》和《没有银弹》中,把规模越来越大的软件开发项目比作无法控制的怪物,即希望有一样技术,能够像银弹彻底杀死恶魔那样,彻底解决这个问题。译者注),我有一个坏消息要告诉你,没有银弹。安全问题需要持续不断的努力和大量琐碎的工作而不是作为单一的大问题来解决,这个月我们将在DevZone开始一个新的专题,"一周安全小建议", 作为开始,在三月期间,我们将每天发布一个建议。有些建议将是一些你可以动手做的具体的事情,另一些则是你需要注意的一般概念,所有的建议都很简短,好了,闲话少说,下面开始我们第一个"一周安全小建议"。
评论:
邮件列表
参与相关的邮件列表是一个好主意,你可以在下列地址找到最新的PHP发布新闻的公告列表!
http://www.php.net/mailing-lists.php
------------------------------------------------------------------------------
PHP Security Tip #2
Cal Evans (editor) 3 comments Friday, March 2, 2007
Security by obscurity is no security at all. On the other hand you don't want to give away information about your site either. Today's tip is a simple one but one that is often overlooked in production environments.
Make sure you do not display errors and potentially leak information about your site.
Simply setting display_errors = Off in your php.ini of your production server will prevent you from leaking information that may give intruders hints to the structure of your system. By default, display_errors = On.
You can find more information and error reporting options in the manual's Error Handling and Logging Functions Introduction section.
------------------------------------------------------------------------------
PHP安全建议#2
使用隐藏信息来保证安全不能从根本上起到安全作用(Security by obscurity is no security at all.),但另一方面你也不想泄露你的站点信息。
今天的建议很简单,但在生产环境下却经常被忽视。
务必不要显示错误信息和站点的潜在泄密信息
只要简单地在生产服务器的php.ini 设置display_errors = Off ,就可以防止泄露系统结构信息,让入侵者有机可乘。默认的设置是:display_errors = On.
在手册的错误处理和日志函数介绍一节,你可以找到更多信息和错误报告选项。
------------------------------------------------------------------------------
PHP Security Tip #3
Cal Evans (editor) 1 comment Monday, March 5, 2007
Being Security conscious is a good thing but that alone won’t solve the problem. Developers have to be vigilant when it comes to security. Even then you can’t do it alone. Today’s Security tip reminds you of this.
Since your application may be harboring security vulnerabilities that you have not been exposed to, third-party security software or services should be considered to help bring a fresh perspective and find overlooked weaknesses.
As a developer you should have tools in your toolbox that will help you find security vulnerabilities in your applications. Tools like Chor
