User input validation and security / general security in PHP and programming
I got most of these tips out of a great book published by O'Reilly (my favorite web-design publisher): "Programming PHP, 2nd Ed." by Lerdorf, Tatroe, and McIntyre. Another good book is "Essential PHP Security," also published by O'Reilly.
Regarding user input (e.g. web forms, but pretty much any possible user input):

Always clean your output (to prevent XSS, or Cross-Site Scripting):

Never accept user input for filenames! Write your own filename, perhaps based on pre-cleaned user input, but preferably just an alphanumeric name of your choice (which can be stored in the db for reference). And before you write the file, use the PHP functions "basename" and "realpath" (i.e. basename(realpath($filename)) ) in order to establish exactly where the file would end up if you do write it as is.

Also very important: before creating the file, use the PHP function "umask," i.e. umask(077), so that files have their permissions locked down before they are created. This prevents someone from accessing the file before you have time to manually change the permissions.

Whenever a user logs in, use the PHP function "session_regenerate_id" to prevent fraudulent access to their account or a session-fixation attack.

More to come... Please post your own.
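The filename, umask and session_regenerate_id advice in the post above, as an added PHP example that is not code from the original post. UPLOAD_DIR, the function names and the name/extension patterns are assumptions; because realpath() returns false for a file that does not exist yet, the example resolves the target directory and validates the basename separately instead of calling basename(realpath($filename)) on the not-yet-written file.

```php
<?php
// Added example, not code from the original post. UPLOAD_DIR is an assumed location.
const UPLOAD_DIR = __DIR__ . '/uploads';

// Never use the user's filename: generate an alphanumeric one and keep only a
// whitelisted extension (anything else becomes ".bin").
function generateStorageName(string $userExtension): string
{
    $ext = strtolower($userExtension);
    if (preg_match('/^[a-z0-9]{1,5}$/', $ext) !== 1) {
        $ext = 'bin';
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Establish exactly where the file would end up. realpath() returns false for a path
// that does not exist yet, so resolve the directory first and append basename($name).
function safeTargetPath(string $name): string
{
    $base = realpath(UPLOAD_DIR);
    if ($base === false) {
        throw new RuntimeException('upload directory does not exist');
    }
    $leaf = basename($name);
    if (preg_match('/^[A-Za-z0-9]+\.[a-z0-9]{1,5}$/', $leaf) !== 1) {
        throw new RuntimeException('unexpected filename');
    }
    return $base . DIRECTORY_SEPARATOR . $leaf;
}

// Write user-supplied content under a name we chose, with permissions locked down
// (umask 077 => the new file is created 0600) before the file exists.
function storeUserFile(string $content, string $originalName): string
{
    $target = safeTargetPath(generateStorageName(pathinfo($originalName, PATHINFO_EXTENSION)));
    $oldMask = umask(077);
    $ok = file_put_contents($target, $content, LOCK_EX);
    umask($oldMask); // restore the process-wide umask for the rest of the request
    if ($ok === false) {
        throw new RuntimeException('write failed');
    }
    return $target;
}

// After a successful login (session_start() already called), issue a fresh session id
// so an id fixed in advance by someone else cannot be reused for this account.
function onLoginSuccess(int $userId): void
{
    session_regenerate_id(true); // true: delete the old session's data
    $_SESSION['user_id'] = $userId;
}
```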