What security issues should I look out for in PHP

Backend · Unresolved · 18 · 1901
挽巷 2020-11-29 01:51

I'm just starting out learning PHP; I've been developing web apps in ASP.Net for a long time. I was wondering if there are any PHP-specific security mistakes that I should be

18 answers
  • 2020-11-29 02:20

    Have a look at the Suhosin Hardening Patch, and check out the security vulnerabilities that it addresses.

  • 2020-11-29 02:21

    The PHPSec Guide gives a good overview.

  • 2020-11-29 02:22

    Don't use "Register Global Variables", and filter user input for XSS and injections.

  • 2020-11-29 02:22

    There are tons of safety precautions. I can recommend a book: Chris Shiflett, PHP and Web Application Security.

    http://phpsecurity.org/

  • 2020-11-29 02:26
    • Cross Site Scripting (XSS) Wiki, Google
    • Cross Site Request Forgery (XSRF/CSRF) Wiki, Google (thanks Rook)
      • Session Fixation Wiki, Google
    • SQL Injection (SQLi) Wiki, Google
    • Turn off error messages in Production environments
    • Keep any "include" code in a directory that is not web-accessible (either deny access or keep it outside of the webroot)
    • Here's an article I wrote about storing passwords in a secure way, and if you don't feel like taking my word for it, check the links at the bottom.
    • Also linked in my article, but given its own separate link here, is a paper published by M.I.T. called The DOs and DON'Ts of Client Authentication on the Web [PDF]. While some of its info (recommendation to use MD5 hash, for one) is somewhat out of date simply because of what-we-know-now versus what-we-knew-then, the overall principles are very strong and should be considered.
    • One of Rook's links reminded me of another important set of restrictions:
      • Turn off Register Globals (This is the default now, so I hadn't mentioned it before)
      • When dealing with file uploads, be sure to use is_uploaded_file() to validate that a file was uploaded and move_uploaded_file() instead of copy() or rename().
        • Read this section of the PHP Manual if you need to know why (and you do).
    • Since I've now mentioned him twice, check out Rook's answer (https://stackoverflow.com/questions/2275771/what-are-the-most-important-safety-precautions-that-a-php-developer-needs-to-know#2275788), as it includes a link to a document which contains (non-PHP-specific) information on the most important security concerns (and this is therefore probably the right answer).
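An added example (not code from the answer above) of the upload handling it recommends: validate with is_uploaded_file(), relocate with move_uploaded_file() rather than copy() or rename(), and keep the stored file out of the webroot. The field name "avatar", the size limit, the allowed types and the storage directory are assumptions for the example.

```php
<?php
declare(strict_types=1);

const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;                      // 2 MiB cap, chosen for this example
const ALLOWED_MIME = ['image/png' => 'png', 'image/jpeg' => 'jpg'];

/**
 * Store one uploaded file from $_FILES[$field] under $storeDir (a directory
 * outside the webroot) and return the new path. Throws on any check failure.
 */
function storeUpload(string $field, string $storeDir): string
{
    if (!isset($_FILES[$field]) || $_FILES[$field]['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('No file uploaded or upload failed');
    }
    $tmp = $_FILES[$field]['tmp_name'];

    // is_uploaded_file() is true only for files PHP itself received in this
    // request, so a forged tmp_name pointing at some other server file is rejected.
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('Path is not an uploaded file');
    }
    if (filesize($tmp) > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('File too large');
    }

    // Determine the type from the file's bytes, not from the client-supplied
    // name or from $_FILES[$field]['type'], which the client controls.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if (!isset(ALLOWED_MIME[$mime])) {
        throw new RuntimeException('Unsupported file type');
    }

    // Never reuse the client's filename: a generated name means traversal
    // sequences or a double extension in the original name cannot matter.
    $dest = rtrim($storeDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED_MIME[$mime];

    // move_uploaded_file() repeats the is_uploaded_file() check before moving;
    // copy() and rename() do not.
    if (!move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('Could not store file');
    }
    return $dest;
}

// Usage (assumed field name and directory):
// $path = storeUpload('avatar', '/var/app/uploads');
```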
  • 2020-11-29 02:28

    OWASP provides a lot of insight into the security issues that are the biggest problems in applications today. It is nice to see that they have a PHP-dedicated page available:

    http://www.owasp.org/index.php/PHP_Top_5
