Make web application secure
I wanted to make a new PHP web application; if I follow the following things, will my site then be safe?
Security is not something that can be bolted on - it's a constant process of improvement.

addslashes will not help you - you need to be escaping the output with htmlentities. There are many more things to consider for security, like XSS, CSRF...

If you can, get the book The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws. It's full of useful advice.

And, I'll say it again - security is not a feature - it's a measurement. There is no 100% secure application (or anything, actually). The assumption of security is to make breaking it more expensive than what's behind it - if your site is dealing with money, you need more security; if you are dealing with gift cards, you might get away even without doing the things you suggested (which would be a very bad idea, but still).
Unfortunately there is a lot that can go wrong with web application security. I recommend reading the OWASP Top 10. Also, make sure to read #5 XSRF.
"Escaping" input doesn't say very much. Data can be used in many different insecure ways. For instance, the best way to prevent XSS for PHP is:

```php
// Encode on output; ENT_QUOTES also converts single quotes
htmlspecialchars($_GET['var'], ENT_QUOTES);
```

A good way to prevent SQL injection for MySQL is:

```php
// The escaped value must sit inside single quotes in the query
mysql_query("select * from mysql.user where id='" . mysql_real_escape_string($id) . "'");
```

Make sure you put the quote marks around all variables, or the query will be vulnerable to SQL injection. But a more bulletproof approach is using parametrized queries (adodb, pdo...). But XSS and SQL injection are only the tip of the iceberg; a whole lot more can go wrong with PHP. I recommend reading the FREE paper A Study in Scarlet for specifically PHP security pitfalls.
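As an added example (not code from any of the answers above), the parametrized query and output escaping the last answer recommends, written with PDO against an in-memory SQLite table and a constructed request value so it runs offline:

```php
<?php
// Added example: PDO prepared statement versus string concatenation, plus
// htmlspecialchars on output. The table, rows and input are all constructed.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO user (id, name) VALUES (1, 'alice'), (2, 'bob')");

// Constructed request value: a quote that closes the literal, then an
// always-true condition, the classic shape of an injection attempt.
$untrustedId = "1' OR '1'='1";

// Concatenation with the escaping step left out: the quote ends the
// literal, the OR clause becomes part of the query, and every row comes back.
$concatenated = $pdo->query(
    "SELECT name FROM user WHERE id='" . $untrustedId . "'"
)->fetchAll(PDO::FETCH_COLUMN);
echo 'concatenated: ' . implode(',', $concatenated) . PHP_EOL;

// Prepared statement: the value is bound as data and never parsed as SQL,
// so the whole string is compared against the id column and matches nothing.
$stmt = $pdo->prepare('SELECT name FROM user WHERE id = :id');
$stmt->execute([':id' => $untrustedId]);
$bound = $stmt->fetchAll(PDO::FETCH_COLUMN);
echo 'prepared: ' . implode(',', $bound) . PHP_EOL;

// Output escaping: encode when writing into HTML, not when reading input.
// ENT_QUOTES encodes both quote styles so the value is safe inside an
// attribute; ENT_SUBSTITUTE avoids an empty string on invalid UTF-8.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed value that tries to close the attribute and add a handler.
$untrustedName = '<script>alert(1)</script>" onmouseover="x';
echo '<input value="' . escapeHtml($untrustedName) . '">' . PHP_EOL;
```

Run it and compare the two result lines: the concatenated query lists both users, the bound query lists none, and the rendered input keeps the hostile name as inert text.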