ulovko posted on 2012-07-12 19:49

5 PHP Security Measures

This post was last edited by ulovko on 2012-07-12 19:51

For many years, PHP has been a stable, inexpensive platform for running web-based applications. Like most web-based platforms, PHP is also vulnerable to external attacks. Developers, database architects and system administrators should all take precautions before deploying a PHP application to a server. Most of these precautions can be accomplished with a few lines of code or a slight adjustment to the application's settings.

#5: Manage Setup Scripts

If the developer has installed a set of PHP scripts from a third-party application, the scripts that install the application's working components also provide an access point. Most third-party packages recommend deleting the directory containing the setup scripts after installation. Developers who want to keep the setup scripts can instead create an .htaccess file that controls access to the administrative directory:

AuthType Basic
AuthName "Administrators Only"
AuthUserFile /usr/local/apache/passwd/passwords
Require valid-user

Any unauthorized user who tries to access a protected directory will see a prompt asking for a username and password. The password must match the one in the specified "passwords" file.

#4: Include Files

In many cases a developer will reuse one script in several parts of an application. Those scripts contain an "include" directive that integrates the single file into the code of the original page. When the "include" file contains sensitive information such as usernames, passwords and database access keys, the file should be given a ".php" extension rather than the typical ".inc" extension. The ".php" extension ensures that the PHP engine will process the file and prevents any unauthorized access.

#3: MD5 vs. SHA

In some cases end users create their own usernames and passwords, and the site administrator usually encrypts the password submitted through the form before saving it in the database. In past years, developers used the MD5 (Message Digest algorithm) function to encrypt a password into a 128-bit string. Today, many developers use the SHA-1 (Secure Hash Algorithm) function to create a 160-bit string.

#2: Automatic Global Variables

The php.ini file contains a setting called "register_globals". Depending on the register_globals setting, the PHP server will automatically create global variables for server variables and query strings. When installing third-party packages, such as content management software like Joomla and Drupal, the installation script will direct the user to set register_globals to "off". Changing the setting to "off" ensures that unauthorized users cannot access data by guessing variable names and thereby passing password validation.

#1: Initialize Variables and Values

Many developers fall into the trap of instantiating variables without assigning them values, whether because they were distracted by time constraints or through lack of effort. Variables used in the authentication process should already have values before the user's login procedure begins. This simple step can prevent users from bypassing the verification routine or accessing areas of the site they have no permission for.

FROM: http://www.developerdrive.com/2012/07/5-php-security-measures/


For many years, PHP has been a stable, inexpensive platform on which to operate web-based applications. Like most web-based platforms, PHP is vulnerable to external attacks. Developers, database architects and system administrators should take precautions before deploying PHP applications to a live server. Most of these techniques can be accomplished with a few lines of code or a slight adjustment to the application settings.

#5: Manage Setup Scripts
If the developer has installed a set of PHP scripts from a third-party application, the scripts the application uses to install the working components can also provide an access point to unscrupulous users. Most providers of third-party packages recommend removing the directory containing the setup scripts shortly after installation. For developers who wish to retain the setup scripts, they can create an .htaccess file that controls access to the administrative directories.

AuthType Basic
AuthName "Administrators Only"
AuthUserFile /usr/local/apache/passwd/passwords
Require valid-user

Any unauthorized user who attempts to bring up a protected directory will see a prompt for a username and password. The password must match the assigned password specified in the "passwords" file.

#4: Include Files
In many instances, developers may use an individual file in several portions of an application. These scripts will contain an "include" directive that incorporates the code of the individual file into that of the originating page. When the "include" file contains sensitive information, including usernames, passwords or database access keys, the file should have a ".php" extension, rather than the typical ".inc" extension. The ".php" extension ensures that the PHP engine will process the file and prevent any unauthorized views.

#3: MD5 vs. SHA
In situations where end users create their own usernames and passwords, site administrators will often include functionality to encrypt the password data before the form submits the form field entry to the database field. In past years, developers have used the md5 (Message Digest algorithm) function to encrypt passwords into a 128-bit string. Today, many developers use the SHA-1 (Secure Hash Algorithm) function to create a 160-bit string.

#2: Automatic Global Variables
The php.ini file contains a setting called "register_globals". When the register_globals setting is on, the PHP server will create automatic global variables for many of the server's variables and query strings. When installing third-party packages, such as content management software like Joomla and Drupal, the installation scripts will direct the user to set register_globals to "off". Changing the setting to "off" ensures that unauthorized users cannot access data by guessing the name of the variable that validates passwords.

#1: Initialize Variables and Values
Many developers have fallen into the trap of instantiating variables without defining their values, either due to time constraints, distractions, or lack of effort. Variables that validate the authentication process should have values instantiated before the login procedure begins. This simple step can prevent users from bypassing the verification routine or accessing areas of the site to which their privileges do not entitle them.
These steps can block users from starting a new session on an application, but what about protecting data during a session? Next week's lesson will examine PHP session security.
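Added example for point #3 (not part of the original article or the quoted post): the article describes md5() and sha1() as ways to "encrypt" passwords, but both are unsalted, fast digests, so equal passwords produce equal digests and precomputed tables apply. The block below uses PHP's own password_hash()/password_verify() API (PHP 5.5+; the typed signatures need PHP 7.1+) and shows a migration path for rows that still hold a bare md5 or sha1 digest. The user table, the names alice/bob/carol and the passwords are constructed for the example.

```php
<?php
// Added example, not from the original article: password storage with
// password_hash()/password_verify(), plus in-place upgrade of legacy digests.

/** Register a user: store only a salted, deliberately slow hash (bcrypt by default). */
function registerUser(array &$users, string $name, string $password): void
{
    $users[$name] = password_hash($password, PASSWORD_DEFAULT);
}

/** True if $value looks like a bare md5 (32 hex chars) or sha1 (40 hex chars) digest. */
function isLegacyDigest(string $value): bool
{
    return (bool) preg_match('/^(?:[0-9a-f]{32}|[0-9a-f]{40})$/i', $value);
}

/**
 * Verify a login. Legacy rows are compared in constant time against the old
 * digest and, on success, transparently re-stored with password_hash().
 */
function loginUser(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    $stored = $users[$name];

    if (isLegacyDigest($stored)) {
        $candidate = strlen($stored) === 32 ? md5($password) : sha1($password);
        if (!hash_equals($stored, $candidate)) {   // known value first, user-derived second
            return false;
        }
        $users[$name] = password_hash($password, PASSWORD_DEFAULT); // upgrade in place
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    // Re-hash when the stored hash predates a stronger default algorithm or cost.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$name] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

function report(string $label, bool $ok): void
{
    echo ($ok ? 'PASS' : 'FAIL') . ': ' . $label . PHP_EOL;
}

// --- Demonstration with a constructed in-memory user table ---
$users = [];
registerUser($users, 'alice', 'correct horse battery staple');
registerUser($users, 'carol', 'correct horse battery staple');
$users['bob'] = md5('hunter2');   // a legacy row exactly as an old md5()-based app stored it

report('same password, different stored hashes (random salt)', $users['alice'] !== $users['carol']);
report('alice: correct password accepted', loginUser($users, 'alice', 'correct horse battery staple'));
report('alice: wrong password rejected',  !loginUser($users, 'alice', 'wrong'));
report('bob: legacy md5 row still logs in', loginUser($users, 'bob', 'hunter2'));
report('bob: row upgraded after login',    !isLegacyDigest($users['bob']));
report('bob: upgraded row verifies',        password_verify('hunter2', $users['bob']));
report('unknown user rejected',            !loginUser($users, 'dave', 'anything'));
```

Every line should print PASS. The point of the legacy branch is that a site does not need to know anyone's plaintext password to migrate away from md5/sha1: each account is upgraded the next time its owner logs in, and rows that never log in again can be expired separately.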

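Added example for points #2 and #1 (not part of the original article or the quoted post): the two problems the article lists combine into one bug. With register_globals on, every request parameter became a PHP variable before the script ran, so an authorization flag that is only ever assigned on success could be pre-set by the request. register_globals was removed in PHP 5.4; the block below reproduces its effect with extract() so the behaviour can be seen on a current interpreter, and shows the hardened form beside it. The credentials, the request arrays and the helper names are constructed for the example.

```php
<?php
// Added example, not from the original article: the uninitialised-flag login
// check the article warns about, next to a hardened version.

// Constructed credentials for the example only.
const DEMO_USER = 'admin';
const DEMO_PASS = 'correct horse battery staple';

function validCredentials(string $user, string $pass): bool
{
    // Constant-time comparison so the check does not leak a matching prefix via timing.
    return hash_equals(DEMO_USER, $user) && hash_equals(DEMO_PASS, $pass);
}

/**
 * Vulnerable pattern: $authorized is assigned only on success and never
 * initialised. extract() stands in for register_globals here: every request
 * parameter becomes a variable in this scope before the check runs.
 */
function loginVulnerable(array $request): bool
{
    extract($request);
    if (isset($username, $password) && validCredentials($username, $password)) {
        $authorized = true;
    }
    return !empty($authorized);
}

/**
 * Hardened pattern: the flag is initialised before any logic runs, and inputs
 * are read explicitly from the request array instead of becoming variables.
 */
function loginHardened(array $request): bool
{
    $authorized = false;
    $username = (string) ($request['username'] ?? '');
    $password = (string) ($request['password'] ?? '');
    if (validCredentials($username, $password)) {
        $authorized = true;
    }
    return $authorized;
}

/** Deployment check: true unless an old interpreter still has register_globals on. */
function registerGlobalsIsOff(): bool
{
    // ini_get() returns false when the directive no longer exists (PHP >= 5.4).
    return !filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN);
}

function report(string $label, bool $ok): void
{
    echo ($ok ? 'PASS' : 'FAIL') . ': ' . $label . PHP_EOL;
}

// Constructed requests standing in for $_GET / $_POST.
$goodLogin = ['username' => 'admin', 'password' => 'correct horse battery staple'];
$badLogin  = ['username' => 'admin', 'password' => 'guess'];
$noCreds   = ['authorized' => '1'];   // no username or password at all

report('vulnerable: valid credentials accepted',  loginVulnerable($goodLogin));
report('vulnerable: wrong password rejected',    !loginVulnerable($badLogin));
report('vulnerable: request without credentials rejected', !loginVulnerable($noCreds));
report('hardened: valid credentials accepted',    loginHardened($goodLogin));
report('hardened: wrong password rejected',      !loginHardened($badLogin));
report('hardened: request without credentials rejected', !loginHardened($noCreds));
report('register_globals is off',                 registerGlobalsIsOff());
```

Running it, the third line is the only FAIL: loginVulnerable() returns true for a request that carries no credentials, because the flag was already set when the function's own check was skipped. Initialising $authorized = false at the top is the fix for #1; reading inputs only from $_GET/$_POST (or an injected request array) and never calling extract() on request data is the modern equivalent of keeping register_globals off for #2. The same pattern applies to any variable whose absence is treated as "not set": $isAdmin, $loggedIn, $userId and the like.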
maochanglu posted on 2012-07-13 11:06

#2: Automatic Global Variables
In the latest versions of PHP this is off by default.