原文：http://devzone.zend.com/article/1821-PHP-Security-Tip-12

We’ve talked about filtering, we’ve talked about validating, we’ve talked about filtering again. Filtering inputs into your application is an important concept and the pre-cursor to many good security practices. However, once you have the input filtered and validated you can’t simply sit back and relax. You have to stay vigilant when programming to ensure security throughout your application.

我们曾经谈到了关于过滤，我们还谈到了有关校验，我们又要讨论有关过滤的话题了。在往你的程序里加入过滤后的信息是一个非常重要的概念，而且这是许 多好的安全策略的前奏。然而即便你已经对输入的信息进行了过滤以及校验还是不可以就此放松，你必须保持警惕确保你的程序在运行过程中是安全的。

 

Filtering input gives some developers a false sense of security. They assume that since they;ve filtered the input, there’s no reason to worry. That may be true in some simple instances but in most complex applications, you have to constantly be aware of what you are using the input for. This is never more true than when using user input in the eval() command. That brings us to today’s tip:

输入信息的过滤有时候会给开发人员错误的安全感。因为他们为输入的信息进行了过滤而假设它是安全的，所以没必要担心。在一些简单的要求下这或许是正 确的，但在复杂的程序面前，你就必须不断的察觉到自己所使用的输入信息。当使用了在eval()命令中的用户输入信息这将不再是正确的。

Think carefully before using eval()
在使用eval()前进行仔细的考虑

By using user-inputted values in an eval(), you are potentially giving a malicious user a gateway to your server. Even if your interface forces them to chose only predefined options, the call to your script can be spoofed and your script can potentially be used to execute commands on demand by people who want to do bad things.

在使用eval()内的用户输入信息时，你正在给那些来意不善的用户一个进入你服务器的入口。即便你的界面强制他们只能选择预先规定好的选选项，还是可以欺骗你所调用的脚本以及你那些潜在的可用来执行那些想做坏事的家伙想要的命令。

Use eval() sparingly. When you do have to use it, make sure you filter and then validate the input. If there are other ways to accomplish the task then consider using them instead.

谨慎的使用eval() 函数，当你必须得使用它的时候，要确保你有对输入信息的过滤以及后面的校验过程 。如果有其他方法可以完成同样的效果，那就使用它们来替代eval()。

评论 (0) All

登陆 | 还没注册？