原文出处：http://devzone.zend.com/article/1815-PHP-Security-Tip-10
翻译：[email protected]

Even when doing everything correctly, it’s still possible to build PHP applications that are insecure. Security requires constant vigilance. One thing you always have to keep your eye on is any script or form that sends an email based on use input.

哪怕是在建立PHP程序时每样工作都做的很到位还是有可能出现安全问题。安全需要做到时刻警觉。有个东西是需要你必须注意的，那就是任何基于 input 发送邮件的脚本或是表单

Many applications written in PHP use the built-in mail() function to respond to user input by triggering an email.

有很多程序通过内置的 mail() 函数通过触发邮件来反馈给用户。

Do not blindly send mail using information entered into a form.
当用到给表单输入信息的时候请不要盲目的使用发送邮件

As we’ve discussed in other tips on PHP security, you have to make sure you properly filter and validate your user input. If you do not properly filter your input, it becomes easy for someone to perform an email header injection and spam thousands of people before you’ll even notice.

正如我们在其他PHP安全技巧讨论到的一样。你必须确保你正确的过滤并检验过你用户的输入信息。如果没有那么甚至在你察觉之前对于某些人来说执行一个邮件 header 注入给成千上万的人发送垃圾信息将变的非常容易。

For further reading on email header injection, I recomend this page at securephpwiki.com.

要了解到有关邮件 header 注入相关的信息，我推荐在securephpwiki.com上的 这页

评论 (0) All

登陆 | 还没注册？