Original source: http://devzone.zend.com/article/1817-PHP-Security-Tip-11
Translation: [email protected]
I think we can all agree that users are at once the boon and the bane of our applications. On the one hand, if it weren't for users, we wouldn't have security problems. On the other hand, if we didn't have users, we wouldn't need the application in the first place. So we can also agree that, in most cases, users aren't going away. This means we have to factor them into our security mindset. One good principle to adopt is:
The Principle of Least Privilege
Grant users only the permissions they need, and no more.
This is a basic programming principle, and it can be seen most readily in Unix security (translator's note: a Unix system assigns permissions to each system user individually). In Unix, a user has no access to a resource until that access has been explicitly granted; the default is denial. Permissions are granted so as to give the user the least permission necessary to use the resource. We can adopt the same concept when building our applications by considering carefully which users actually need to reach each page and each feature, and granting access only to them.
Most modern PHP frameworks have the concepts of authentication and access control. The two are separate issues: authentication establishes who the user is, while access control decides what that user may do. In the Zend Framework, authentication is handled by Zend_Auth, and access control by Zend_Acl.
Whichever framework you use, good security practice means carefully considering the access restrictions you place on each page or feature. Wherever possible, limit access to the smallest number of users that still lets the application do its job.