原文出处：http://devzone.zend.com/article/1767-PHP-Security-Tip-5
翻译：[email protected]

PHP security is an ongoing mission requiring the programmer to think outside of the parameters of the application. It’s not enough these days to say in your mind “Does this do what I want it to do?” you also have to take into consideration “What else can people use it for and do I want to allow that?” Today’s Security tip is a proverb that all programmers should have to recite daily.

PHP的安全性是一个进行中的任务，需要程序员去考虑程序外面的因素。现在脑子里光说着“这是否已经做到我要它做的？”已经远远不够了。你还得进一步思考“人们用它还能干些什么，我是否允许他们这么做？”今天的安全技巧就是一段所有程序员每天都需要背诵的谚语。

Never trust the user.
永远不要相信用户

It’s a sad fact of life but users are evil. Users want nothing more than to find a way to exploit your application. As soon as you let your guard down and start thinking “I’m only selling small stuffed animals so how evil can my users really be?” you’ve lost the battle.

这是个悲哀的但又无法改变的事实，有些用户是邪恶的。用户无非是想找到一个方法来“开拓”你的程序应用。一旦你放松警惕并开始想“我只是卖卖那些喂饱了的小动物，我的用户会邪恶到哪里去呢？”那你已经在战斗中败下阵来

Ok, maybe it’s not quite that dire but you do have to keep a wary eye on some of your users. That’s where the second proverb that all programmers should recite daily comes in.

好了，或许这不是那么可怕但你还是必须时刻对你的用户保持警惕。
这就是所有程序员第二句必须每天背诵的谚语

Filter Input, Escape Output [FIEO]
过滤输入信息，对输出的信息进行转换

Yes, FIEO (ok, it’s not as cool sounding as GIGO) is one of the mantras that all security minded programmers have live by.

是的，FIEO(好了好了，虽然这个没有像GIGO听上去那么酷)这就是所有带有安全意识程序员的赖以生存的口诀。

评论 (0) All

登陆 | 还没注册？