原文出处：http://devzone.zend.com/article/1778-PHP-Security-Tip-6
翻译：[email protected]

The topic of writing secure applications in PHP covers more than just writing good PHP code. Most applications make use of a database of some kind. Many times, vulnerabilities that affect the entire application, are introduced when building the SQL code. Today's Tip of the Day deals with one easy solution developers can implement.

在书写安全的PHP应用程序这个话题上要涵概的内容可不仅仅是书写优秀的PHP代码。
大多数应用程序会使用了一些数据库。大多数正是在建立SQL代码并在引用的时候，漏洞影响到了整个应用程序。今天的安全技巧将通过一个简单的解决方案来处理此类问题。

When dealing with numbers in a SQL query, always cast.
每当处理SQL查询中的数字时，要记得指引
(译者注：个人认为这里的cast有指引的意思，不要超过它可指定的范围或是类型)

Even if you are filtering your input, a good and easy to implement safety measure is to cast all numeric values in the SQL statement. Take for example the following code.

即便你过滤了输入的信息，将SQL声明中所有数字型的值进行指引也不失为一个又好又容易执行的安全方法。下面的代码就是个举例。

$myId = filter_var($_GET['id'],FILTER_VALIDATE_INT);
$sql = 'SELECT * FROM table WHERE id = '.$myId;

Even though you are applying the native PHP filters built into PHP 5.2, there is something additional you can do. Try this instead.

尽管你应用了内置于PHP5.2的过滤器，这还是有一些东西是你应该加上去的，用下面这段替换上面的代码。

$myId = filter_var($_GET['id'],FILTER_VALIDATE_INT );
$sql = 'SELECT * FROM table WHERE id = '.(int)$myId;

This final cast of the variable to an int removes any doubt about what will be passed to MySQL. The example above is purposefully simplified. In real-life situations, the code would be more complex and the chance for error much greater. By applying the final cast to in building the select statement, you are adding one more level of safety into your application.

最后将要传送给MYSQL的变量经过指引毫无疑问是int类型。
上面的举例目的非常简单。在实际应用中可能会复杂一些并有很大的几率会出现错误。通过应用内置于select 声明的指引将会让你的应用程序安全度进一步提高

评论 (0) All

登陆 | 还没注册？