原文出处：http://devzone.zend.com/article/1793-PHP-Security-Tip-8
翻译：[email protected]

Withing PHP security topics, there is always more than one way to accomplish a task. Many times it's by combining tactics that we achieve the best security. We've already talked about filtering but beyond filtering we still need to be vigilant and validate input coming in from a user. This brings us to our PHP security of the day.

在PHP安全性这个话题上，总归有多种方法来完成某个任务。许多时候到达到最好的安全效果需要通过多结合性的策略。我们已经谈到了有关过滤的话题但除了过滤我们还需要警惕并要验证来自用户输入的信息。今天的PHP安全由此展开。

Always validate user input.
始终要检验用户的输入信息

Take for example the following code:
以下面的代码做为举例：

 

<?php
$myFile = filter_var($_GET['file'], FILTER_SANITIZE_STRING);
include($myFile);
?>

Calling http://example.com/file.php?file=home.php will cause your script to include the file home.php in your current directory. However, if someone comes along and requests http://example.com/file.php?file=badcode.php you will be potentially exposing yourself to executing their code, or your code that you do not want executed in that context.

调用 http://example.com/file.php?file=home.php 将会导致你的脚本去包含当前目录中的文件home.php。如果某人请求了 http://example.com/file.php?file=badcode.php 那你将有潜在的可能性会去执行他们的脚本，或是执行你的代码中不想执行的那一部分。


Do not depend solely on file_exists(). Just because it's a local file does not mean that it's a valid file or even that it's your file. Don't give hackers an easy easy to execute their code on your server.

不要单独依靠file_exists()函数。因为这仅仅为本地文件而并不意味着这是个有效的文件甚至这是否为你的文件（都不得而知）。不要给黑客任何简单的方法在你的服务器上执行他们的代码。

To protect against this, always filter and validate:
要阻止这些，就要始终对信息进行过滤和检验

<?php
// filter
$myFile = filter_var($_GET['file'], FILTER_SANITIZE_STRING);

// Then validate
$valid = array('home.php', 'about.php');
If (!in_array($myFile, $valid)) {
 die('Leave, evil hacker');
}

include($myFile);

?>

评论 (0) All

登陆 | 还没注册？