[Translation] PHP Security Tips (Part 1)


  Recently I have been paying close attention to PHP security. Many developers in China, especially PHP beginners, are often satisfied merely with whether a feature works; they explore security only superficially or ignore it altogether. The consequences are serious: rampant SQL injection, and even database connection files being downloaded directly. This article is translated from Cal Evans's series on DevZone, PHP Security Tip. Although these are not the latest articles, many of the principles and classic practices they mention are still worth attention, and they are absolutely worth reading. I offer this translation to start the discussion, hoping it helps everyone a little in building good security awareness and understanding the necessary precautions. Places where I have added my own understanding and notes are marked. This is my first translation; corrections are welcome. Thank you. The original series has 21 tips; this is the first half of the translation.

  PHP Security Tip #1

  Cal Evans (editor) 2 comments Thursday, March 1, 2007

  Looking for the security silver bullet? I’ve got bad news for you, there isn’t one. Security takes an ongoing effort and a lot of little things instead of one big one. This month we are kicking off a new feature on DevZone, “Security Tip of the Week”. To kick this off right we will post one a day during March. Some of these tips will be specific things you can do, some will be general concepts you need to be aware of, all of them will be brief. So without further comment, here’s the first “Security Tip of the Week”.

  Comments:

  MAILING LIST

  1:17PM UTC · Rob [unregistered]

  It can often be a good idea to join the relevant mailing list. You can find the announcement list for new releases of PHP below.

  http://www.php.net/mailing-lists.php

  ------------------------------------------------------------------------------

  PHP Security Tip 1

  If you are looking for a security silver bullet (in Western Christian legend, only a silver bullet through the heart can kill a demon (a vampire? a werewolf?). In Fred Brooks's famous software engineering works, The Mythical Man-Month and No Silver Bullet, ever-larger software projects are compared to uncontrollable monsters, and the hope is for a technique that could solve the problem completely, just as a silver bullet kills the demon outright. Translator's note), I have bad news for you: there is no silver bullet. Security requires continuous effort and a great deal of small, tedious work rather than being solved as one big problem. This month we will start a new feature on DevZone, "Security Tip of the Week". To kick it off, during March we will publish one tip every day. Some tips will be concrete things you can do; others will be general concepts you need to be aware of. All of them will be brief. Enough chatter; here is our first "Security Tip of the Week".

  Comments:

  MAILING LIST

  Joining the relevant mailing lists is a good idea. You can find the announcement list for new PHP releases at the address below.

  http://www.php.net/mailing-lists.php

  ------------------------------------------------------------------------------

  PHP Security Tip #2

  Cal Evans (editor) 3 comments Friday, March 2, 2007

  Security by obscurity is no security at all. On the other hand you don't want to give away information about your site either. Today's tip is a simple one but one that is often overlooked in production environments.

  Make sure you do not display errors and potentially leak information about your site.

  Simply setting display_errors = Off in your php.ini of your production server will prevent you from leaking information that may give intruders hints to the structure of your system. By default, display_errors = On.

  You can find more information and error reporting options in the manual's Error Handling and Logging Functions Introduction section.

  ------------------------------------------------------------------------------

  PHP Security Tip #2

  Security by obscurity provides no fundamental security, but on the other hand you do not want to leak information about your site either.

  Today's tip is simple, but it is often overlooked in production environments.

  Make sure you do not display error messages and potentially leak information about your site.

  Simply setting display_errors = Off in the php.ini of your production server prevents leaking information about the structure of your system that would give intruders an opening. The default setting is display_errors = On.

  In the Error Handling and Logging Functions Introduction section of the manual, you can find more information and error reporting options.
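  As an added example that is not part of the original article or the PHP manual, here is a production bootstrap that applies Tip #2 at runtime and checks the settings PHP is actually running with; the log path is an assumed placeholder, and php.ini remains the authoritative place for these directives.

```php
<?php
// Added example, not from the original article. Applies the Tip #2
// settings at runtime (php.ini stays the authoritative place) and then
// audits what PHP is actually running with.
declare(strict_types=1);

// Production values: never display, always log, report everything so the
// log stays complete even though the browser sees nothing.
ini_set('display_errors', '0');
ini_set('display_startup_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app-error.log'); // assumed path
error_reporting(E_ALL);

// Returns the directives that still leak information; an empty array
// means the running configuration matches the tip.
function auditErrorDisplay(): array
{
    $problems = [];
    // ini_get() returns the raw value: "1", "On", "stderr", "stdout", ...
    $display = strtolower((string) ini_get('display_errors'));
    if (!in_array($display, ['', '0', 'off', 'false', 'no'], true)) {
        $problems[] = "display_errors is enabled ({$display})";
    }
    if (!filter_var(ini_get('log_errors'), FILTER_VALIDATE_BOOLEAN)) {
        $problems[] = 'log_errors is disabled, so errors are lost entirely';
    }
    return $problems;
}

// With display_errors on, a broken include shows the visitor a line such
// as this constructed sample, which reveals the server's directory layout:
//   Warning: include(/var/www/app/config/db.php): Failed to open stream
// These handlers keep that detail in the log and give the browser a
// generic message instead.
set_error_handler(function (int $no, string $msg, string $file, int $line): bool {
    error_log(sprintf('PHP error %d: %s in %s:%d', $no, $msg, $file, $line));
    return true; // handled: PHP will not print its own message
});
set_exception_handler(function (Throwable $e): void {
    error_log(sprintf('%s: %s in %s:%d', get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
    http_response_code(500);
    echo 'An internal error occurred.';
});

if ($problems = auditErrorDisplay()) {
    error_log('Insecure error configuration: ' . implode('; ', $problems));
}
```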

  ------------------------------------------------------------------------------

  PHP Security Tip #3

  Cal Evans (editor) 1 comment Monday, March 5, 2007

  Being security conscious is a good thing but that alone won’t solve the problem. Developers have to be vigilant when it comes to security. Even then you can’t do it alone. Today’s security tip reminds you of this.

  Since your application may be harboring security vulnerabilities that you have not been exposed to, third-party security software or services should be considered to help bring a fresh perspective and find overlooked weaknesses.

  As a developer you should have tools in your toolbox that will help you find security vulnerabilities in your applications. Tools like Chorizo will help you by performing automated scans of your code. Programs like PHPSecInfo will help you ensure that your environment is configured properly.

  Using tools like these and other scanning tools should not be the only thing you do to ensure security. They are however, an important part of the mix. Let trusted projects and vendors help you build and maintain secure applications.

  ------------------------------------------------------------------------------

  PHP Security Tip #3

  Being security conscious is a good thing, but by itself it does not solve the problem. Developers must stay vigilant at all times when it comes to security, and even then it is not enough. Today's security tip is a reminder of this:

  Since your application may contain many security vulnerabilities you have not yet discovered, using third-party security software or services can help give you a clear view of your application and find overlooked weaknesses.

  As a developer, your toolbox should contain tools that help detect security vulnerabilities in your applications. A tool like Chorizo can automatically scan your code to find problems, and a program like PHPSecInfo can make sure your environment is configured correctly.

  Using these tools or other scanning tools alone is not enough to guarantee security, but they are an important part of the overall mix. Trustworthy projects and vendors will help you build and maintain secure applications.

  ------------------------------------------------------------------------------

  PHP Security Tip #4

  Cal Evans (editor) 7 comments Tuesday, March 6, 2007

  “Security through obscurity is no security at all.” so the adage goes. However, the flip side of that coin is, obscurity, when used as part of an overall strategy, is a good thing. There’s no sense in making things any easier for those with malicious intent. That brings us to our security tip for the day.

  Give files and folders with critical information non-default names.

  Don’t rely on obscure names to keep your application safe. You should always check permissions, test for vulnerabilities with testing tools and keep an eye on your log files for suspicious activity. When designing your applications and web sites though, don’t make it easy for bad people to do bad things. Don’t use default or common names for your files and directories.

  Do you have a security tip you would like to share? A nugget of security truth you have gleaned through research or life’s school of hard knocks? Log-in and click the contribute button in the upper right hand corner.

  ------------------------------------------------------------------------------

  PHP Security Tip #4

  As the adage goes, "Security through obscurity is no security at all." On the other hand, obscurity, as part of an overall security strategy, is a good thing; there is no sense in making things easy for people with ill intent. That leads to today's security tip.

  Do not rely on obscure names to keep your application safe. You should regularly check permissions, check for vulnerabilities with testing tools, and keep an eye on your log files for suspicious activity. Even so, when designing applications and websites, do not give people with bad intentions an easy opportunity to do bad things. Do not use default or common names for files or directories.

  Do you have a security tip you would like to share? A golden rule gained through research, or a lesson learned the hard way in real life? Log in and click the contribute button in the upper right to share it with us.

  ------------------------------------------------------------------------------

  PHP Security Tip #5

  Cal Evans (editor) 1 comment Wednesday, March 7, 2007

  PHP security is an ongoing mission requiring the programmer to think outside of the parameters of the application. It’s not enough these days to say in your mind “Does this do what I want it to do?” you also have to take into consideration “What else can people use it for and do I want to allow that?” Today’s Security tip is a proverb that all programmers should have to recite daily.

  Never trust the user.

  It’s a sad fact of life but users are evil. Users want nothing more than to find a way to exploit your application. As soon as you let your guard down and start thinking “I’m only selling small stuffed animals so how evil can my users really be?” you’ve lost the battle.

  Ok, maybe it’s not quite that dire but you do have to keep a wary eye on some of your users. That’s where the second proverb that all programmers should recite daily comes in.

  Filter Input, Escape Output

  Yes, FIEO (ok, it’s not as cool sounding as GIGO) is one of the mantras that all security minded programmers have to live by.

  ------------------------------------------------------------------------------

  PHP Security Tip #5

  PHP security is an ongoing task that requires the programmer to think beyond the parameters of the application. Today it is not enough to think "Does it (the application) do what I want it to do?"; you must also consider "What else can people use it for, and do I want to allow that?" Today's security tip is a proverb that every programmer must recite daily:

  Never trust the user.

  Users are evil, sad as that fact of life is. They will go to any length to break your application. As soon as you let your guard down and think, "I'm only selling small stuffed animals (a metaphor for developing applications, translator's note); can my users really be that evil?", you have already lost the battle.

  Well, maybe things are not quite that dire, but you still need to stay wary of some of your users. Here comes the second proverb every programmer must recite daily:

  Filter Input, Escape Output

  Yes, FIEO (fine, it does not sound as cool as GIGO) is one of the mantras that all security-minded programmers live by.

  ------------------------------------------------------------------------------

  PHP Security Tip #6

  Cal Evans (editor) 5 comments Thursday, March 8, 2007

  The topic of writing secure applications in PHP covers more than just writing good PHP code. Most applications make use of a database of some kind. Many times, vulnerabilities that affect the entire application are introduced when building the SQL code. Today's Tip of the Day deals with one easy solution developers can implement.

  When dealing with numbers in a SQL query, always cast.

  Even if you are filtering your input, a good and easy to implement safety measure is to cast all numeric values in the SQL statement. Take for example the following code.

  $myId = filter_var($_GET['id'],FILTER_VALIDATE_INT);

  $sql = 'SELECT * FROM table WHERE id = '.$myId;

  Even though you are applying the native PHP filters built into PHP 5.2, there is something additional you can do. Try this instead.

  $myId = filter_var($_GET['id'],FILTER_VALIDATE_INT);

  $sql = 'SELECT * FROM table WHERE id = '.(int)$myId;

  This final cast of the variable to an int removes any doubt about what will be passed to MySQL. The example above is purposefully simplified. In real-life situations, the code would be more complex and the chance for error much greater. By applying the final cast when building the select statement, you are adding one more level of safety into your application.

  ------------------------------------------------------------------------------

  PHP Security Tip #6

  The topic of writing secure PHP applications goes far beyond writing good PHP code. Most applications use a database in one way or another, and very often, security vulnerabilities that affect the entire application creep in while the SQL code is being built.

  When handling numbers in a SQL query, always cast.

  Even if you are filtering input, a simple and effective safety measure is to cast every numeric value in the SQL statement. Take the following code:

  $myId = filter_var($_GET['id'],FILTER_VALIDATE_INT);

  $sql = 'SELECT * FROM table WHERE id = '.$myId;

  Even if you use the native PHP filters built into PHP 5.2 (see the Data Filtering section of the latest PHP manual; some older Chinese editions of the manual lack this section. Translator's note), there is still something more you can do. Try the following statements instead:

  $myId = filter_var($_GET['id'],FILTER_VALIDATE_INT);

  $sql = 'SELECT * FROM table WHERE id = '.(int)$myId;

  This final cast of the variable to an integer (int) removes any doubt about what exactly is passed to MySQL. The example above is deliberately simplified; in real situations the code will be more complex and the chances of error greater. By relying on the final cast when building the select statement, your code gains one more level of safety protection.
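  The following is an added example, not code from the original article: it combines Tip #5 (Filter Input, Escape Output) with the cast from Tip #6 and runs both over constructed inputs, so the difference between the two query-building versions above becomes visible. It also goes one step beyond the article by rejecting input that fails the filter instead of relying on the cast alone; the function names are my own.

```php
<?php
// Added example, not from the original article. Filter Input, Escape
// Output (Tip #5) plus the numeric cast (Tip #6), over constructed inputs.
declare(strict_types=1);

// Filter: accept only a positive integer. Returns null (not false) on
// failure so the caller cannot accidentally concatenate the result.
function filterId($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Build the statement the way Tip #6 recommends: whatever $myId held,
// the cast guarantees that only an integer literal reaches the SQL text.
function buildSelect($myId): string
{
    return 'SELECT * FROM table WHERE id = ' . (int) $myId;
}

// Escape: HTML-encode anything that is echoed back to the browser,
// including a rejected value quoted in an error message.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs: a valid id, a tampered id, an injection attempt,
// an empty parameter and a missing parameter.
$samples = ['42', '42abc', '1 OR 1=1', '', null];

foreach ($samples as $raw) {
    $id = filterId($raw);
    if ($id === null) {
        // Rejecting here is stricter than the cast alone, which would
        // quietly turn every invalid value into id 0.
        error_log('rejected id parameter: ' . var_export($raw, true));
        echo 'Invalid id: ' . escapeHtml((string) $raw) . "\n";
        continue;
    }
    echo buildSelect($id) . "\n";
}

// The two versions from the article, applied to the tampered input:
// filter_var() returns false; concatenating false gives an empty id and
// therefore broken SQL, while the cast yields id = 0, a valid statement.
$bad = filter_var('42abc', FILTER_VALIDATE_INT);
echo 'SELECT * FROM table WHERE id = ' . $bad . "\n";
echo buildSelect($bad) . "\n";
```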
