-
Consider illegitimate uses of your application.
A secure design is only part of the solution. During development, when the code is being written, it is important to consider illegitimate uses of your application. Often, the focus is on making the application work as intended, and while this is necessary to deliver a properly functioning application, it does nothing to help make the application secure.
Consider illegitimate users.
Security design is only one part of the overall solution. During development, especially while the code is being written, it is very important to consider illegitimate users. Usually, attention goes to making the program work as expected; while this is necessary to deliver a properly functioning program, it does nothing at all to make the program secure.
-
Educate yourself.
The fact that you are here is evidence that you care about security, and as trite as it may sound, this is the most important step. There are numerous resources available on the Web and in print, and I mention several of these at the end of this talk.
Educate yourself.
The fact that you are reading this book shows that you care about security, and as trite as it may sound, this is the most important step. There are a great many resources on the Web, and many in print as well; I will mention some of them at the end.
-
If nothing else, FILTER ALL FOREIGN DATA.
Data filtering is the cornerstone of Web application security in any language and on any platform. By initializing your variables and filtering all data that comes from a foreign source, you will address a majority of security vulnerabilities with very little effort. A whitelist approach is better than a blacklist approach. This means that you should consider all data invalid unless it can be proven valid (rather than considering all data valid unless it can be proven invalid).
If nothing else, *filter all foreign data*.
Regardless of language or platform, data filtering is the foundation of Web application security. By initializing your variables and filtering all foreign data, you can address a major share of security vulnerabilities at very little cost. A whitelist approach is better than a blacklist approach. That is, you should assume all data is invalid unless it can be proven valid (rather than treating data as valid as long as it cannot be proven invalid).
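The whitelist filtering described above, as an added example that is not part of the original talk: every expected field has a rule that proves a value valid, the `clean` dictionary starts empty (the "initialize your variables" step), and anything that is not proven valid is left out rather than cleaned up. The field names (`username`, `color`, `quantity`) and their rules are assumptions chosen for illustration; unexpected keys in the request are never copied, and the list of rejected fields is returned so the caller can log it.

```python
"""Whitelist filtering of foreign (request) data.

Added example, not code from the original talk.  The fields and rules
below are assumptions for illustration.  The idea is the one the text
states: nothing is trusted until a rule proves it valid, and only proven
values are copied into the separate `clean` collection.
"""
import re
from typing import Any, Callable, Dict, List, Tuple

Validator = Callable[[Any], bool]

# One rule per expected field.  Each rule describes what valid input looks
# like (whitelist); it never tries to enumerate what bad input looks like.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,15}")
ALLOWED_COLORS = frozenset({"red", "green", "blue"})


def is_username(value: Any) -> bool:
    return isinstance(value, str) and USERNAME_RE.fullmatch(value) is not None


def is_color(value: Any) -> bool:
    return isinstance(value, str) and value in ALLOWED_COLORS


def is_quantity(value: Any) -> bool:
    # Request values arrive as strings; accept only a decimal integer in range.
    return isinstance(value, str) and value.isdigit() and 1 <= int(value) <= 100


RULES: Dict[str, Validator] = {
    "username": is_username,
    "color": is_color,
    "quantity": is_quantity,
}


def filter_input(raw: Dict[str, Any],
                 rules: Dict[str, Validator] = RULES) -> Tuple[Dict[str, Any], List[str]]:
    """Return (clean, rejected).

    `clean` starts empty and receives only values a rule proved valid.
    `rejected` names the expected fields that were missing or invalid, so
    the caller can refuse the request and log the attempt.  Keys that are
    not in `rules` are never copied, whatever their value.
    """
    clean: Dict[str, Any] = {}      # initialized: nothing is trusted yet
    rejected: List[str] = []
    for field, is_valid in rules.items():
        value = raw.get(field)
        if value is not None and is_valid(value):
            clean[field] = value
        else:
            rejected.append(field)
    return clean, rejected


if __name__ == "__main__":
    # Constructed sample request: one unexpected key alongside valid fields.
    sample = {"username": "alice_01", "color": "red", "quantity": "5", "is_admin": "1"}
    print(filter_input(sample))
```

Code that runs after the filter reads only from `clean`, never from the raw request, so a value that slipped past no rule cannot reach a query or a template. The `rejected` list is the detection hook: a burst of requests failing validation on the same field is worth an alert.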