Posts tagged security

Exposed Access Credentials 连接信息泄漏 Most PHP applications interact with a database. This usually involves connecting to a database server and using access credentials to authenticate: 绝大多数的 PHP 程序都要和数据库交互。这个交互过程通常都是首先连接到数据数据库，然后通过连接信息认证。 123456<?php $host = 'example.org'; $username = 'myuser'; $password = 'mypass'; $db = mysql_connect($host, $username, $password); ?> This could be an example of a file called db.inc that [...]

Cross-Site Scripting 跨站点脚本 The media has helped make cross-site scripting (XSS) a familiar term, and the attention is deserved. It is one of the most common security vulnerabilities in Web applications, and many popular open source PHP applications suffer from constant XSS vulnerabilities. 媒体使得跨站点脚本（XSS）成为一个常见词汇，对跨站点脚本多加小心是值得的。这是在 Web 应用程序里最常见的安全隐患之一，而且很多流行的开源 PHP 程序里也有一定量的 XSS 隐患。 XSS attacks have the following [...]

Spoofed Form Submissions 表单提交欺骗 In order to appreciate the necessity of data filtering, consider the following form located (hypothetically speaking) at http://example.org/form.html: 为了说明数据过滤得必要性，请看下面的这个位于（假设）http://example.org/form.html 的表单： 1234567<form action="/process.php" method="post"> <select name="color">   <option value="red">red</option>   <option value="green">green</option>   <option value="blue">blue</option> </select> <input type="submit" /> Imagine a potential attacker who saves this HTML and modifies it as follows: [...]

Data Filtering 数据过滤 As stated previously, data filtering is the cornerstone of Web application security, and this is independent of programming language or platform. It involves the mechanism by which you determine the validity of data that is entering and exiting the application, and a good software design can help developers to: 正如前面所说，数据过滤是 Web 程序安全的奠基石，这个规则和 [...]