January 2021
Intermediate to advanced
505 pages
9h 45m
Chinese
Content preview from PHP编程:第4版
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.
安全漏洞
|
321
绑定参数 :
$sql = $db->prepare("SELECT count(*) FROM users
WHERE username = :username AND password = :hash");
$sql->bindParam(":username", $clean['username'], PDO::PARAM_STRING, 32);
$sql->bindParam(":hash", hash($_POST['password']), PDO::PARAM_STRING, 32);
由于绑定参数可以确保在上下文中被认为非正常的数据不会进入(即不会被错误解释),
因此不必转义用户名和密码。
文件名漏洞
很容易构造出一个出乎意料的文件名指向其他内容。例如,你有一个变量
$username
包含用户想叫的名字,用户通过表单指定它。现在你要为每个用户在
/usr/local/lib/
greetings
中存储一个欢迎信息以让用户何时登入你的程序时都能输出信息。打印当前用
户欢迎信息的代码如下 :
include("/usr/local/lib/greetings/{$username}");
看起来没有恶意,但当用户选择
"../../../../etc/passwd"
作为用户名时呢
?
包含欢迎
信息的代码现在包含了这个相对路径而成为
/etc/passwd
。相对路径是黑客用来欺骗无防
范脚本的常用技巧。
对粗心程序员来说的另一个陷阱是,默认情况下,
PHP
可以用打开本地文件的函数来 ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access
More than 5,000 organizations count on O’Reilly
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.Julian F.
I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.Addison B.
I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.Amir M.
I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.