January 2021
Intermediate to advanced
505 pages
9h 45m
Chinese
Content preview from PHP编程:第4版
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.
安全漏洞
|
323
的防护也很简单、直接和一致。当权限等级改变时,比如用户登录时,用
session_
regenerate_id()
重新生成会话标识符 :
if (check_auth($_POST['username'], $_POST['password'])) {
$_SESSION['auth'] = TRUE;
session_regenerate_id(TRUE);
}
任何用户登录(或其他任何提升权限的操作)都指派新的随机标识符可以有效阻止会话
固定攻击。
文件上传陷阱
文件上传有两个我们讨论过的危险
:用户可修改的数据和文件系统。
PHP 7
自身处理上
传文件是安全的,但对于粗心的程序员也有一些潜在的危险。
不要相信浏览器提供的文件名
要小心使用浏览器发送的文件名,尽量不要用它作为文件系统中的文件名。很简单就可
以让浏览器发送一个标识为
/etc/passwd
或
/home/ramus/.forward
的文件。你可以在所有
用户交互中用浏览器提供的名字,但是要自己生成唯一的名字用来实际调用文件。例如:
$browserName = $_FILES['image']['name'];
$tempName = $_FILES['image']['tmp_name'];
echo "Thanks for sending me {$browserName}.";
$counter++; //
永久变量
$filename = "image_{$counter}";
if (is_uploaded_file($tempName)) ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access
More than 5,000 organizations count on O’Reilly
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.Julian F.
I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.Addison B.
I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.Amir M.
I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.