php.ini security settings

register_globals = off
magic_quotes_gpc = off
display_errors = off
log_errors = on
# allow_url_fopen = off
expose_php = off
open_basedir =
safe_mode = on
disable_functions = exec,system,passthru,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,dl,popen,show_source,get_cfg_var
safe_mode_include_dir =
DB: SQL prepared statements

mysql_real_escape_string (many PHP developers still rely on addslashes to prevent SQL injection, but this approach remains problematic with Chinese encodings. The problem with addslashes is that an attacker can substitute 0xbf27 for a single quote: in GBK, 0xbf27 is not a valid character, so addslashes merely turns it into 0xbf5c27, where 0xbf5c is consumed as one valid multibyte character and the trailing 0x27 is still read as a single quote; see this article for details). Using mysql_real_escape_string also requires the correct character set to be specified, otherwise the same problem can occur.

prepare + execute (PDO)

ZendFramework can use the DB class's quote or quoteInto; these two methods use a different implementation for each database, rather than being limited to MySQL like mysql_real_escape_string.
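An added example (not from the original note, and in Python rather than PHP so it runs without a MySQL server) that reproduces the mechanism above: a byte-oriented escape modelled on addslashes leaves an unescaped quote once the bytes are read as GBK, a charset-aware escape does not, and a bound parameter (sqlite3 standing in for PDO prepare + execute) needs no escaping at all. The input bytes and all function names are constructed for this example.

```python
import sqlite3

# Constructed input: GBK lead byte 0xbf followed by a bare single quote (0x27).
RAW = b"\xbf'"


def addslashes(data: bytes) -> bytes:
    """Byte-oriented escape modelled on PHP's addslashes(): it never consults the charset."""
    out = bytearray()
    for b in data:
        if b == 0:
            out.extend(b"\\0")  # NUL becomes the two characters \0
            continue
        if b in b"'\"\\":
            out.append(0x5C)  # prepend a backslash
        out.append(b)
    return bytes(out)


def unescaped_quotes(escaped: bytes, charset: str) -> int:
    """Count the single quotes a SQL parser sees after decoding with the connection charset."""
    text = escaped.decode(charset, errors="replace")
    count, i = 0, 0
    while i < len(text):
        if text[i] == "\\":
            i += 2  # a backslash consumes the character after it
            continue
        if text[i] == "'":
            count += 1
        i += 1
    return count


def charset_aware_escape(data: bytes, charset: str) -> bytes:
    """Decode first, then escape per character: the behaviour mysql_real_escape_string has
    when the connection charset is set correctly (invalid bytes are replaced, not passed on)."""
    text = data.decode(charset, errors="replace")
    escaped = "".join("\\" + ch if ch in "'\"\\" else ch for ch in text)
    return escaped.encode(charset, errors="replace")


def parameterized_roundtrip(raw: bytes) -> bytes:
    """Bound parameters keep data out of the SQL text entirely, so no escaping is involved."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE t (v BLOB)")
    con.execute("INSERT INTO t (v) VALUES (?)", (raw,))
    return con.execute("SELECT v FROM t").fetchone()[0]
```

With RAW, addslashes yields 0xbf5c27: decoded as GBK, 0xbf5c is one character and one quote survives, while under a single-byte charset the backslash still protects it; the charset-aware escape and the bound parameter both leave no bare quote.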
When HTML tags must be preserved, the following tools are worth considering:

HTML Purifier: HTML Purifier is a standards-compliant HTML filter library written in PHP.
PHP HTML Sanitizer: Remove unsafe tags and attributes from HTML code
htmLawed: PHP code to purify & filter HTML