PHP的七大安全错误（二）(2)

Further Reading

The following sites are recommended reading to maintain your security knowledge. New flaws and new forms of exploits are discovered all the time, so you cannot afford to rest on your laurels and assume you have all the bases covered. As I stated in the introduction to this article, "Security is a process", but security education is also a process, and your knowledge must be maintained.

推荐你去下面的站点看一下来获取更多的安全知识。新的漏洞和入侵一直都在被发现，所以对于以往的成功安全措施没有任何值得骄傲的地方，一定要有未雨绸缪的心态。正如我在文章开始所说，“安全措施是一个过程”，同样学习安全知识也是一个过程，你必须要牢牢掌握这些知识。

OWASP, The Open Web Application Security Project, is a non-profit oganisation dedicated to "finding and fighting the causes of insecure software". The resources it provides are invaluable and the group has many local chapters that hold regular meetings with seminars and roundtable discussions. Highly recommended.

OWASP, The Open Web Application Security Project，一个致力于软件不安全因素收集和研究的非盈利性组织。他们所提供的资源是无法估量的，并且他们定期举行研讨会和一些非正式的讨论。强烈推荐。

CGISecurity.Net is another good site dealing with Web application security. They have some interesting FAQs and more in-depth documentation on some of the types of flaws I've discussed in this article.

CGISecurity.Net是另一个关注web应用安全的站点。他们有一些很有趣的常见问题集锦，对我在上文提到得一些安全问题也有更深的讨论。

The security section of the PHP Manual is a key resource that I mentioned above, but I include it here again, since it's full of great information that's directly applicable to PHP. Don't gloss over the comments at the bottom of each page: some of the best and most up-to-date information can be found in the user-contributed notes.

The security section of the PHP Manual有很多与PHP直接相关的非常有用的信息，我在上文已经提到过，但还要在这里强调一次。不要忽视每一页下面的用户评论，一些相当不错的最新信息都会在这里找到。

The PHP Security Consortium offers a library with links to other helpful resources, PHP-specific summaries of the SecurityFocus newsletters, the PHP Security Guide, and a couple of articles.

The PHP Security Consortium提供一个连接到其他资源的库，针对PHP的安全新闻通讯，PHP安全向导和一些文章。

The BugTraq mailing list is a great source of security related advisories that you should read if you're interested in security in general. You may be shocked by the number of advisories that involve popular PHP applications allowing SQL insertion, Cross Site Scripting and some of the other flaws I've discussed here.

The BugTraq mailing list是一个很大的安全资讯站点，如果你对安全方面感兴趣，一定要看一下。这里有很多关于PHP的SQL注入，跨站脚本攻击的安全建议，并且数量惊人。

Linux Security is another good site that is not necessarily restricted to PHP but, since you are likely running a Linux Webserver to host your PHP applications, it's useful to try to stay up to date on the latest advisories and news related to your chosen Linux distribution. Don't assume your hosting company is on top of these developments; be aware on your own -- your security is only as good as your weakest point. It does you no good to have a tightly secured PHP application running on a server with an outdated service that exposes a well-known and exploitable flaw.

Linux Security是一个不错的站点，虽然并非只针对PHP，但是如果你在一台Linux服务器上运行PHP，在这里多读一些关于你所用Linux版本的安全资讯还是很有用的。不要以为你的空间服务商总是把安全措施做的很好，你自己就要注意——像对待你的缺点一样改正它们。在一个存有常见安全漏洞并且没有及时更新的服务器上运行对安全要求很高的PHP脚本，是没有一点好处的。

Conclusions

总结

As I've shown in this article, there are many things to be aware of when programming secure PHP applications, though this is true with any language, and any server platform. PHP is no less secure than many other common development languages. The most important thing is to develop a proper security mindset and to know your tools well. I hope you enjoyed this article and learned something as well! Remember: just because you're paranoid doesn't mean there's no one out to get you.

正如本文所述，像其他语言和平台一样，PHP编程需要注意很多安全方面的问题。PHP和其他许多编程语言一样，本身是十分安全的。最重要的就是有一个正确的安全理念，并且对PHP要相当熟悉。我希望你能喜欢这篇文章并且能从中获益。记住：对于安全问题，不要存在任何侥幸心理！