Posted by 徐永久 on 2007-03-16 at 20:22.
Having read the front page of http://www.cluesheet.com/, I think it is genuinely useful for our PHP developers. Because of some of the terminology, not everything could be translated into Chinese.
Security:
* Do use PDO parameter binding for SQL statements to prevent SQL injection.
* Do use htmlspecialchars/htmlentities and/or strip_tags to escape HTML and JavaScript, to prevent XSS (cross-site scripting) attacks.
* Do use sessions and secure sockets to prevent session hijacking, and use an md5 checksum to validate session ids. Store a unique token in the session, md5(uniqid(rand(), true)), and put it in a hidden form field, e.g. $_SESSION["token"] === $_POST["token"].
* Do use escapeshellarg/escapeshellcmd when calling external commands, to prevent command-line injection.
* Do remove line breaks from incoming headers to prevent early header termination and injection. Fixed in PHP > 5.1.
* Use an md5 checksum over the serialized parameter values and the session id to verify consistency.
* Use === to validate input values so that types are guaranteed to match.
* Set the following parameters to improve security:
  o ini_set("display_errors", false);
  o ini_set("log_errors", true);
  o ini_set("error_log", "path/to/php.log");
  o ini_set("session.save_path", "path/above/www"); or use the "mm" session module, or store sessions in a SQLite db
  o php.ini: expose_php=off
  o php.ini: register_globals=off
  o Apache: ServerTokens Prod
* Call session_regenerate_id() in any application whenever a user's privileges are raised.
* Use secure sockets for commercial transactions.
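The following is an added example, not code from the cheat sheet or the blog, showing several of the security items above applied together in one request handler: PDO parameter binding, htmlspecialchars on output, strict === comparison of a session token carried in a hidden form field, and ctype_* input checks. It assumes a hypothetical "comments" table (author, body) and form fields named author, body and token, and uses a constructed in-memory SQLite database so it runs without a database server.

```php
<?php
// Added example (not from the original cheat sheet): one request handler that applies
// the PDO-parameter, output-escaping, strict-comparison and session-token items above.
// Assumes a hypothetical "comments" table (author, body) and form fields author/body/token.
session_start();
// Session token item: issue one per session, require it on every state-changing POST.
if (empty($_SESSION['token'])) {
    $_SESSION['token'] = md5(uniqid(rand(), true));
}

function esc(string $s): string {
    // Output escaping: everything that lands in HTML goes through htmlspecialchars.
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function handle_post(PDO $db, array $post, string $sessionToken): string {
    // Strict comparison (===) so a missing or non-string token cannot match.
    if (!isset($post['token']) || $post['token'] !== $sessionToken) {
        return 'rejected: bad token';
    }
    // Type checks with ctype_* rather than regexes, as the performance list suggests.
    $author = $post['author'] ?? '';
    $body   = $post['body'] ?? '';
    if (!is_string($body) || !ctype_alnum($author) || $body === '') {
        return 'rejected: invalid fields';
    }
    // PDO parameter binding: the values never become part of the SQL text.
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return 'stored';
}

function list_comments(PDO $db): string {
    $out = '';
    foreach ($db->query('SELECT author, body FROM comments') as $row) {
        // Escape on output, so a stored <script> tag renders as text rather than markup.
        $out .= '<p><b>' . esc($row['author']) . '</b>: ' . esc($row['body']) . '</p>';
    }
    return $out;
}

// Constructed in-memory SQLite database, so the example runs without a database server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    echo esc(handle_post($db, $_POST, $_SESSION['token']));
}
echo '<form method="post"><input type="hidden" name="token" value="' . esc($_SESSION['token']) . '">'
   . '<input name="author"><textarea name="body"></textarea><button>Post</button></form>'
   . list_comments($db);
```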
Performance
* Do use single quotes over double quotes.
* Do use switch over lots of if statements
* Do avoid testing loop conditionals with function calls on every iteration, e.g. for($i=0; $i<=count($x); $i++){...
* Do use foreach for looping collections/arrays.
  o PHP4: items are by value
  o PHP5 and later: items are by reference
* Do consider using the Singleton Method when creating complex PHP classes.
* Do use POST over GET for all values that will wind up in the database for TCP/IP packet performance reasons.
* Do use ctype_alnum,ctype_alpha and ctype_digit over regular expression to test form value types for performance reasons.
* Do use full file paths in the production environment over basename/file_exists/open_basedir, to avoid the performance hit of the filesystem having to hunt through the include path. Once determined, serialize and/or cache path values in a $_SETTINGS array: $_SETTINGS["cwd"] = getcwd();
* Do use require/include over require_once/include_once to ensure proper opcode caching.
* Do use tmpfile or tempnam for creating temp files/filenames
* Do use a proxy to access web services (XML or JSON) on foreign domains via XMLHTTP, to avoid cross-domain errors. e.g. foo.com<-->XMLHTTP<-->bar.com
* Do use error_reporting (E_ALL); during debug.
* Do set Apache allowoverride to “none” to improve Apache performance in accessing files/directories.
* Do use a fast fileserver for serving static content (thttpd). static.mydomain.com, dynamic.mydomain.com
* Do serialize application settings like paths into an associative array and cache or serialize that array after first execution.
* Do use PHP output control buffering for page caching of heavily accessed pages.
* Do use PDO prepare over the native db prepare for statements. PDO::MYSQL_ATTR_DIRECT_QUERY => 1
* Do NOT use SQL wildcard select. eg. SELECT *
* Do use database logic (queries, joins, views, procedures) over loopy PHP.
* Do use the multi-row shortcut syntax for SQL inserts if not using PDO parameters. e.g. INSERT INTO MYTABLE (FIELD1, FIELD2) VALUES ('x', 'y'), ('p', 'q');
Tools
* microtime() – Return current Unix timestamp with microseconds to mark performance.
* ab, the Apache Bench server benchmarking tool (-n 1000, -c 500).
* Zend Performance Suite
* Callgrind/KCachegrind profiling tool.
* http_load multiprocessing http test client.
* xdebug helps you debug your scripts by providing a lot of valuable debug information.
* PHP Security Scanner
* PECL APC opcode caching module.
  o pecl install APC
  o php.ini: apc.stat=0
  o apc_store("settings", $_SETTINGS);
New technologies/techniques
* Service Data Objects -SDOs enable PHP applications to work with data from different sources (like a database query, an XML file, and a spreadsheet) using a single interface.
* JavaScript Object Notation – JSON is a lightweight computer data interchange format you can use instead of XML in AJAX apps.
* PHP5.1.3 to be released within the week.
* PHP6 will implement numerous changes.
* DB2 Viper implements extensive XML support.
Other useful people/blogs
* Chris Shiflett: PHP Security Consortium and PHP security guru
* John Coggeshall
* Ilia Alshanetsky: PDO Lecture, Security Lecture
* Marcus Boerger
* Derick Rethans: eZ Components – RAD for PHP
* Rasmus Lerdorf
* Christian Wenz: The Return of Javascript: AJAX , New (and old) Trends in Web Hacking, The ABCs of Web Services
* Andrei Zmievski: PHP 6 and Unicode
* Paul Reinheimer: Simple Web Services: REST
* Sara Golemon: Embedding and Extending PHP
* Davey Shafik: Future Deployment of PHP Applications, Migrating to PHP 5.1
* Marcus Baker: Is Agile Right for You? , The OO Sound Barrier: Leveraging OOP
* Lukas Smith: Beyond SQL
* Johannes Schlueter:
* Grant Hutchison: XML to the Max – DB2 Viper with PHP
* Caroline Maynard: PHP Service Data Objects
* Andi Gutmans
* Jason Sweat
* Joe Stagner
* Hartmut Holzgraefe
* Tony Cairns: i5/OS Zend Core Roadmap
* Marco Tabini
2007-03-16 22:27, 老徐