Secure PHP Development - P4
Secure PHP Development - P4: Welcome to Secure PHP Development: Building 50 Practical Applications. PHP has come a long way since its first incarnation as a Perl script. Now PHP is a powerful Web scripting language with object-oriented programming support. Slowly but steadily it has entered the non-Web scripting arena often reserved for Perl and other shell scripting languages. Arguably, PHP is one of the most popular Web platforms.
Contents

Preface  vii
Acknowledgments  xi

Part I  Designing PHP Applications

Chapter 1  Features of Practical PHP Applications  3
  Features of a Practical PHP Application  3
  Employing the Features in Applications  5
    Creating object-oriented design  5
    Using external HTML templates  5
    Using external configuration files  11
    Using customizable messages  14
    Using relational database  21
    Using portable directory structure  22
    Using access control  24
  Summary  24

Chapter 2  Understanding and Avoiding Security Risks  25
  Identifying the Sources of Risk  25
  Minimizing User-Input Risks  26
    Running external programs with user input  26
    Getting user input in a safe way  30
    Using validation code  35
  Not Revealing Sensitive Information  38
  Summary  40

Chapter 3  PHP Best Practices  41
  Best Practices for Naming Variables and Functions  41
  Best Practices for Function/Method  43
    Returning arrays with care  43
    Simplifying the function or method argument list order issue  45
  Best Practices for Database  47
    Writing good SELECT statements  47
    Dealing with missing data  48
    Handling SQL action statements  49
  Best Practices for User Interface  54
    Avoiding HTML in application code  54
    Generating HTML combo lists in application code  55
    Reducing template code  58
  Best Practices for Documentation  59
  Best Practices for Web Security  60
    Keep authentication information away from prying eyes  60
    See your errors before someone else does  61
    Restrict access to sensitive applications  61
  Best Practices for Source Configuration Management  61
  Summary  62

Part II  Developing Intranet Solutions

Chapter 4  Architecture of an Intranet Application  65
  Understanding Intranet Requirements  65
  Building an Intranet Application Framework  67
    Using an HTML template-based presentation layer  68
    Using PHP Application Framework components  68
    Business logic  69
    Relational database  69
  Creating a Database Abstraction Class  71
  Creating an Error Handler Class  81
  Creating a Built-In Debugger Class  85
  Creating an Abstract Application Class  91
  Creating a Sample Application  113
  Summary  119

Chapter 5  Central Authentication System  121
  How the System Works  121
  Creating an Authentication Class  124
  Creating the Central Login Application  127
  Creating the Central Logout Application  138
  Creating the Central Authentication Database  146
  Testing Central Login and Logout  148
  Making Persistent Logins in Web Server Farms  149
  Summary  155

Chapter 6  Central User Management System  157
  Identifying the Functionality Requirements  157
  Creating a User Class  158
  User Interface Templates  168
  Creating a User Administration Application  168
    Configuring user administration applications  181
    Configuring user administration application messages  186
    Configuring user administration application error messages  186
    Testing the user management application  187
  Creating a User Password Application  190
  Creating a Forgotten-Password Recovery Application  194
    Designing the forgotten-password recovery application  195
    Implementing the forgotten-password recovery application  197
    Testing the forgotten-password recovery application  201
  Summary  202

Chapter 7  Intranet System  203
  Identifying Functionality Requirements  203
  Designing the Database  204
  Designing and Implementing the Intranet Classes  207
    Message class  207
    ActivityAnalyzer class  213
    Creating the IntranetUser class  217
  Setting Up Application Configuration Files  219
  Setting Up the Application Templates  222
  Intranet Home Application  223
    MOTD manager application  225
    Access reporter application  230
    Admin access reporter application  233
    Daily logbook manager application  236
    User tip application  237
    User preference application  237
  Installing Intranet Applications from the CD-ROM  238
  Testing the Intranet Home Application  240
    Changing user preferences  242
    Checking user access logs  242
    Writing a message to other users  244
  Summary  245

Chapter 8  Intranet Simple Document Publisher  247
  Identifying the Functionality Requirements  247
  The Prerequisites  248
  Designing the Database  248
  The Intranet Document Application Classes  250
    The Category class  251
    The Doc class  255
    The Response class  258
  Setting Up Application Configuration Files  261
    The main configuration file  261
    The messages file  266
    The errors file  267
  Setting Up the Application Templates  267
  The Document Publisher Application  268
    The document index display application  278
    The document details application  280
    The document response application  281
    The document view list application  282
  Installing Intranet Document Application  283
  Testing Intranet Document Application  285
    Creating a new category  286
    Adding a new document  288
  Summary  292

Chapter 9  Intranet Contact Manager  293
  Functionality Requirements  293
  Understanding Prerequisites  294
  The Database  294
  The Intranet Contact Manager Application Classes  297
    The Category class  298
    The Contact class  302
  The Application Configuration Files  308
    The main configuration file  308
    The messages file  312
    The errors file  312
  The Application Templates  312
  The Contact Category Manager Application  313
  The Contact Manager Application  317
  Installing Intranet Contact Manager  323
  Testing Contact Manager  325
    Adding categories  326
    Adding a contact  328
    Searching for a contact  329
    Sending e-mail to a contact  330
    Searching for contacts in a subcategory  330
  Summary  333

Chapter 10  Intranet Calendar Manager  335
  Identifying Functionality Requirements  335
  Understanding Prerequisites  336
  Designing the Database  336
  The Intranet Calendar Application Event Class  337
  The Application Configuration Files  343
    The main configuration file  344
    The messages file  347
    The errors file  347
  The Application Templates  348
  The Calendar Manager Application  348
  The Calendar Event Manager Application  350
  Installing the Event Calendar on Your Intranet  353
  Testing the Event Calendar  354
    Adding a new event  355
    Modifying an existing event  356
    Viewing an event reminder  356
  Summary  358

Chapter 11  Internet Resource Manager  359
  Functionality Requirements  359
  Understanding the Prerequisites  360
  Designing the Database  360
    CATEGORY table  360
    RESOURCE table  360