Is Your CakePHP Application Secure?

Posted on 10th September 2007 by Nio in CakePHP, A Programmer's Life

While writing a CakePHP site recently, I noticed a mistake that Cake developers make all the time. It is not just a mistake: it turns into a real security hole that makes the site easy to attack.

Let's start with the following code, a user registration action written the usual way:

<?php
class UsersController extends AppController {
    
    //....
    
    function register() 
    {
        if (!empty($this->data)) {
            $this->User->create();
            // Saves every field present in $this->data['User'] that matches a column
            if ($this->User->save()) {
                $this->redirect(array('action'=>'index'), null, true);
            } else {
                $this->Session->setFlash(__('Failed to register. Please, try again.'));
            }
        }
    }
    
    //....
    
}
?>

This snippet looks simple and ordinary, which is exactly why it is so common, and that popularity lets many developers overlook the security problem. We never filter the data submitted from the form. From the client side you can add arbitrary fields to $this->data, and as long as a field name matches a column in the table, it gets saved to the database. Which field is the most dangerous? As we all know, Cake tables are normally designed with an 'id' column, the default primary key that makes rapid development convenient. That id is the deadliest field. Testing it is simple: we can usually learn a user's id from a URL or by other means, and then, while registering, use Firebug to edit the HTML form and add a text input for the id:

<input type="text" name="data[User][id]" />

Then fill that field with an existing user's id. If you don't know any user's id, try 1; the first few accounts usually belong to people who run the site and very likely have more privileges than ordinary users. Fill in the other registration fields as usual and submit. What happens next? register() writes your information to the database, but instead of creating a new user it overwrites the user whose id you entered. In effect you have just changed that user's password.

To fix this, $this->data must be filtered: at the very least, unset($this->data['User']['id']);. The safest approach is to put only the data you actually need into an array and pass that to $this->User->save(), like this:

<?php
//....
if (!empty($this->data)) {
    $this->User->create();
    // Copy only the fields the form is meant to submit; anything else
    // the client adds (such as 'id') never reaches save()
    $data = array(
        'username' => $this->data['User']['username'],
        'password' => $this->data['User']['password'],
        //....
    );
    if ($this->User->save($data)) {
        $this->redirect(array('action'=>'index'), null, true);
    } else {
        $this->Session->setFlash(__('Failed to register. Please, try again.'));
    }
}
//....
?>
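As an added example (not code from the original post), here is the whitelist idea from the fix written as a plain-PHP function over the same data[User][...] array shape CakePHP builds, so it runs without the framework. The function name filter_registration_data, the sample arrays and the hypothetical 'role' column are constructed here; the example also shows why a whitelist beats unsetting 'id' alone, since any other column not on the form is dropped too.

```php
<?php
// Added example, not from the original post. Plain PHP, no CakePHP needed;
// $posted mirrors the $this->data array Cake builds from data[User][...] fields.

/**
 * Keep only the fields the registration form is supposed to submit.
 * Returns the safe array to hand to $this->User->save() plus the list of
 * fields that were dropped, so the caller can log unexpected input.
 */
function filter_registration_data(array $posted, array $allowed)
{
    $user = (isset($posted['User']) && is_array($posted['User'])) ? $posted['User'] : array();
    $safe = array();
    $dropped = array();
    foreach ($user as $field => $value) {
        if (in_array($field, $allowed, true)) {
            $safe[$field] = $value;
        } else {
            $dropped[] = $field;   // e.g. 'id' added through an edited form
        }
    }
    return array('data' => $safe, 'dropped' => $dropped);
}

// Constructed sample: a normal submission plus two fields the form does not
// have. 'id' is the one the post describes; 'role' is a hypothetical column
// that a blacklist of just 'id' would still let through.
$posted = array('User' => array(
    'username' => 'alice',
    'password' => 'correct horse',
    'id'       => '1',
    'role'     => 'admin',
));

$result = filter_registration_data($posted, array('username', 'password'));

// What would actually reach save(): only username and password.
var_export($result['data']);
echo PHP_EOL;

// Dropped fields are worth logging: a registration that tries to set 'id'
// is a strong signal that someone is probing exactly this weakness.
if (!empty($result['dropped'])) {
    error_log('register: dropped unexpected fields ' . implode(', ', $result['dropped']));
}

// In the controller this replaces the hand-built $data array:
//   $this->User->create();
//   $this->User->save($result['data']);
```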

Security matters more than anything. Whatever framework you use and however convenient it is, you have to keep paying attention to this, and not be lulled by the surface appeal of "rapid development".

phpjobs.cn Draft

Posted on 24th August 2007 by Nio in CakePHP, Startups, A Programmer's Life

Human laziness really is endless. I have left phpjobs.cn sitting for quite a long time, so to push myself to actually build the site, here is a list of the initial simple tasks and requirements. Nothing too complex, or I'll give up right at the start, heh.

  • Recruiters: CRUD company information, CRUD job (position) postings, browse applicants' resumes;
  • Job seekers: CRUD resumes, send a resume to a posted position, comment on job postings;
  • Private messages (pm)
  • Settings

What CakePHP Can Do

Posted on 4th April 2007 by Nio in CakePHP, A Programmer's Life

In the Bakery, Neil Crookes describes a site they built with CakePHP, Island Cruises, which has 106 tables and needed roughly 50 models, controllers and CRUD views in total. They modified bake.php to fit their particular needs, and generating all those files took only about half a day. The article also shares plenty of good lessons. Abroad, many projects already use CakePHP and it is very widely applied; I alone have taken part in no fewer than 5. Cake still has some shortcomings, but it is improving steadily, and I believe that one day many sites here at home will adopt this framework for rapid development too.

Articles Useful for CakePHP Beginners

Posted on 30th March 2007 by Nio in CakePHP, A Programmer's Life

Further endeavours into baking Cake(PHP)

For now I have got some tips for beginning Cake developers (like myself).

1. Use scaffolding and only scaffolding when you are designing your database structure. At the start of a project, first build all the necessary models, controllers and db tables. Link them using Cake's $hasMany/$belongsTo/$hasOne/etc. functions and check to see if all relations work properly (i.e. when viewing one thing, you get 'related [other things]'). Scaffolding will really help you out here, as you can instantly check everything (no need to rewrite any HTML, etc).

2. At the start of an application get your internal structure right. As mentioned in #1, use scaffolding to get your database/model relation structure right. In the early stages it's a) easier and b) less time consuming to set everything right for final implementation. Consider Cake's MVC approach: you need to separate data, business logic and presentation. First get your data and data structure right, then add business rules and logic and only at the end worry about presentation. The method is not the same as the MVC approach (which is only about code separation). This is an engineering approach that takes on different parts of the project one-by-one, in a logical order.

3. Learn by experience. This by the way goes for any programming language learning and is generally the way I advise people to learn programming. The point is that programming isn't something you know, it's something you feel. It's a creative process! Building a program can be done in many different ways and quite often there isn't even a best way. You need to consider your alternatives, choose and finally go with that choice. You will always encounter new problems as a developer and so you will always need to come up with creative solutions for those problems. The best way to learn to do this is by gathering experience. Create a small but challenging project for you to take on, take it on and come up with solutions for the problems you encounter. Search the web, talk to other developers on forums, but get your problems solved. CakePHP, due to its extremely intuitive conventions, is perfect for this learning method. Finding the answer you are looking for in Cake is easy as for some reason you just know where to look.

I'd Love to Work With You

Posted on 25th January 2007 by Nio in AJAX, CakePHP, Busy at Work, A Programmer's Life

We urgently need PHP developers. If you are looking for a job and for room to grow, don't hesitate: join us.

Intermediate programmer
CakePHP、MySQL、Apache、AJAX、SVN/CVS、JavaScript、CSS、HTML

Junior programmer
Joomla、MySQL、JavaScript、CSS、HTML

In addition, some basic English is required; the company provides English training.

For an introduction to the company see: http://www.dianjingkeji.com

Interested candidates can send a resume in Chinese and English to hr#dianjingkeji.com (replace # with @).