我有一个小的AJAX应用程序，用PHP写的，我并没有从一开始就固定。我想就如何现在固定的应用程序，事实施和检查一些建议。我还没有发现对谷歌的任何详尽的指导，并希望一些可推荐。

I have a small AJAX application, written in PHP that I did not secure from the start. I would like some recommendations on how to now secure the app, things to implement and check for. I have not found any exhaustive guides on google, and hope that some can be recommended.

这是一个小的应用程序连接到并从MySQL数据库显示记录。它不使用任何外部库。

It is a small application that connects to and displays records from a mysql database. It is not using any external libraries.

我不知道如何来保护传递变量，如：

I am unsure about how to protect on passing in variables, such as:

if (isset($_GET["cmd"]))
  $cmd = $_GET["cmd"];

我应该只是在退房前使用isset声明$ CMD的东西？

Should I simply declare $cmd to something before check isset?

推荐答案

如果你在谈论安全的应用程序（而不是服务器/环境中它是 - 我是不是真的有资格来解决），那么我会考虑如下：

If you are talking about securing the app (as opposed to the server/ environment it is on - which I am not really qualified to address) then I would consider the following:

确保任何用​​户输入解析/清洗，以确保他们不能做的事情，如 SQL注入攻击的。这包括其中所述用户输入可以存储在查询字符串任何Ajax请求。 在传递到从查询字符串的应用程序其实有什么要进行验证/以这种方式清洗 请您使用任何的密码？如果是使用SSL来阻止任何数据包嗅探。和与盐 散列你的密码在你的数据库 在快速谷歌挖了这个看起来pretty的好： HTTP：//www.securityfocus。 COM /富可视/ 1706 在确保用户输入 HTTP的一些技巧：// WWW .dagondesign.com /用品/写入安全-PHP-脚本部分-1 / Ensure any user inputs are parsed/cleaned to ensure they can't do things such as SQL injection attacks. This includes any ajax requests where the user input can be stored on the query string. In fact anything passed into the app from the query string should be validated/cleaned in this manner. Do you use any passwords? If so use SSL to stop any packet sniffing. And hash your passwords in your database with a salt A quick Google dug up this which looks pretty good: http://www.securityfocus.com/infocus/1706 Some tips on securing user input http://www.dagondesign.com/articles/writing-secure-php-scripts-part-1/