mirror of
https://github.com/sigmasternchen/php-doc-en
synced 2025-03-15 16:38:54 +00:00

- All id attributes are now xml:id - Add docbook namespace to all root elements - Replace <ulink /> with <link xlink:href /> - Minor markup fixes here and there git-svn-id: https://svn.php.net/repository/phpdoc/en/trunk@238160 c90b9560-bf6c-de11-be94-00142212c4b1
71 lines
2.9 KiB
XML
<?xml version="1.0" encoding="iso-8859-1"?>
<!-- $Revision: 1.4 $ -->
<!-- split from ./index.xml, last change in rev 1.66 -->
 <chapter xml:id="security.general" xmlns="http://docbook.org/ns/docbook">
  <title>General considerations</title>
  <simpara>
   A completely secure system is a virtual impossibility, so an
   approach often used in the security profession is one of balancing
   risk and usability. If every variable submitted by a user required
   two forms of biometric validation (such as a retinal scan and a
   fingerprint), you would have an extremely high level of
   accountability. It would also take half an hour to fill out a fairly
   complex form, which would tend to encourage users to find ways of
   bypassing the security.
  </simpara>
  <simpara>
   The best security is often unobtrusive enough to suit the
   requirements without preventing the user from accomplishing
   their work, or over-burdening the code author with excessive
   complexity. Indeed, some security attacks are merely exploits of
   this kind of overly built security, which tends to erode over time.
  </simpara>
  <simpara>
   A phrase worth remembering: a system is only as good as the weakest
   link in a chain. If all transactions are heavily logged based on
   time, location, transaction type, etc. but the user is only
   verified based on a single cookie, the validity of tying users
   to the transaction log is severely weakened.
  </simpara>
  <simpara>
   When testing, keep in mind that you will not be able to test all
   possibilities for even the simplest of pages. The input you
   may expect will be completely unrelated to the input given by
   a disgruntled employee, a cracker with months of time on their
   hands, or a housecat walking across the keyboard. This is why it's
   best to look at the code from a logical perspective, to discern
   where unexpected data can be introduced, and then follow how it is
   modified, reduced, or amplified.
  </simpara>
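The review approach in the paragraph above (name the point where untrusted data enters, then follow how it is modified, reduced and amplified on its way to the place it is finally used) is easier to apply when the code itself makes those steps visible. The following is an added example written for this page; it is not code from the PHP manual. The feature it models, a report listing taking `page` and `sort` from the query string, and the function names `normaliseReportRequest` and `buildReportQuery` are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not part of the PHP manual. It models the review approach
// described in the text: the raw request is the only place unexpected data
// can enter, every transformation is explicit, and nothing past this
// function ever sees the original strings.

/**
 * Entry point for untrusted data. Returns validated, bounded values or
 * throws. $query stands in for $_GET; it is passed in so the function can
 * be exercised with constructed input.
 */
function normaliseReportRequest(array $query): array
{
    // "page": modified (string -> int) and reduced to a sane range.
    // filter_var() returns false for "3; DROP TABLE x", "", arrays, and
    // anything outside the range, so a single check covers them all.
    $page = filter_var($query['page'] ?? '1', FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 10000],
    ]);
    if ($page === false) {
        throw new InvalidArgumentException('page must be an integer between 1 and 10000');
    }

    // "sort": PHP will happily deliver an array here for "?sort[]=x", so
    // check the type before treating it as text.
    $rawSort = $query['sort'] ?? 'created';
    if (!is_string($rawSort)) {
        throw new InvalidArgumentException('sort must be a string');
    }

    // Reduced to an allow-list. The value is later amplified into SQL text
    // (an ORDER BY clause), so only column names we chose may pass, and the
    // emitted name comes from our own map rather than from the request.
    $allowedSort = ['created' => 'created_at', 'name' => 'display_name'];
    $sortKey = strtolower(trim($rawSort));
    if (!array_key_exists($sortKey, $allowedSort)) {
        throw new InvalidArgumentException('unknown sort column');
    }

    return ['page' => $page, 'sort' => $allowedSort[$sortKey]];
}

/**
 * The sink. Only the mapped column name is spliced into the SQL string;
 * the numbers travel as bound parameters.
 */
function buildReportQuery(array $req, int $pageSize = 50): array
{
    $offset = ($req['page'] - 1) * $pageSize;
    $sql = 'SELECT id, display_name, created_at FROM reports'
         . " ORDER BY {$req['sort']} LIMIT :limit OFFSET :offset";
    return ['sql' => $sql, 'params' => [':limit' => $pageSize, ':offset' => $offset]];
}

// Constructed sample inputs standing in for $_GET: one ordinary request
// and three that a tester would not have thought to type.
$samples = [
    ['page' => '3',                'sort' => 'Name'],
    ['page' => '3; DROP TABLE x',  'sort' => 'name'],
    ['page' => '2',                'sort' => 'created_at DESC'],
    ['page' => '99999999',         'sort' => ['created']],
];

foreach ($samples as $query) {
    try {
        $q = buildReportQuery(normaliseReportRequest($query));
        echo "accepted: {$q['sql']}\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$e->getMessage()}\n";
    }
}
```

Run with the PHP CLI; the first sample is accepted and the other three are rejected at the entry point. The useful property for a reviewer is that there is exactly one function to read to answer "where can unexpected data get in, and what happens to it?", and the sink can be checked independently for what it amplifies into SQL.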
  <simpara>
   The Internet is filled with people trying to make a name for
   themselves by breaking your code, crashing your site, posting
   inappropriate content, and otherwise making your day interesting.
   It doesn't matter if you have a small or large site; you are
   a target simply by being online, by having a server that can be
   connected to. Many cracking programs do not discern by size; they
   simply trawl massive IP blocks looking for victims. Try not to
   become one.
  </simpara>
 </chapter>

<!-- Keep this comment at the end of the file
Local variables:
mode: sgml
sgml-omittag:t
sgml-shorttag:t
sgml-minimize-attributes:nil
sgml-always-quote-attributes:t
sgml-indent-step:1
sgml-indent-data:t
indent-tabs-mode:nil
sgml-parent-document:nil
sgml-default-dtd-file:"../../manual.ced"
sgml-exposed-tags:nil
sgml-local-catalogs:nil
sgml-local-ecat-files:nil
End:
vim600: syn=xml fen fdm=syntax fdl=2 si
vim: et tw=78 syn=sgml
vi: ts=1 sw=1
-->