PHP 仍然是创建动态网站最热门的选择之一,因为开发人员水平参差不齐,因此网络上很多网站都有潜在的风险。因此,我们综合了10个最佳的 PHP 安全库推荐给开发者,这将有助于他们创建安全的 Web 应用程序的安全接口。
1. PHP Intrusion Detection System
PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application. The IDS neither strips, sanitizes nor filters any malicious input, it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to. Based on a set of approved and heavily tested filter rules any attack is given a numerical impact rating which makes it easy to decide what kind of action should follow the hacking attempt. This could range from simple logging to sending out an emergency mail to the development team, displaying a warning message for the attacker or even ending the user’s session.
2. PHP Password Lib
PHP-PasswordLib aims to be an all-inclusive cryptographic library for all cryptographic needs. It is meant to be easy to install and use, yet extensible and powerful enough for even the most experienced developer.
3. PHPSecLib
phpseclib is designed to be ultra-compatible. It works on PHP4+ (PHP4, assuming the use ofPHP_Compat) and doesn’t require any extensions. For purposes of speed, mcrypt is used if it’s available as is gmp or bcmath (in that order), but they are not required.
4.TCrypto
TCrypto is a simple and flexible PHP 5.3+ in-memory key-value storage library. By default, a cookie will be used as a storage backend. TCrypto has been designed from the ground up with security in mind. Safe algorithms and modes. Automatic and safe initialization vector creation. Encryption and authentication key creation (Keytool) using strong randomness. Key rotation (versioned keys). TCrypto can be used as a scalable “session handler”. Especially scalable, if cookies are used as a storage backend. This is a bit like Ruby on Rails sessions.
5. HTML Purifier
HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C’s specifications.
6. URLcrypt
URLcrypt makes it easy to securely transmit short pieces of binary data in a URL. Use it to securely store things like user IDs, download expiration dates, and more. URLcrypt uses 256-bit AES symmetric encryption to securely encrypt data, and encodes and decodes Base 32 strings that can be used directly in URLs.
7. Hybrid Auth
HybridAuth is an open source PHP library for authenticating through multiple social services and ID providers. The services supported include OpenID,Facebook, LinkedIn, Google,Twitter, Windows Live, Foursquare, Vimeo, Yahoo, PayPal and more. It can be integrated easily into existing websites by inserting a file and few lines to the sign-in/up pages.
8. Security Check – Sensiolabs
This tool is almost essential to both beginners and experienced PHP coders. The way it works is quite simple, you upload your .lockfile and it does the rest for you. If you look at the stats, the numbers of vulnerabilities found is quite staggering, don’t be surprised if your own projects might output some nasty stuff that you have missed.
9. PHP Login Project
PHP-login Project is a script for adding authentication to your PHP projects. There are multiple tutorials available for installing it on various server configurations, as well as a minimal and one-file versions of the script.
10. SecurityMultiTool
A multitool library offering access to recommended security related libraries, standardised implementations of security defences, and secure implementations of commonly performed tasks. The purpose of the library is to serve as both a useful set of utilities and to act as a set of reference implementations which can be learned from. It may be used by applications regardless of whether they are web application framework based or not. The use of a web application framework does not guarantee your security.