PhalconPHP $di security issue: print_r on a Resultset object shows the PDO password

Time: 2015-11-12 10:19:20

Tags: security phalcon

Suppose I want to display all the records returned by a particular SELECT statement. So I do something simple:

<?php
$listings = ProductListings::find(array()); // ProductListings is my model
foreach ($listings as $listing) {
    echo '<pre>' . print_r($listing, true) . '</pre>';
}
?>

But instead of the clean-looking output I would expect from Phalcon, I see a huge screen of stuff that, via di:protected, contains my configuration, and, disturbingly, this:

[db] => Phalcon\Db\Adapter\Pdo\Mysql Object
    (
        [_eventsManager:protected] => 
        [_descriptor:protected] => Array
           (
               [host] => localhost
               [username] => **myUsername**
               [password] => **myPassword**
               [dbname] => **myDatabaseName**
               [charset] => utf8
           )

I know that somewhere along the line I will find myself doing a print_r and the database information will be exposed; or worse, a search engine will cache the page with my sensitive data. Whether or not anyone could exploit this information is beside the point. When I do a print_r, I don't want such information displayed in the first place. Security concerns aside, I don't want to search through pages and pages of clutter to find the data I'm actually interested in.

My question is, from a design standpoint, what options do we have as Phalcon developers to add another layer of security to our applications, so that these protected properties are less likely to expose our sensitive data through a single print_r that slipped past us while debugging? All Phalcon-related objects that store a reference to the di have the same problem. I suppose I could do something with output buffering to scan the output every time for possible slips, but that is just silly. Given Phalcon's architecture, what countermeasures can we take to keep our applications safe?

2 answers:

Answer 0 (score: 2)

Short answer: There is no way to get around this, I'm afraid.

Somewhat longer (but probably equally unsatisfying) answer:

Bear these two facts in mind:

  • print_r is, as you rightly said, a means of debugging. It will print out all the contents of a variable, regardless of how sensitive the information contained might be to you.
  • The concept of dependency injection does not work without a DI container. This container is designed to hold all relevant parts of your application like the database interface, the view engine etc., therefore making it the sacred core of your entire app.

Understand that what you're doing is exposing the inner sanctum of your app by using print_r($di) or on any component therein (because they also hold a reference to the DI). It's probably the worst thing you can do, because - as you correctly pointed out - if you forget to remove one of these debugging calls, it would be a worst case scenario in terms of security.

Conclusion: You have to use another way of doing safer debug outputs. Never output your DI container in its entirety, never output more data than you really need for debugging.

I would recommend limiting that output to stuff like the current route, active controller and action, variables present in your view and possibly other less sensitive data.

If you would like to safely debug your SQL statements, I would recommend reading this part of the Phalcon documentation.
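As an added example (not part of the original answer), here is a debug helper in the spirit of the advice above: it pulls only the current route, controller, action and the names of view variables out of the DI container, instead of dumping the container itself. It assumes the default service names `router`, `dispatcher` and `view` that Phalcon's FactoryDefault container registers, and the method names shown are those of Phalcon 2.x.

```php
<?php
// Added example, not from the original answer or from Phalcon itself.
// Dumps request-context data only; it never walks the DI container or any
// component that holds a reference to it.
use Phalcon\Di;
use Phalcon\DiInterface;

function debugContext(DiInterface $di = null)
{
    // Assumption: the application registered its services in the default DI.
    $di  = $di ?: Di::getDefault();
    $out = array();

    if ($di->has('router')) {
        $route = $di->get('router')->getMatchedRoute();
        $out['route'] = $route ? $route->getPattern() : null;
    }

    if ($di->has('dispatcher')) {
        $dispatcher = $di->get('dispatcher');
        $out['controller'] = $dispatcher->getControllerName();
        $out['action']     = $dispatcher->getActionName();
        $out['params']     = $dispatcher->getParams();
    }

    if ($di->has('view')) {
        // Only the names of variables passed to the view, not their values:
        // values may themselves be models, which would drag the DI back in.
        $out['viewVars'] = array_keys($di->get('view')->getParamsToView());
    }

    return $out;
}

// Usage inside a controller action while debugging:
// echo '<pre>' . htmlspecialchars(print_r(debugContext(), true)) . '</pre>';
```

Note that `params` can still contain user-supplied input, which is why the output is passed through `htmlspecialchars` before it is echoed into HTML.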

Answer 1 (score: 2)

Try this

<?php
$listings = ProductListings::find(array());

foreach ($listings as $listing) {
    // toArray() returns only the column values of the row,
    // not the model's internal properties such as the DI reference
    echo '<pre>' . print_r($listing->toArray(), true) . '</pre>';
}
?>
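Generalising the `toArray()` approach, as an added example that is not part of the original answer: a drop-in replacement for `print_r` during debugging. Phalcon models and resultsets are reduced to plain arrays via `toArray()`, any other object (which may hold a DI reference) is refused rather than walked, and keys that look like credentials are masked as a second line of defence in case a config array is dumped directly. The list of secret key names and the depth limit are assumptions for this example.

```php
<?php
// Added example, not from the original answer or from Phalcon itself.
use Phalcon\Mvc\Model;
use Phalcon\Mvc\Model\Resultset;

/**
 * Reduce a value to something that is safe to print_r: scalars and arrays only.
 */
function safeDump($value, $depth = 0)
{
    // Assumption: these key names cover the credentials in your config.
    $secretKeys = array('password', 'passwd', 'secret', 'token', 'key', 'dsn');

    if ($depth > 8) {
        return '[max depth reached]';
    }

    // Models and resultsets expose their column data through toArray();
    // the DI reference, metadata and connection objects are left behind.
    if ($value instanceof Model || $value instanceof Resultset) {
        return safeDump($value->toArray(), $depth + 1);
    }

    if (is_array($value)) {
        $out = array();
        foreach ($value as $k => $v) {
            $out[$k] = in_array(strtolower((string) $k), $secretKeys, true)
                ? '***REDACTED***'
                : safeDump($v, $depth + 1);
        }
        return $out;
    }

    if (is_object($value)) {
        // Never walk arbitrary objects: a Phalcon component's protected $_di
        // is exactly what leaked the PDO credentials in the question.
        return '[object ' . get_class($value) . ' not dumped]';
    }

    return $value;
}

/**
 * HTML-safe replacement for the echo '<pre>' . print_r(...) pattern.
 */
function debugPrint($value)
{
    echo '<pre>'
        . htmlspecialchars(print_r(safeDump($value), true), ENT_QUOTES, 'UTF-8')
        . '</pre>';
}

// Usage:
// $listings = ProductListings::find();
// debugPrint($listings);            // the whole resultset, one array per row
// foreach ($listings as $listing) {
//     debugPrint($listing);         // a single row
// }
// debugPrint($di);                  // prints "[object Phalcon\Di\FactoryDefault not dumped]"
```

The redaction list does not make it safe to dump the DI container; the point of refusing objects outright is that a forgotten `debugPrint($di)` degrades to a one-line class name instead of a page of credentials.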