Why can't PHP just convert quotes to HTML entities for MySQL?

Posted on 2024-08-03 18:54:34

PHP uses "magic quotes" by default but has gotten a lot of flak for it. I understand it will disable it in the next major version of PHP.

While the arguments against it make sense, what I don't get is why not just use the HTML entities to represent quotes instead of stripping and removing slashes? After all, a VAST majority of mySQL is used for outputting to web browsers?

For example, &#39; is used instead of ' and it won't affect the database at all.

Another question, why can't PHP just have configurations set up for each version of PHP with this tag <?php4 or <?php5 so appropriate interpreters can be loaded for those versions?

Just curious. :)

还在原地等你 2024-08-10 18:54:34

Putting &#39; into a string column in a database would be fine, if all you use database content for is outputting to a web page. But that's not true.

It's better to escape output at the time you output it. That's the only time you know for sure that the output is going to a web page -- not a log file, an email, or other destination.

PS: PHP already turns magic quotes off by default in the standard php.ini file. It's deprecated in PHP 5.3, and it will be removed from the language entirely in PHP 6.0.

节枝 2024-08-10 18:54:34

Here's a good reason, mostly in response to your own posted answer: Using htmlspecialchars() or htmlentities() does not make your SQL query safe. That's what mysql_real_escape_string() is for.

You seem to be making the assumption that it's only the single and double quote characters that pose a problem. MySQL queries are actually vulnerable to the \x00, \n, \r, \, ', " and \x1a characters in your data. If you are not using prepared statements or mysql_real_escape_string(), then you have an SQL injection vulnerability.

htmlspecialchars() and htmlentities() do not convert all of these characters, ergo you cannot make your query safe by using these functions. To that end, addslashes() does not make your query safe either!

Other smaller downsides include what the other posters have already mentioned about MySQL not always being used for web content, as well as the fact that you are increasing the amount of storage and index space needed for your data (consider one byte of storage for a quote character, versus six or more bytes of storage for its entity form).
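
An added example for the answer above, not part of the original post: it checks which of the characters the answer lists are left unchanged by htmlspecialchars(), then stores a value through a prepared statement and escapes it only at output time. An in-memory SQLite database via PDO stands in for MySQL so the script runs offline; the table, column and function names are assumptions.

```php
<?php
// SQLite in memory stands in for MySQL so this runs offline (assumption);
// the table and column names are made up for the example.

// Characters the answer lists as significant inside a MySQL string literal.
$special = ["\x00", "\n", "\r", "\\", "'", '"', "\x1a"];

// Return the hex codes of the characters htmlspecialchars() leaves unchanged.
function untouchedByHtmlEscaping(array $chars): array
{
    $same = [];
    foreach ($chars as $c) {
        if (htmlspecialchars($c, ENT_QUOTES, 'UTF-8') === $c) {
            $same[] = bin2hex($c);
        }
    }
    return $same;
}

echo 'left as-is by htmlspecialchars: ',
    implode(' ', untouchedByHtmlEscaping($special)), "\n";

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (body TEXT)');

// Constructed sample input: quotes, a backslash and some markup.
$input = "It's a \"test\" \\ <b>bold</b>";

// The value travels as a bound parameter, never as part of the SQL text.
$stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
$stmt->execute([':body' => $input]);

// Read it back and compare with what was submitted.
$stored = $db->query('SELECT body FROM comments')->fetchColumn();
var_dump($stored === $input);

// Escape only now, when the destination is known to be an HTML page.
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";
```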

懵少女 2024-08-10 18:54:34

I will reply to your first question only.

Validation of input is a wrong approach anyway, because it's not input that matters, the problem is where it's used. PHP can't assume that all input to a MySQL query would be output to a context where an HTML Entity would make sense.

It's nice to see that magic_quotes is going; it's the cause of a lot of security issues with PHP, and it's nice to see them taking a new approach :)

You'll do yourself a big favour if you reframe your validation approaches to validate on OUTPUT, for the context you are working in. Only you, as the programmer, can know this.

相思故 2024-08-10 18:54:34

The reason that MySQL doesn't convert ' to &#39; is because ' is not &#39;. If you want to convert your data for output, you should be doing that at the view layer, not in your database. It's really not very hard to just call htmlentities before/when you echo.

终止放荡 2024-08-10 18:54:34

Thanks everyone. I had to REALLY think what you meant and the implications it may have if I change the quotes to HTML entities instead of adding slashes to them but again, isn't that actually changing the output/input too?

I cannot think of a reason why we CANNOT or SHOULDN'T use HTML entities for mySQL as long as we make it clear that all data is encoded using HTML entities. After all, my argument is based on a fact that the majority of mySQL is used for outputting to HTML browsers and also the fact that ' and " and / can seriously harm mySQL databases. So, isn't it actually SAFER to encode ' and " and / as HTML entities before sending them as INSERT queries? Also, we're going XML so why waste time writing htmlentities and stripslashes and addslashes when accessing data that's ALREADY encoded in HTML entities?

丑丑阿 2024-08-10 18:54:34

You can't just convert ' to &#39;. Think about it: what happens when you want to store the string "&#39;"? If you store &#39; then when you load the page it will display ' and not &#39;.

So now you have to convert ALL HTML entities, not just quotes. Then you start getting into all sorts of weird conversion problems. The simplest solution is to just store the real data in the database, then you can display it how you like. You might want to use the actual quotes - in most cases " and ' don't do any harm outside of the tag brackets.

Sometimes you may want to store actual HTML in a field and display it raw (as long as it's checked and sanitized on its way in/out).
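
An added example for the answer above, not part of the original thread: it compares converting quotes to entities before storage (the question's proposal) with storing the real text and encoding on output. The function names and sample strings are constructed for illustration.

```php
<?php
// Function names here are hypothetical; sample strings are constructed.

// The question's proposal: turn quotes into entities before the INSERT.
function encodeQuotesOnInput(string $s): string
{
    return str_replace(["'", '"'], ['&#39;', '&quot;'], $s);
}

// The answers' approach: keep the real text, encode for HTML only on output.
function forHtml(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// A plain apostrophe, and a user who typed the entity itself as text
// (for instance in a post explaining HTML).
$a = "'";
$b = '&#39;';

// Compare what would be stored for the two different inputs under the
// proposal: if they are equal, the original text cannot be recovered.
var_dump(encodeQuotesOnInput($a) === encodeQuotesOnInput($b));

// Stored raw and encoded on output, check that the two stay distinct and
// that decoding gives back exactly what the user typed.
var_dump(forHtml($a) !== forHtml($b));
var_dump(htmlspecialchars_decode(forHtml($b), ENT_QUOTES) === $b);

// Entity-encoded storage also reaches non-HTML destinations such as a
// plain-text mail subject, and takes more bytes than the real text.
$name = "O'Brien";
$mailSubject = 'Welcome, ' . encodeQuotesOnInput($name);
echo $mailSubject, "\n";
echo strlen($name), ' vs ', strlen(encodeQuotesOnInput($name)), " bytes\n";
```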
