Best way to sanitize/filter user comments?
I am currently using this process to sanitize/filter comments entered by users ->
This one is used to strip slashes... and
    if (get_magic_quotes_gpc()) {
        // Undo magic_quotes_gpc escaping recursively on the request arrays
        function stripslashes_deep($value)
        {
            $value = is_array($value) ?
                array_map('stripslashes_deep', $value) :
                stripslashes($value);
            return $value;
        }
        $_POST    = array_map('stripslashes_deep', $_POST);
        $_GET     = array_map('stripslashes_deep', $_GET);
        $_COOKIE  = array_map('stripslashes_deep', $_COOKIE);
        $_REQUEST = array_map('stripslashes_deep', $_REQUEST);
    }
Then the comment goes through this function to sanitize the data...
    function my_strip_tags($str) {
        // Split on '<'; the first piece can never start a tag
        $strs = explode('<', $str);
        $res  = $strs[0];
        for ($i = 1; $i < count($strs); $i++)
        {
            // No closing '>' in this piece: the '<' is literal text (e.g. "a < b"),
            // so encode it, otherwise strip_tags() would swallow everything after it.
            // (Compare with === false: '>' at offset 0 would make !strpos() misfire.)
            if (strpos($strs[$i], '>') === false)
                $res = $res . '&lt;' . $strs[$i];
            else
                $res = $res . '<' . $strs[$i];
        }
        return strip_tags($res);
    }
After this it goes straight into the database using a prepared statement..
    function add_comment($comment, $type, $update_id, $user_id) {
        $query = "INSERT INTO comment_updates (updateid,userid,comment) VALUES(?,?,?)";
        if ($stmt = $this->conn->prepare($query)) {
            $stmt->bind_param('sss', $update_id, $user_id, $comment);
            $stmt->execute();
            $ok = ($this->conn->affected_rows == 1);
            $stmt->close();   // close on every path, not only on success
            return $ok;
        }
        return false;         // prepare() failed
    }
I just wanted to know if this is secure enough or if there are any other better alternatives... Thanks
Comments (5)
The most important thing when thinking about storing data to a database is to escape it; using mysql_real_escape_string, or mysqli_real_escape_string, or PDO::quote, depending on the DB you're using (or other functions for oracle/pg/...).

Another solution would be to use prepared statements (see mysqli::prepare and/or PDO::prepare -- those are not supported by the old mysql_* extension), which will deal with escaping data at your place ;-)

When thinking about HTML output, you have two solutions: htmlentities or htmlspecialchars: not necessarily looking nice, but the output will look like the input of the user.

I would go with either the first or the last solution; yours feels more "dangerous" -- but that's only a feeling ^^ (the general idea being "do not reinvent the wheel")

Don't write your own HTML sanitizer. You'll create XSS holes.
If you're going to write your own, at least run the ha.ckers.org xss smoketests against it.
Between those tests, and the htmlpurifier comparison of filters, you should be able to get a good idea of just how complicated html sanitization is -- and why you should leave it to the pros.
Your magic quotes handling is fine, although if you create get parameters with quotes you need to stripslashes the keys too. :)
As for strip tags, you are better off with a real HTML filter library. There are so many twists and turns involved with html that you just should not trust anything you just make once and forget about. People spend time making those HTML filters so use their work to your advantage.
As for "straight into the DB", well in a bound parameters, sure, that's great. You can safely put anything into a bound parameter. In a string with quotes, I hope you are escaping the result.

Escape all characters when putting it in database. When retrieving and displaying make sure to escape html formatting such as <sometag> so it displays instead of being treated as code.

PHP has little known but powerful built in sanitation functions. I would recommend using them:
Input filtering in PHP
filter_input and filter_var
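As an added example (not the poster's code nor any answerer's), this PHP script follows the direction the answers point to: validate the ids with filter_var, store the raw comment through bound parameters, and encode it with htmlspecialchars only when rendering. The table and column names come from the question; the mysqli connection, the mbstring extension and the sample inputs are assumed or constructed.

```php
<?php
declare(strict_types=1);

// Validate numeric ids with filter_var(): null means "reject the request".
function valid_id($value): ?int {
    $id = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Keep the comment as plain text: valid UTF-8, normalised newlines, bounded
// length. Nothing is stripped; the text is stored as typed (needs mbstring).
function normalize_comment(string $raw, int $max = 2000): ?string {
    if (!mb_check_encoding($raw, 'UTF-8')) {
        return null;
    }
    $text = trim(str_replace("\r\n", "\n", $raw));
    return ($text === '' || mb_strlen($text, 'UTF-8') > $max) ? null : $text;
}

// Store with bound parameters ('i' for the ids); the driver handles quoting.
// Table/column names are the poster's; the connection is assumed to exist.
function add_comment(mysqli $conn, string $comment, int $update_id, int $user_id): bool {
    $stmt = $conn->prepare('INSERT INTO comment_updates (updateid, userid, comment) VALUES (?, ?, ?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('iis', $update_id, $user_id, $comment);
    $ok = $stmt->execute() && $stmt->affected_rows === 1;
    $stmt->close();
    return $ok;
}

// Encode at the HTML boundary, so stored text is displayed and never parsed.
function render_comment(string $comment): string {
    $safe = htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return nl2br($safe, false);
}

// Constructed inputs: the stray '<' that my_strip_tags() tried to preserve,
// a literal tag that must be shown and not rendered, and quote characters.
$cases = [
    "if a < b then\nstop"      => "if a &lt; b then<br>\nstop",
    '<sometag>hello</sometag>' => '&lt;sometag&gt;hello&lt;/sometag&gt;',
    'say "hi" & \'bye\''       => 'say &quot;hi&quot; &amp; &#039;bye&#039;',
];
foreach ($cases as $in => $expected) {
    assert(render_comment($in) === $expected);
}
assert(valid_id('42') === 42 && valid_id('0') === null && valid_id('7a') === null);
assert(normalize_comment("\r\n ok \r\n") === 'ok' && normalize_comment("\xff") === null);
```

The render and validation checks run without a database; add_comment() is only called once a real mysqli connection is available.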