Can I safely avoid injection if I only sanitize GET and POST data?

Posted 2024-08-07 15:09:30, 446 characters, 6 views, 0 comments

I'm just thinking about the best way to go about sanitizing my data to prevent injection attacks. Some people like to sanitize immediately before output, or immediately before insertion into the database... but the problem I see with this is twofold: (1) what if you miss a parameter/variable? (2) what if you're over-sanitizing? Not that it would hurt the output, but there's not much sense sanitizing stuff you already know is safe.

For example, in PHP, instead of using $_GET and $_POST, couldn't I wrap those with something like:

function get($var) {
    // my_sanitizer() stands for whatever catch-all sanitizer is applied to every incoming value
    return my_sanitizer($_GET[$var]);
}

Or would that not be enough? Where else could malicious code sneak in?


After reading the answers below I realize this question was a bit foolish. It depends on whether you're inserting into the database or outputting HTML. In that case, perhaps it is better to do it just before usage. That's okay though, it's easy enough to wrap output methods too...

Comments (3)

扶醉桌前 2024-08-14 15:09:30

There's more than one kind of sanitization, and more than one kind of injection. For instance, you'll generally want to sanitize or escape HTML and JS sometime before output. But the appropriate choice (e.g., stripping out all HTML, allowing HTML in a whitelist, making the user enter something else, or just escaping it so it shows as text) depends on the application.

As far as database injection goes, I agree with Nate: you should use prepared statements for this (sometimes these use escaping internally, but that's not your concern) instead.

In summary, a homemade catch-all my_sanitizer you run immediately upon getting any data is probably the wrong choice.

思慕 2024-08-14 15:09:30

Personally, I'd always sanitize right before you insert into your database; that said, if you have a SQL-based database, parameterized SQL and sprocs are the way to go to ensure you aren't injecting anything that will cause harm.

岁月无声 2024-08-14 15:09:30

You can do a foreach over the $_POST or $_GET array and sanitize all of it:

foreach ($_POST as $key => $value) {
    // iterate key => value so the assignment targets the right entry
    $_POST[$key] = addslashes($value);
}
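The answers above pull in two directions: the first says the right escaping depends on where the value ends up (HTML, JS, SQL), while the last suggests a blanket addslashes() pass over $_POST as a catch-all. The PHP script below is an added example, not code from the question or from any of the answers, that puts the two side by side: it runs the addslashes() loop over a constructed $fakePost array, then takes the same raw value and encodes it per destination with htmlspecialchars() for HTML text, rawurlencode() for a URL component, and a PDO prepared statement for SQL. request_param(), html_text(), url_param(), the sample values and the in-memory SQLite table (which needs the pdo_sqlite extension) are all assumptions made for this illustration.

```php
<?php
// Added example, not from the original page. It contrasts "sanitize
// everything on input" (addslashes over $_POST) with encoding each value
// for the context it is used in. request_param(), html_text(), url_param(),
// $fakePost and the SQLite table are assumptions for the illustration.

declare(strict_types=1);

// Constructed sample input standing in for $_POST in a real request.
$fakePost = [
    'name'    => "O'Brien <script>alert(1)</script>",
    'comment' => 'Plain "quoted" text',
];

// --- 1. The catch-all approach from the last answer ---------------------
$slashed = [];
foreach ($fakePost as $key => $value) {
    $slashed[$key] = addslashes($value);
}
// addslashes() only prefixes quotes and backslashes. The <script> tag is
// untouched, so echoing $slashed['name'] into HTML is still XSS, and the
// added backslash is just corrupt data anywhere other than inside a quoted
// SQL literal. One filter cannot serve every destination.
echo "addslashes() result: {$slashed['name']}\n";
// prints: addslashes() result: O\'Brien <script>alert(1)</script>

// --- 2. Context-specific handling: keep the raw value, encode at the sink --
function request_param(array $source, string $key): ?string
{
    // Return the raw value (or null). No sanitizing here: this function
    // cannot know whether the value will end up in HTML, SQL or a URL.
    $value = $source[$key] ?? null;
    return is_string($value) ? $value : null;
}

function html_text(string $s): string
{
    // Escapes <, >, &, " and ' so the value renders as text in HTML.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function url_param(string $s): string
{
    // Percent-encoding for a single query-string component.
    return rawurlencode($s);
}

$name = request_param($fakePost, 'name') ?? '';

// HTML body: the script tag becomes inert text.
echo '<p>Hello, ' . html_text($name) . "</p>\n";

// Link target: URL-encode for the query string, then HTML-encode because
// the result sits inside an HTML attribute. Two contexts, two encodings.
echo '<a href="/profile?name=' . html_text(url_param($name)) . '">profile</a>' . "\n";

// SQL: no escaping at all; the value travels as a bound parameter, so the
// query structure is fixed before the data is supplied.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

$insert = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
$insert->execute([':name' => $name]);

$select = $pdo->prepare('SELECT name FROM users WHERE name = :name');
$select->execute([':name' => $name]);
$stored = $select->fetchColumn();

// The quote and the tag are stored as plain data and come back unchanged.
var_dump($stored === $name); // bool(true)
```

Run it from the command line with php. The point to take away is that the raw value is kept as-is until the sink is known; the HTML output, the URL and the database each apply their own encoding, and the database needs none because the value never becomes part of the SQL text. addslashes() is not a reliable SQL escape either (it knows nothing about the connection's character set, which is why the PHP manual points to the driver's own escaping or to prepared statements), and it does nothing for HTML.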
