该功能对是否适合消毒?
这取自 O'Reilly 的《学习 PHP、MySQL 和 Javascript》:
function sanitizeString($var)
{
$var = stripslashes($var);
$var = htmlentities($var);
$var = strip_tags($var);
return $var;
}
function sanitizeMySQL($var)
{
$var = sanitizeString($var);
$var = mysql_real_escape_string($var);
return $var;
}
这就是处理 POST 和 GET 数据所需要的吗?考虑到来源,我担心这对初学者来说已经被简化了,我会让自己在以后很容易受到攻击。
谢谢。
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
不要使用旧的 MySQL 驱动程序和 mysql_real_escape_string,而是使用支持 准备好的语句(例如PDO)。
htmlentities将转换 '<'和“>”到其等效的 HTML 字符实体中,因此在htmlentities之后调用strip_tags将不会产生任何影响。仅当启用魔术引号时才应调用
stripslashes(使用get_magic_quotes_gpc< /a> 和get_magic_quotes_runtime来测试这一点)。Rather than using the old MySQL driver and
mysql_real_escape_string, use a more modern driver that supports prepared statements (e.g. PDO).htmlentitieswill convert '<' and '>' into their equivalent HTML character entities, so callingstrip_tagsafterhtmlentitieswill have no affect.stripslashesshould only be called if magic quotes are enabled (useget_magic_quotes_gpcandget_magic_quotes_runtimeto test for this).不可能普遍地、不加区别地“清理”传入的数据。这始终取决于您想用它做什么。
sanitizeString() 方法适合清理您无法信任的内容(例如来自不安全表单的内容),这些内容将在页面的 HTML 输出中显示。 没有别的。它将删除标签等信息,并修改特殊字符。
sanitizeMySQL() 方法可以做到这一点,并且可以安全地在 mySQL 查询中使用。同样,只有当您想要减少用户输入(例如留言簿或留言箱)时,这才有用。如果您的 CMS 具有授权用户,您就不会希望这样做。
在任何情况下都始终将其应用于所有传入变量。例如,如果您有一个通过电子邮件转发给您的订单表格,
htmlspecialchars()会将所有特殊字符转换为实体 - 按字面显示(如")在纯文本电子邮件中。你不会想这么做的。有关我认为使用什么卫生设施的一般概述这个 是一个很好的答案。此外,如果您要根据传入数据发送电子邮件,请查看邮件注入。
It's not possible to generally and indiscriminately "sanitize" incoming data. It always depends on what you want to do with it.
The sanitizeString() method is suitable to clean up content that you can't trust (e.g. from an unsecured form) that is to be displayed within the HTML output of your page. Nothing else. It will remove information such as tags, and it will modify special characters.
The sanitizeMySQL() method will do that, plus make it safe to use in a mySQL Query. Again, this is useful only if you want to strip down user input e.g. for a guest book or a shoutbox. If you had a CMS with authorized users, you would not want to do this.
Under no circumstances always apply this to all incoming variables. If you have an order form for example, that is forwarded to you through E-Mail,
htmlspecialchars()would convert all special characters into entities - that are displayed literally (like") in a text-only E-Mail. You wouldn't want to do that.For a general overview on what sanitation to use where I think this is a good answer. Additionally, if you are going to send E-Mail based on incoming data, check out Mail injections.
没有灵丹妙药可以确保用户输入安全,因为这完全取决于您如何处理它。例如,如果您有一个文本框并将其与上述函数一起使用,它将清除此字符串:
这不是问题...除非您随后在链接的 onclick 属性中使用该用户输入。不太可能?当然。但这是通过反例证明的。
您必须了解用户输入的用途,它可能引入或利用哪些漏洞,然后采取适当的行动。
mysql_real_escape_string()足以阻止 SQL 注入,因此这是理所当然的。阻止 XSS 的含义要模糊得多。There is no magic bullet function to make user input safe because it depends entirely on what you do with it. For example, if you have a textbox and use it with the above function it will clear this string:
which isn't a problem... unless you then use that user input in an onclick attribute of a link. Unlikely? Sure. But it's proof by counterexample.
You have to understand what you're using the user input for, what vulnerabilities it might introduce or exploit and then act appropriately.
mysql_real_escape_string()is sufficient to stop SQL injection so that's a no-brainer. To stop XSS is a lot more nebulous.好的开始。理想情况下,对于非自由格式的内容,您可以使用 switch 语句(或其他语句)中的输入来查找硬编码值以进入 SQL。这有助于防止消毒过程中遗漏的事情。
Good start. Ideally, for things that are not freeform, you could use the input in a switch statement (or whatever) to lookup hardcoded values to go into the SQL. That helps prevent things the sanitizing missed.