Htmlentities、addslashes、mysqli_real_escape_string
我一直在阅读有关保护 PHP 应用程序的内容,在我看来,将数据插入 MySQL 表时, mysqli_real_escape_string
是正确的函数,因为 addslashes
可能会导致一些问题。对于聪明的攻击者来说,奇怪的事情会发生。正确的?
然而,有一件事让我感到困惑。我似乎记得在将用户输入的数据回显给用户以保护他们的数据时被告知 addslashes
比 htmlentities
更好,但似乎 addslashes
> 是存在漏洞的一个。这是真的吗,还是我记错了?
I've been doing some reading on securing PHP applications, and it seems to me that mysqli_real_escape_string
is the correct function to use when inserting data into MySQL tables because addslashes
can cause some weird things to happen for a smart attacker. Right?
However, there is one thing that is confusing me. I seem to remember being advised addslashes
is better than htmlentities
when echoing user-entered data back to users to protect their data, but it seems like addslashes
is the one with the vulnerability. Is this true, or am I remembering incorrectly?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(7)
它们是用于不同目的的不同工具。
mysqli_real_escape_string 使数据可以安全地插入 MySQL(但参数化查询更好)。
Htmlentities 使数据可以安全地输出到 HTML 文档
。addslashes 使数据在其他几种情况下安全,但对于 MySQL 来说还不够
They are different tools for different purposes.
mysqli_real_escape_string makes data safe for inserting into MySQL (but parametrized queries are better).
Htmlentities makes data safe for outputting into an HTML document
addslashes makes data safe for a few other situations, but is insufficient for MySQL
您的数据有不同的上下文。将数据插入数据库的上下文需要与渲染 html/xml 甚至电子邮件消息的上下文不同地进行转义。
在所有新代码中应弃用将数据转义到数据库中,以支持准备好的语句。任何告诉你其他情况的人都会对你造成极大的伤害。
根据目标,需要以多种不同的方式对转义到浏览器的数据进行转义。有时 htmlspecialchars 就足够了,有时您需要使用 htmlentities。有时您需要数字实体。您应该对这个主题进行一些研究以了解所有细微差别。
我遵循的一般规则是验证(不过滤,如果不正确则拒绝)输入和验证。转义输出(基于上下文)。
There are different contexts for your data. The context of inserting data into the database needs to be escaped differently than the context of rendering html/xml or even an email message.
Escaping data going into a db should be deprecated in all new code in favor of prepared statements. Anyone who tells you otherwise is doing you a great disservice.
Escaping data going to the browser needs to be escaped in a number of different ways depending on the target. Sometimes htmlspecialchars is enough, sometimes you need to use htmlentities. Sometimes you need numeric entities. It is a topic you should do some research on to know all of the nuances.
The general rule I live by is validate (not filter, reject if incorrect) input & escape output (based on context).
您还可以使用 PDO 库 它为您完成大部分转义,如果您可以在服务器上使用 PHP5。
在回应时,我个人更喜欢 htmlspecialchars,但有人可能会纠正我
You could also use the PDO libs which does most of the escaping for you, in case you may use PHP5 on the servers.
On echoing back I'd personally prefer htmlspecialchars, but one might correct me
是的,对所有用户输入使用 mysqli_real_escape_string 或类似 PDO 的库。当回显时,我使用带有 ENT_QUOTES 作为第二个参数的 htmlentities,因为它将所有适用的字符转义为其 html 实体,包括引号。
yes, use the mysqli_real_escape_string or a library like PDO on all user input. When echoing back, I use htmlentities with ENT_QUOTES as the second parameter, as it escapes all applicable characters to their html entities, including quotes.
注意:应避免在 UTF-8 编码文档中使用 htmlentities()。请参阅:
注意(引自phpwact.org):
Note: Using htmlentities() in an UTF-8 encoded document should be avoided. See:
Pay attention to (quoted from phpwact.org):
PHP 5.2 及更高版本的另一个有趣的解决方案是使用过滤器扩展: http:// /www.php.net/manual/en/book.filter.php
它允许您验证和清理用户输入。有许多内置过滤器可用,它们可以与标志结合起来调整它们的行为。
此外,这些过滤器还可用于验证/清理整数、浮点数、电子邮件、特定正则表达式。
我个人已经开始在我的项目中使用它们来验证表单并输出用户输入的数据,我很高兴我这么做了。不过,当我在 MySQL 数据库中插入值时,我会使用准备好的查询来提高安全性。这些解决方案一起可以帮助避免大多数 SQL 注入和 XSS 类型的攻击。
Another interesting solution for PHP 5.2 and above is to use the filter extension: http://www.php.net/manual/en/book.filter.php
It allows you to validate and sanitize user inputs. There are many built-in filters available and they can be combined with flags to tweak their behaviour.
In addition hese filters can also be used to validate/sanitize ints, floats, emails, specific regular expressions.
I personally have started using them in my projects to validate forms and to output user-entered data, and I am very glad I did. Although, when I insert values in a MySQL database, I use prepared queries for added security. These solutions together can help avoid most SQL injections and XSS-type attacks.
您不能拥有一个“转义”功能并期望它始终有效。有不同的攻击需要特定的卫生程序。理解这个概念的唯一方法是编写一些易受攻击的代码,然后利用它。编写漏洞代码对于理解任何安全系统都至关重要。
例如,此查询容易受到 Sql 注入的攻击:
利用:
http://localhost/sqli_test.php?host=\&name=%20sleep(20 )--%201
mysql 的最佳转义函数是 mysqli_real_escape_string() 但这可能会失败:
利用:
http://localhost/sqli_test.php?id=1%20or%20sleep (20)
事实上,处理sql注入的最好方法不是调用转义函数,而是使用ADODB的参数化查询来进行sql注入。使用 htmlspecialcahrs($var,ENT_QUTOES) 来处理 XSS。请阅读 OWASP Top 10,因为 Web 可能会出现很多问题应用程序安全。
You can't have one "escape" function and expect it to work all of the time. There are different attacks that require specific sanitation routines. The only way to understand this concept is to write some vulnerable code and then exploit it. Writing exploit code is vital to the understanding of any security system.
For instance this query is vulnerable to Sql injection:
Exploit:
http://localhost/sqli_test.php?host=\&name=%20sleep(20)--%201
The best escape function for mysql is mysqli_real_escape_string() but this can fail:
exploit:
http://localhost/sqli_test.php?id=1%20or%20sleep(20)
In fact the best way to take care of sql injection isn't calling an escape function, Its using ADODB's parametrized quires for sql injection. Use htmlspecialcahrs($var,ENT_QUTOES) for XSS. Read the OWASP top 10 because there is a whole lot more than can go wrong with web application security.