How to prevent SQL injection attacks in an application written with Zend Framework?

Posted 2024-08-24 04:52:32 · 214 characters · 6 views · 0 comments

I don't have any concept about ZF safety. Do I have to use Filter when operating on database? Maybe binding is enough ? How about this:

$users->update($data, 'id=1');

Should $data array be filtered somehow ? Feel free to write anything you know about the issue.

Could you give some links to good articles about safety in ZF (mainly about SQL Injection and XSS)?

Comments (4)

森末i 2024-08-31 04:52:32

Short answer
While ZF takes and provides some measures to secure your app, you should still apply the same precautions that you'd use without Zend Framework.


Regarding your code snippet, check out the Chapter on Zend_Db in the Reference Guide:

By default, the values in your data array are inserted using parameters. This reduces risk of some types of security issues. You don't need to apply escaping or quoting to values in the data array.

This doesn't mean you don't have to bother about security. For instance, for the Update method above:

The third argument is a string containing an SQL expression that is used as criteria for the rows to change. The values and identifiers in this argument are not quoted or escaped. You are responsible for ensuring that any dynamic content is interpolated into this string safely. See Quoting Values and Identifiers for methods to help you do this.

Note: since you are obviously using Zend_Db_Table, the third argument is the second argument. Internally, the table instance will delegate the call to the db adapter, with the first param being the table instance's table name.


Regarding Zend_View and XSS attack vectors:

Zend_View comes with an initial set of helper classes, most of which relate to form element generation and perform the appropriate output escaping automatically.

Again, most of which does not mean all. Zend_View does provide Zend_View::escape() to help you sanitize output, but this is nothing special.
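To make the point of this answer concrete, here is an added example (not code from the answer or from the Zend Framework manual): the values in $data are bound by Zend_Db, but the WHERE expression passed to update() is sent to the database untouched, so it has to be built with the adapter's quoting helpers. It assumes a Zend_Db_Table subclass called Users and a ZF1 adapter.

```php
<?php
// Added example, not part of the original answer. Assumes ZF1 and a
// Zend_Db_Table_Abstract subclass named Users (hypothetical).

/**
 * Vulnerable: $id is interpolated straight into the WHERE string.
 * Zend_Db does not quote or escape this argument, so whatever the
 * caller passes becomes part of the SQL statement.
 */
function updateUserUnsafe(Zend_Db_Table_Abstract $users, array $data, $id)
{
    return $users->update($data, "id = $id");   // do not do this
}

/**
 * Safe: the $data values are bound as parameters by Zend_Db itself;
 * the WHERE value is quoted with quoteInto() and the column name with
 * quoteIdentifier(), so neither can change the structure of the query.
 */
function updateUserSafe(Zend_Db_Table_Abstract $users, array $data, $id)
{
    $db = $users->getAdapter();

    // Validate the type first, then quote; both steps are cheap.
    $validator = new Zend_Validate_Int();
    if (!$validator->isValid($id)) {
        throw new InvalidArgumentException('id must be an integer');
    }

    $where = $db->quoteInto($db->quoteIdentifier('id') . ' = ?', (int) $id);

    // Returns the number of affected rows.
    return $users->update($data, $where);
}

// Usage inside a controller action (assumes $this->_request is available):
// $users = new Users();
// $data  = array('name' => $this->_request->getParam('name')); // bound by Zend_Db
// $rows  = updateUserSafe($users, $data, $this->_request->getParam('id'));
```

The same quoteInto() pattern applies to the where() clause of a Zend_Db_Select and to delete(), which take the same unescaped expression.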

清引 2024-08-31 04:52:32

The same concept is valid for the Zend Framework and for every other web application/library/whatever that manipulates user data:

Always validate user input. Trust no one.

If you're expecting a string, be sure you receive a string. This can be performed using framework libraries (for example, in this very case you're using the Zend framework) or by manually implementing validation functions.

Validation must ALWAYS be performed on Server Side. Client side validation should also be present, to provide a better user experience.

In the case of Zend, please refer to the Validation page from the manual.

嘿咻 2024-08-31 04:52:32

Binding should prevent SQL injection but it does nothing to prevent XSS. You should always filter your data as necessary and when echoing output in the view, you should escape anything that might be dangerous.

echo $this->escape($this->foo);

忘你却要生生世世 2024-08-31 04:52:32

I will suggest the use of Zend Filters, wherever you need something specific. You can use this at any point in your application.

Request Parameter

$alpha = new Zend_Filter_Alpha();
$name = $alpha->filter($this->_request->getParam('name')); // while processing url parameters

Database

$int = new Zend_Filter_Int();
$select->where("id = ?", $int->filter($id)); // during db processing also

Also in Form Elements. I will skip this, as examples of this can be found abundantly.
