终极清洁/安全功能
我有很多来自 $_GET
和 $_POST
的用户输入...目前我总是写 mysql_real_escape_string($_GET['var'])< /code>..
我想知道你是否可以创建一个函数来立即保护、转义和清理 $_GET
/$_POST
数组,所以你不会'每次处理用户输入等时都不必处理它。
我正在考虑一个函数,例如 cleanMe($input)
,在它内部,它应该执行 mysql_real_escape_string
、htmlspecialchars
、strip_tags
、stripslashes
(我认为这就是让它干净和安全的全部),然后返回$input
。
那么这可能吗?制作一个适用于所有 $_GET
和 $_POST
的函数,因此您只需这样做:
$_GET = cleanMe($_GET);
$_POST = cleanMe($_POST);
因此在稍后的代码中,当您使用例如 $_GET 时['blabla']
或 $_POST['haha']
,它们是安全的、剥离的等等?
自己尝试了一下:
function cleanMe($input) {
$input = mysql_real_escape_string($input);
$input = htmlspecialchars($input, ENT_IGNORE, 'utf-8');
$input = strip_tags($input);
$input = stripslashes($input);
return $input;
}
I have a lot of user inputs from $_GET
and $_POST
... At the moment I always write mysql_real_escape_string($_GET['var'])
..
I would like to know whether you could make a function that secures, escapes and cleans the $_GET
/$_POST
arrays right away, so you won't have to deal with it each time you are working with user inputs and such.
I was thinking of an function, e.g cleanMe($input)
, and inside it, it should do mysql_real_escape_string
, htmlspecialchars
, strip_tags
, stripslashes
(I think that would be all to make it clean & secure) and then return the $input
.
So is this possible? Making a function that works for all $_GET
and $_POST
, so you would do only this:
$_GET = cleanMe($_GET);
$_POST = cleanMe($_POST);
So in your code later, when you work with e.g $_GET['blabla']
or $_POST['haha']
, they are secured, stripped and so on?
Tried myself a little:
function cleanMe($input) {
$input = mysql_real_escape_string($input);
$input = htmlspecialchars($input, ENT_IGNORE, 'utf-8');
$input = strip_tags($input);
$input = stripslashes($input);
return $input;
}
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
通用卫生功能的想法是一个破碎的概念。
每种目的都有一种正确的卫生方法。在字符串上不加区别地运行它们通常会破坏它——转义 SQL 查询的一段 HTML 代码会破坏它在网页中的使用,反之亦然。应在使用数据之前应用卫生:
在运行数据库查询之前。正确的卫生方法取决于您使用的图书馆;它们列于 如何防止 PHP 中的 SQL 注入?
htmlspecialchars()
用于安全 HTML 输出preg_quote()
用于在正则表达式中使用escapeshellarg()
/escapeshellcmd()
for在外部命令中使用等。等等
使用“一刀切”的卫生功能就像对一株植物使用五种剧毒杀虫剂,而根据定义,该植物只能含有一种虫子 - 结果却发现你的植物被第六种杀虫剂侵扰,而任何杀虫剂都对其不起作用。
始终使用一种正确的方法,最好是在将数据传递给函数之前直接使用。除非需要,否则永远不要混合使用方法。
The idea of a generic sanitation function is a broken concept.
There is one right sanitation method for every purpose. Running them all indiscriminately on a string will often break it - escaping a piece of HTML code for a SQL query will break it for use in a web page, and vice versa. Sanitation should be applied right before using the data:
before running a database query. The right sanitation method depends on the library you use; they are listed in How can I prevent SQL injection in PHP?
htmlspecialchars()
for safe HTML outputpreg_quote()
for use in a regular expressionescapeshellarg()
/escapeshellcmd()
for use in an external commandetc. etc.
Using a "one size fits all" sanitation function is like using five kinds of highly toxic insecticide on a plant that can by definition only contain one kind of bug - only to find out that your plants are infested by a sixth kind, on which none of the insecticides work.
Always use that one right method, ideally straight before passing the data to the function. Never mix methods unless you need to.
简单地通过所有这些函数传递输入是没有意义的。所有这些功能都有不同的含义。通过调用更多转义函数,数据不会变得“更干净”。
如果你想在 MySQL 中存储用户输入,你只需要使用 mysql_real_escape_string 。然后将其完全转义以安全地存储在数据库中。
编辑
另请注意使用其他功能时出现的问题。例如,如果客户端向服务器发送用户名,并且用户名包含与号 (
&
),则您不希望在将其存储到之前调用htmlentities
数据库中,因为数据库中的用户名将包含&
。There is no point in simply passing the input through all these functions. All these functions have different meanings. Data doesn't get "cleaner" by calling more escape-functions.
If you want to store user input in MySQL you need to use only
mysql_real_escape_string
. It is then fully escaped to store safely in the database.EDIT
Also note the problems that arise with using the other functions. If the client sends for instance a username to the server, and the username contains an ampersand (
&
), you don;t want to have calledhtmlentities
before storing it in the database because then the username in the database will contain&
.您正在寻找
filter_input_array()
。但是,我建议仅将其用于业务风格的验证/清理,而不是 SQL 输入过滤。
为了防止 SQL 注入,请使用参数化查询 mysqli 或 PDO。
You're looking for
filter_input_array()
.However, I suggest only using that for business-style validation/sanitisation and not SQL input filtering.
For protection against SQL injection, use parametrised queries with mysqli or PDO.
问题是,对于一种用途来说干净或安全的东西,不会用于另一种用途:清理路径的一部分,mysql查询的一部分,html输出(作为html,或在javascript中或在输入的值中),对于 xml 可能需要不同的东西,这是矛盾的。
但是,一些全球性的事情是可以做的。
尝试使用 filter_input 获取用户的输入。并使用准备好的语句进行 SQL 查询。
不过,您可以创建一些管理输入的类,而不是万能的函数。类似这样的事情:
对于这种事情,如果您在代码中看到任何 $_POST、$GET、$_REQUEST 或 $_COOKIE,您就知道必须更改它。如果有一天您必须更改过滤输入的方式,只需更改您创建的类即可。
The problem is, something clean or secure for one use, won't be for another : cleaning for part of a path, for part of a mysql query, for html output (as html, or in javascript or in an input's value), for xml may require different things which contradicts.
But, some global things can be done.
Try to use filter_input to get your user's input. And use prepared statements for your SQL queries.
Although, instead of a do-it-all function, you can create some class which manages your inputs. Something like that :
With this kind of things, if you see any $_POST, $GET, $_REQUEST or $_COOKIE in your code, you know you have to change it. And if one day you have to change how you filter your inputs, just change the class you've made.
如果您使用 apache 并且拥有服务器的完全访问权限,我可以建议安装“mod_security”吗?!
它确实解决了我的大部分问题。但是,不要仅依赖一两个解决方案,始终编写安全代码;)
更新
找到了这个 PHP IDS(http://php-ids.org/);看起来不错:)
May I suggest to install "mod_security" if you're using apache and have full access to server?!
It did solve most of my problems. However don't rely in just one or two solutions, always write secure code ;)
UPDATE
Found this PHP IDS (http://php-ids.org/); seems nice :)