转义用户发送的数据?

发布于 10-07 01:50 字数 266 浏览 3 评论 0原文

这是我真正不明白的事情之一。我知道转义任何用户发送的数据非常重要。有很多方法可以做到这一点:stripslashes()(删除反斜杠)、strip_tags(删除 HTML 和 PHP 标签)、htmlSpecialChars(例如,将 & 更改为 &)、正则表达式 (preg_match()) 以不允许处理“坏”数据。

何时使用、如何使用、为什么使用?

This is one of things that I really don't get. I know that it's super-important to escape any user sent data. There are lot of methods how to do that: stripslashes() (removes backslashes), strip_tags (removes HTML and PHP tags), htmlSpecialChars (for example, change & to &), regex's (preg_match()) to do not allow process "bad" data.

When to use, how to use, why to use?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(4

[旋木]2024-10-14 01:50:52

如果您获取 $_POST['album_name'] 的内容,并将其直接放在您的页面上,那么有人可以提交 HTML 和 JavaScript,它们随后将成为页面的一部分,现在您的网站已被黑客入侵。

或者,您可以获取 $_POST['album_name'] 的内容并将其放入 SQL 查询中。但是用户已经编写了他们自己的 SQL 查询,您现在已经运行了该查询,并且现在您的数据库已被黑客攻击。

http://xkcd.com/327/

If you take the contents of, say, $_POST['album_name'], and out put it directly on your page, then someone could submit HTML and JavaScript, which would then become a part of the page, and now your site is hacked.

Or, you could take the contents of $_POST['album_name'] and put it into an SQL query. But the user has written their own SQL query, which you have now run, and now your database is hacked.

http://xkcd.com/327/

谁把谁当真2024-10-14 01:50:52

这个问题很广泛。这实际上取决于您转义数据的目的。

例如,使用 stripslashesstrip_tags 非常适合转义要在网络浏览器中显示的数据。但这对于数据库查询来说没有什么好处。

另一方面,数据库转义机制在将用户数据发送到数据库引擎时很有用,但在尝试防止 XSS 攻击时却没有用处。

每个转义函数都有一个必须使用的特定上下文。

This question is very broad. It really depends what you are escaping the data for.

Per example, using stripslashes and strip_tags is good for escaping data to be displayed in a web browser. But it's no good for database queries.

On the other hand, database escaping mechanisms are good when sending user data to a database engine, but they're no good when trying to prevent XSS attacks.

Each escaping function have a specific context where it has to be used.

顾铮苏瑾2024-10-14 01:50:52

顺便说一句:在 PHP 中过滤用户输入数据的最佳实践是使用 filter_input< /代码>

示例:

$userId = filter_input(INPUT_GET, 'user_id', FILTER_SANITIZE_NUMBER_INT);
$username = filter_input(INPUT_GET, 'username', FILTER_SANITIZE_SPECIAL_CHARS);
$email = filter_input(INPUT_POST, 'email', FILTER_SANITIZE_EMAIL);

更多过滤器常量此处

BTW: The best practice to filter user input data in PHP is using filter_input.

Examples:

$userId = filter_input(INPUT_GET, 'user_id', FILTER_SANITIZE_NUMBER_INT);
$username = filter_input(INPUT_GET, 'username', FILTER_SANITIZE_SPECIAL_CHARS);
$email = filter_input(INPUT_POST, 'email', FILTER_SANITIZE_EMAIL);

More filters constants here.

天煞孤星2024-10-14 01:50:52

如果您的数据要进入数据库,则必须防止用户发送超出正常查询的数据以破坏或修改该查询。使用带有参数绑定的 MySQLi 是当前保护数据库的最佳方法。只要您还使用字符串或 preg 替换即可。这样就确保整数 ID 是 int。您希望从数据中删除逻辑上尽可能多的字符。

如果您的数据要放置在标签之间,则 strip_tags 后跟 htmlentities 是一个很好的做法。但是,如果您可以使用白名单,那就这样做。如果您知道输出只能是 int,请确保它是 int。 echo htmlentities(strip_tags($value));

如果您将该数据放入标签内 以上还不够。您还必须替换单引号。在这里,更重要的是防止有毒数据进入。如果 $value 类似于 ' onClick='alert("oops");' 您可能会陷入严重的困境。在这里,您绝对应该使用白名单,并且仅在绝对必要时才允许用户输入的内容出现在此处。

如果你想输出到 JavaScript 中。不。即使您已经从事安全工作多年,也不应该这样做。然而。对于非常具体的值可以有一个例外。整数。锁定为 A-Za-z0-9 和空格的字符串用 preg 替换。然而。这是非常危险的,可能会严重损害您的系统。

如果您想将变量放入 eval 或 exec 中。只是不要。你不够聪明,无法阻止攻击。我也不是,没有人是。有人找到方法只是时间问题。如果最初编写的代码没问题?稍后,代码将发生更改,并且不再适用。只是不要这样做。时期。或者有一天,你会坐在监狱里,心里想:“但我并没有侵入五角大楼……”

If your data is going into the database, you must prevent users from sending data that will escape out of your normal query to break or modify that query. Using MySQLi with parameter binding is the current best way to protect your database. So long as you also use a string or preg replace as well. So that an integer ID is ensured to just be an int. You want to remove as many characters as you logically can from your data.

If your data is going to be placed in-between tags, strip_tags followed by htmlentities is a good practice. However, if you can use a white list, do. If you know the output should only be an int, make sure it is. echo htmlentities(strip_tags($value));

If you are placing that data inside a tag <a href='<?php echo $value; ?>'> the above is not enough. You must also replace single quotes. Here, it is even more vital that you prevent poisoned data from making it in. If $value was something like ' onClick='alert("oops");' you might be in a serious bind. Here you should absolutely use a white list, and only allow user entered content to appear here if you absolutely must.

If you want to output into a JavaScript. Don't. You shouldn't do this even if you've been working with security for years. However. The one exception can be made for VERY specific values. Integers. Strings that are locked to A-Za-z0-9 and space with a preg replace. However. This is VERY dangerous and can seriously compromise your system.

If you want to put variables inside an eval or exec. JUST DON'T. You are not smart enough to prevent an attack. Neither am I. No one is. It is just a matter of time before someone finds a way. And if the code as it was first written was fine? At some later date the code will get changed and won't be fine anymore. Just don't do it. Period. Or one day you'll be sitting in prison wondering to yourself, "But I didn't hack into the pentagon..."

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文