使用 Apache 清理 GET 查询

发布于 2024-10-10 04:50:01 字数 264 浏览 4 评论 0原文

我看到这里有很多关于如何清理数据的讨论。可以吗 就像将此重写规则添加到 .htaccess 一样简单吗?

RewriteRule ^([\w\-]+)$ index.php?page=$1

据我了解,这将只允许字母、数字、_ 和 - 出现在 1 美元中,对吗?

如果您添加 SQL 查询的预准备语句的用法,它应该是相当证明的, 对吗?

不知怎的,感觉太容易了,难以置信,我是不是错过了什么,有什么方法可以巩固它吗?

I see there's a lot of talk here about how to go about sanitizing data. Could it
be as simple as adding this rewrite rule to .htaccess?

RewriteRule ^([\w\-]+)$ index.php?page=$1

To my understanding this will allow only letters, numbers, _ and - in $1, am I right?

If you add to this usage of prepared statements for SQL queries, it should be pretty proof,
is that right?

Somehow feels like too easy to be true, am I missing something, any ways to firm it up?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

近箐 2024-10-17 04:50:01

如果您添加 SQL 查询的准备语句的用法,它应该是很好的证明,对吗?

并非如此,因为您的规则对于大多数用例来说过于严格。以字符串输入中的变音符号为例。您需要允许某些输入使用一些非 ASCII 字符。此类数据在 URL 中采用百分比编码,因此您必须开始过滤掉某些字符,并且即使这样对于安全来说也是毫无用处的。除了数据库注入之外,攻击媒介还有很多很多。

对于所有这些危险,没有“一刀切”的卫生方法。对于每种情况(在文件名中使用;在 HTML 输出中;在 Javascript 输出中;在电子邮件中......),都有一种正确的方法。在 Web 服务器级别过滤掉“无效”字符并不实际 - 为了完美的安全性,您必须使用 Apache 语法重新创建所有这些特定的卫生功能,这几乎是不可能的。

另请参阅:PHP:终极清洁/安全功能

If you add to this usage of prepared statements for SQL queries, it should be pretty proof, is that right?

Not really, because your rule is too strict for most use cases. Think for example of Umlauts in string inputs. You will need to allow some non-ASCII characters for some inputs. Such data is percent encoded in URLs, so you would have to start filtering out certain characters, and even that would be useless for security. There are many, many more attack vectors than just database injections.

For all those dangers, there is no "one size fits all" sanitation method. For every scenario (Use in file names; in HTML output; in Javascript output; in E-Mails.....), there is one right way. Filtering out "invalid" characters on web server level is not really practical - for perfect security, you would have to re-create all those specific sanitation functions in Apache syntax, which is close to impossible.

See also: PHP: the ultimate clean/secure function

神经大条 2024-10-17 04:50:01

如果您想要在 Web 服务器级别进行操作,您可能需要使用 mod_security 之类的东西进行调查。它将有助于减轻一些攻击 - 但最终的防御级别必须在 PHP 本身内完成。总会有一种攻击被 Web 服务器认为“很好”,但却会导致应用程序混乱。无论您如何锁定查询参数以防止注入漏洞,您都会错过一些东西。

那么,当您只需在 PHP 中执行一个简单的 mysql_real_escape_string() 并捕获所有内容时,为什么要浪费数小时/数天的时间来想出完美的 RewriteRule 呢?

You may want to investigate using something like mod_security if you're wanting to things at the web server level. It will help mitigate some attacks - but the ultimate level of defense will have to be done within PHP itself. There will always be an attack that will be considered "just fine" by the web server, but cause chaos in your application. No matter how well you lock down query parameters to prevent injection vulnerabilities, there'll be something you missed.

So why waste hours/days of your time coming up with the perfect RewriteRule when you can just do a simple mysql_real_escape_string() within PHP and catch everything right there?

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文