验证代码语言的 PHP 函数
我有一个带有 2 个文本区域的表单;第一个允许用户发送 HTML 代码,第二个允许用户发送 CSS 代码。我必须使用 PHP 函数验证语言是否正确。
如果语言正确,为了安全起见,我必须检查是否存在 PHP 代码或 SQL 注入或其他任何内容。
你怎么认为 ?有办法做到这一点吗? 哪里可以找到这种功能呢?
“HTML Purifier”http://htmlpurifier.org/ 是一个好的解决方案吗?
I have a form with 2 textareas; the first one allows user to send HTML Code, the second allows to send CSS Code. I have to verify with a PHP function, if the language is correct.
If the language is correct, for security, i have to check that there is not PHP code or SQL Injection or whatever.
What do you think ? Is there a way to do that ?
Where can I find this kind of function ?
Is "HTML Purifier" http://htmlpurifier.org/ a good solution ?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(6)
如果您必须验证将它们插入数据库的日期 - 那么您只需在将它们插入数据库之前使用 mysql_real_escape_string() 函数。
如果您想将数据以纯文本形式输出给最终用户,那么您必须通过 htmlspecialchars() 转义所有 html 敏感字符。如果你想将其输出为 HTML,则必须使用 HTML Purify 工具。
If you have to validate the date to insert them in to database - then you just have to use mysql_real_escape_string() function before inserting them in to db.
If you want to output the data to the end user as plain text - then you have to escape all html sensitive chars by htmlspecialchars(). If you want to output it as HTML, the you have to use HTML Purify tool.
对于原始的东西,您可以使用正则表达式,但应该注意的是,建议使用解析器来完全穷尽所有可能性。
示例:http://regexr.com?2t3e5(更改
<在表达式中返回<,它将起作用(由于某种原因,rexpr 将其更改为 html 格式))编辑
这可能更好,因此他们不能将 php 放置在文档的结尾(因为 PHP 实际上不需要终止字符)
for something primitive you can use regex, BUT it should be noted using a parser to fully-exhaust all possibilities is recommended.
Example: http://regexr.com?2t3e5 (change the
<in the expression back to a<and it will work (for some reason rexepr changes it to html formatting))EDIT
That's probably better so they can't place php at the end of the document (as PHP doesn't actually require a terminating character)
用于 Javascript 的 SHJS 语法突出显示 包含包含正则表达式的文件 http://shjs.sourceforge.net/lang/ 对于突出显示的语言 - 您可以检查 SHJS 如何解析代码。
SHJS syntax highlighter for Javascript have files with regular expressions http://shjs.sourceforge.net/lang/ for languages that highlights — You can check how SHJS parse code.
HTMLPurifier 是推荐的用于清理 HTML 的工具。幸运的是,它还包含 CSSTidy 并且还可以清理 CSS。
你的问题是基于错误的前提。虽然 HTML 可以被清理,但这并不能防范其他可利用性。 PHP“标签”最有可能被过滤掉。如果您正在做其他奇怪的事情(部分包含或评估内容),那没有真正的帮助。
并且只能通过仔细使用正确的数据库转义函数来防止 SQL 漏洞。对此没有什么神奇的解决方案。
HTMLPurifier is the recommended tool for cleaning up HTML. And as luck has it, it also incudes CSSTidy and can sanitize CSS as well.
You are basing your question on a wrong premise. While HTML can be cleaned, this is no safeguard against other exploitabilies. PHP "tags" are most likely to be filtered out. If you are doing something other weird (include-ing or eval-ing the content partially), that's no real help.
And SQL exploits can only be prevented by meticously using the proper database escape functions. There is no magic solution to that.
是的。 htmlpurifier 是一个很好的工具,可以删除恶意脚本并验证 HTML。
但不要认为它可以使用 CSS。显然它也可以使用 CSS。谢谢布里迪斯。Yes. htmlpurifier is a good tool to remove malicious scripts and validate your HTML.
Don't think it does CSS though.Apparently it works with CSS too. Thanks Briedis.好的,谢谢大家。
事实上,我意识到我需要人类的认可。用户可以发布 HTML + CSS,我可以在 PHP 中验证语言和 CSS。语法是正确的,但它并不能避免人们发布 iframe、html 重定向或占据整个屏幕的大黑色 div。
:-)
Ok thanks you all.
actually, i realize that I needed a human validation. Users can post HTML + CSS, I can verify in PHP that the langage & the syntax are correct, but it doesn't avoid people to post iframe, html redirection, or big black div that take all the screen.
:-)