Using a MySQL trigger to replace input
Is it possible to create a trigger that, upon inserting or updating a row, can use the REPLACE function to replace characters with their escaped equivalents (specifically, making input html safe) for all the columns in the table without having to know all the field names (so that this function can be applied to multiple tables)? I agree 115% that this sort of thing should always be done at the application level, but due to unique circumstances I'd like to add this as a failsafe at the database level.
I'm very new to triggers, so take it easy on me, but I want to do something to the effect of:
```sql
-- pseudocode: NEW.* is only writable in a BEFORE trigger, and an INSERT has no OLD row
create trigger if not exists makeHTMLsafe before insert on tablename
begin
  loop over all columns in tablename
    NEW.value = REPLACE(NEW.value, '<', '&lt;')
end
```
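As an added example (not code from the question or the answer), here is what the closest working MySQL version of that idea looks like for one hypothetical table named `comments` with constructed columns `author` and `body`. MySQL triggers cannot enumerate a table's columns at run time, so each column has to be named explicitly and the trigger has to be written once per table; the example also shows the two details the pseudocode gets wrong: the trigger must be BEFORE INSERT for `NEW.*` to be writable, and `&` has to be replaced before the other characters or the `&` inside `&lt;` would be escaped again.

```sql
-- Added example, not from the original post. Table and column names are constructed.
CREATE TABLE IF NOT EXISTS comments (
  id     INT AUTO_INCREMENT PRIMARY KEY,
  author VARCHAR(100) NOT NULL,
  body   TEXT NOT NULL
);

DELIMITER $$

-- BEFORE, not AFTER: only a BEFORE trigger may assign to NEW.*
CREATE TRIGGER comments_html_escape_bi
BEFORE INSERT ON comments
FOR EACH ROW
BEGIN
  -- '&' is escaped first; every later replacement introduces an '&' that
  -- must not be touched again. Each column has to be listed by name.
  SET NEW.author = REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(
      NEW.author, '&', '&amp;'), '<', '&lt;'), '>', '&gt;'),
      '"', '&quot;'), '''', '&#39;');
  SET NEW.body = REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(
      NEW.body, '&', '&amp;'), '<', '&lt;'), '>', '&gt;'),
      '"', '&quot;'), '''', '&#39;');
END$$

DELIMITER ;

-- Constructed check input: the stored row should contain entities, not raw markup.
INSERT INTO comments (author, body)
VALUES ('example author', '<script>alert(1)</script> & "quotes"');

SELECT author, body FROM comments WHERE author = 'example author';
```

Two caveats follow directly from writing it out. A matching BEFORE UPDATE trigger would re-escape values that are already stored escaped whenever a row is rewritten, so `&lt;` becomes `&amp;lt;` after the first update unless the application always sends raw text. And because the escaping happens at storage time, every other consumer of the table (a JSON API, a CSV export, a plain-text email) receives HTML entities instead of the original characters, which is the practical reason the answer below recommends escaping at output time in the front-end instead.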
Escaping is complicated and error-prone.
You should never try to roll your own escaping function; it is just too risky.
Instead of making things more secure you will make them far less secure.
Use the specialized html escaping functions in your front-end.
When using php, htmlentities is your best bet: http://php.net/manual/en/function.htmlentities.php
See also: What are the best practices for avoiding xss attacks in a PHP site