过滤用户数据的最佳方法(xss和sql注入)

发布于 2024-10-30 10:53:12 字数 106 浏览 3 评论 0 原文

我读了很多关于过滤我的网站从用户那里获得的数据的内容,以确保网站在 sql 注入和 xss 中的安全。 。 。 但我在 php 中看到了很多函数,所以我无法决定要做什么。 。 。 请帮助我使它更安全

I read a lot about filtering data which my web site get from user to make web site secure in sql injenction and xss . . .
but I saw a lot function in php so I can't make decide what to do . . .
please help me make it more secure

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

昵称有卵用 2024-11-06 10:53:12

您在这里问了几个问题,所以我将尝试将其分解:

SQL 注入

问题

当您将用户输入直接传递到数据库时,可能会发生这种情况,如下所示:

$query = "SELECT * FROM Table WHERE field = " . $_POST['field'];
$result = mysql_query($query);

用户可以将他们想要的任何内容放入“字段” ' 表单上的字段,数据库将执行它。这意味着用户可以输入恶意字符串,该字符串会提前终止您的预期查询,然后运行自己的查询。

解决方案

不要直接使用用户输入构建查询。相反,您应该考虑使用准备好的语句(这通常使用 PDO< /a> 库)。准备好的语句可以采用多种形式,但它们都涉及在实际查询字符串中使用占位符来告诉数据库将稍后传入的其他数据粘贴到哪里。这样数据库就可以处理任何适当的转义。代码看起来有点像这样:

$statement = $db->prepare("SELECT * FROM Table WHERE field = :field");
$statement->bindValue(":field", $_GET['field']);
$statement->execute();

在本例中,:field 表示稍后由 bindValue 提供的值的占位符。 PDO 将根据需要处理转义。

也就是说,您仍然应该根据需要清理任何用户数据。

XSS

问题

跨站脚本攻击(XSS)是在未经过滤的用户输入直接传回浏览器时发生的。如果用户输入 JavaScript 命令,这些命令可能会在另一个用户浏览器中执行,从而可能允许原始黑客访问该用户的凭据。

解决方案

我不会在这里详细讨论,而是简单地说,可以通过在您设置的任何 cookie 上设置 HttpOnly 标志来避免这种情况,这样它们就无法在 JavaScript 中访问(恶意或其他方式),并且永远不会, 曾经向用户回显未经处理的输入。

清理用户输入

PHP 内置了一些很好的功能,可以清理多种形式的用户输入。我只是建议您查看 filter_var 函数 以及它可以应用的各种过滤器

永远不要只是将用户输入回显给用户。您应该尽力验证您的输入并拒绝任何不符合要求的内容,但是对于需要显示给用户的输入,请始终使用类似 htmlentities()。对于更重但更彻底的选项,您可以查看 HTML Purifier 库。

希望这能让您朝着正确的方向开始。

You're asking a couple questions here, so I'll try to break it down:

SQL Injection

Problem

This can occur when you pass user input directly to the database, something like this:

$query = "SELECT * FROM Table WHERE field = " . $_POST['field'];
$result = mysql_query($query);

The user can put whatever they want into the 'field' field on the form, and the database will execute it. This means a user could enter a malicious string which prematurely terminates your intended query and then runs a query of their own.

Solution

Don't directly construct your queries with user input. Instead, you should look into using prepared statements (This is typically handled with the PDO library). Prepared statements can take several forms, but they all involve using placeholders in the actual query string to tell the database where to stick other data you'll pass in later. That way the database can handle any appropriate escaping itself. The code would look a bit like this:

$statement = $db->prepare("SELECT * FROM Table WHERE field = :field");
$statement->bindValue(":field", $_GET['field']);
$statement->execute();

In this case, :field indicates the placeholder for the value later supplied by bindValue. PDO will take care of the escaping as needed.

That said, you should still sanitize any user data as needed.

XSS

Problem

Cross-Site Scripting, or XSS, occurs when unsanitized user input is passed directly back to the browser. If the user entered JavaScript commands, these commands could be executed in another users browser, possibly allowing the original hacker to gain access to that users credentials.

Solution

Rather than going into a lot of detail here, I'll simply say that this can be avoided by setting the HttpOnly flag on any cookies you set, so that they cannot be accessed in JavaScript (malicious or otherwise), and by never, ever echoing back unsanitized inputs to a user.

Sanitizing User Inputs

PHP has some nice features built in for sanitizing many forms of user input. I'll simply recommend that you check out the filter_var function and the various filters it can apply.

Never just echo user input back to the user. You should do your best to validate your inputs and reject anything that doesn't conform, but for inputs you need to display back to the user, always use something like htmlentities(). For a heavier but much more thorough option, you can take a look at the HTML Purifier library.

Hope that gets you started in the right direction.

岁吢 2024-11-06 10:53:12

假设您正在运行 MySQL,大多数 SQL 注入都可以使用 mysql_real_escape_string() 来阻止。其他数据库系统也有类似的功能。

保护您的网站免受 XSS 攻击更为复杂。防止 javascript 代码注入的最简单方法是使用 strip_tags() 剥离所有 HTML 标记,但这也会阻止使用像 这样的无害标记,尽管它们如果需要,可以将其列入白名单。

Most SQL injections can be prevented with mysql_real_escape_string(), assuming you're running MySQL. Other database systems also have similar functions.

Protecting your site from XSS attacks is more complicated. The simplest way to prevent javascript code injection is stripping away all HTML tags with strip_tags(), but that will prevent using harmless tags like <b> as well, though they can be whitelisted if needed.

音盲 2024-11-06 10:53:12

我能给你的唯一通用建议是学习:

  • 准备好的语句以避免SQL注入
  • StackOverflow 等自定义标记语言用于避免 XSS 攻击

  • The only generic advice I can give you is to learn:

  • Prepared statements to avoid SQL injections
  • A custom markup languages like StackOverflow is using to avoid XSS attacks

  • ~没有更多了~
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文