OOP security/validation inside the method or outside?
I have a class that is used to insert data into the database, and the information passed to this class's methods must be escaped and validated. What is the best practice for validating and escaping data? Should it be done inside the method's implementation, or should it be done in the script file that is using the class, so that the information is valid and secured before moving on to the class? I have done it both ways in the past and have always wondered which way it was that most people did it. (I code in PHP if it matters, but it seems more like a general programming practices question to me.)
Thank you!
This somewhat depends on the type of architecture you have with regards to your data processing, but...
In general, classes which insert data into the database (let's call them persistence classes) should perform SQL escaping. If the values must be of specific types (e.g. VARCHAR, INT), it could also validate those, or leave it up to the database to throw an error for incorrect data types.
For more specific validation, it would probably be a good idea to include it in your domain models or other code which processes the immediate inputs (e.g. GET and POST).
If you use domain model objects, they should contain a method that can be used to make sure they are valid, or alternatively they should not accept data that is not valid as per the requirements of the model. The persistence class could then simply deal with the domain objects, or through the domain object's repository.
In a simpler scenario where you only have a script with fewer separate layers, the validation of data should probably be done before the script hands the data over to the persistence class. (In PoEAA this is probably closest to the transaction script pattern, if you're curious.)
I think data should be validated before you pass it to a persistence method.
Escaping should be part of the persistence method's implementation, using prepared statements.
Security issues of authentication and authorization are cross-cutting concerns. These belong in aspects if your language supports them.
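Putting both answers together (validation in the domain model before the data reaches the persistence class, and parameterised SQL inside it so no hand escaping is needed), here is an added example that is not part of the question or either answer. It assumes PHP 8.1+ with PDO and the SQLite driver so it runs offline against an in-memory database; the `User` and `UserRepository` classes, the table layout, the validation rules and the sample inputs are all constructed for this illustration.

```php
<?php
// Added example, not code from the original question or answers.
// Assumes PHP 8.1+ with PDO and pdo_sqlite; all names below are hypothetical.

declare(strict_types=1);

// Domain model: refuses to exist in an invalid state, so the persistence class
// never sees data that fails the model's requirements (first answer).
final class User
{
    public readonly string $username;
    public readonly string $email;

    public function __construct(string $username, string $email)
    {
        // Validation rules are constructed for this example.
        if (!preg_match('/^[a-z0-9_]{3,20}$/', $username)) {
            throw new InvalidArgumentException('username must be 3-20 chars of [a-z0-9_]');
        }
        if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || strlen($email) > 254) {
            throw new InvalidArgumentException('email is not a valid address');
        }
        $this->username = $username;
        $this->email = $email;
    }
}

// Persistence class: accepts only domain objects and owns the SQL concern.
// Nothing is escaped by hand; prepared statements keep values out of the query
// text, so the database stores whatever the validated object carries verbatim.
final class UserRepository
{
    public function __construct(private PDO $pdo)
    {
        $this->pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $this->pdo->exec(
            'CREATE TABLE IF NOT EXISTS users ('
            . 'id INTEGER PRIMARY KEY AUTOINCREMENT, '
            . 'username VARCHAR(20) NOT NULL UNIQUE, '
            . 'email VARCHAR(254) NOT NULL)'
        );
    }

    public function insert(User $user): int
    {
        $stmt = $this->pdo->prepare(
            'INSERT INTO users (username, email) VALUES (:username, :email)'
        );
        $stmt->bindValue(':username', $user->username, PDO::PARAM_STR);
        $stmt->bindValue(':email', $user->email, PDO::PARAM_STR);
        $stmt->execute();
        return (int) $this->pdo->lastInsertId();
    }

    public function findByUsername(string $username): ?array
    {
        $stmt = $this->pdo->prepare(
            'SELECT id, username, email FROM users WHERE username = :u'
        );
        $stmt->execute([':u' => $username]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    }
}

// "Script" layer (the transaction-script style of the first answer): raw input
// is turned into domain objects here, so validation failures surface before
// the persistence class is involved at all.
$repo = new UserRepository(new PDO('sqlite::memory:'));

$rawInputs = [ // constructed sample input, as if taken from $_POST
    ['username' => 'alice_01', 'email' => 'alice@example.com'],
    ['username' => "bob'; DROP TABLE users;--", 'email' => 'bob@example.com'],
    ['username' => 'carol', 'email' => "carol@example.com' OR '1'='1"],
];

foreach ($rawInputs as $input) {
    try {
        $id = $repo->insert(new User($input['username'], $input['email']));
        echo "inserted id=$id\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected {$input['username']}: {$e->getMessage()}\n";
    }
}

// Only the valid record made it through; the table still exists and the
// lookup itself is parameterised too.
var_dump($repo->findByUsername('alice_01') !== null);
```

Running the script inserts the first record and rejects the other two at the `User` constructor, so the repository's `insert()` is never called with them. Even if a validation rule were loosened later, the bound parameters mean the values would be stored as data rather than interpreted as SQL, which is the defence-in-depth the second answer is describing when it puts escaping inside the persistence method.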