PHP function to prevent SQL injection and XSS

Posted 2024-11-26 16:06:24


I am trying to make my PHP as secure as possible, and the two main things I am trying to avoid are

  • mySQL Injections
  • Cross-Site Scripting (XSS)

This is the script I got against mySQL Injections:

function make_safe($variable) {
    // requires an open mysql_* connection (mysql extension, removed in PHP 7)
    $variable = mysql_real_escape_string(trim($variable));
    return $variable;
}

http://www.addedbytes.com/writing-secure-php/writing-secure-php-1/

Against XSS, I found this:

$username = strip_tags($_POST['username']);

Now I want to unite the two into a single function. Would this be the best way to do so? :

function make_safe($variable) {
    $variable = strip_tags(mysql_real_escape_string(trim($variable)));
    return $variable;
}

Or does the mysql_real_escape_string already prevent XSS? And lastly, is there anything else that I could add into this function to prevent other forms of hacking?


Comments (3)

优雅的叶子 2024-12-03 16:06:24


mysql_real_escape_string() doesn't prevent XSS. It will only make it impossible to do SQL injections.

To fight XSS, you need to use htmlspecialchars() or strip_tags(). The 1st will convert special chars like < to &lt;, which will show up as < but won't be executed. The 2nd just strips all tags out.

I don't recommend making a special function to do it, or even making one function to do it all, but your given example would work. I assume.

醉生梦死 2024-12-03 16:06:24


This function:

function make_safe($variable) 
{
   $variable = strip_tags(mysql_real_escape_string(trim($variable)));
   return $variable; 
}

Will not work

SQL injection and XSS are two different beasts. Because they each require different escaping, you need to use each escape function, strip_tags and mysql_real_escape_string, separately.
Joining them up will defeat the security of each.

Use the standard mysql_real_escape_string() when inputting data into the database.
Use strip_tags() when querying stuff out of the database before outputting them to the screen.

Why combining the two functions is dangerous
From the horse's mouth: http://php.net/manual/en/function.strip-tags.php

Because strip_tags() does not actually validate the HTML, partial or broken tags can result in the removal of more text/data than expected.

So by inputting malformed html into a database field a smart attacker can use your naive implementation to defeat mysql_real_escape_string() in your combo.

缪败 2024-12-03 16:06:24


What you should really be looking into is using prepared statements and PDO to both provide an abstraction layer against your database as well as completely eradicate SQL injection attacks.

As for XSS, just make sure to never trust user input. Either run strip_tags or htmlentities when you store the data, or when you output it (not both as this will mess with your output), and you'll be all right.
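The second and third answers point at the same fix: treat the database and the HTML page as two separate boundaries, parameterise the query instead of escaping the SQL, and escape for HTML only at output time. The script below is an added example, not code from the question or from either answer. It assumes PHP 8 with the pdo_sqlite extension (an in-memory SQLite database stands in for MySQL so it runs offline); the function names storeUsername, findUser and renderUsername are made up for the illustration. It also shows the strip_tags() pitfall the second answer quotes from the manual: an unclosed tag swallows the rest of the string.

```php
<?php
// Added example, not code from the question or the answers above.
// Assumptions: PHP 8 with pdo_sqlite; an in-memory SQLite database stands in
// for MySQL. Function names below are hypothetical, chosen for this example.

declare(strict_types=1);

// Layer 1: the database boundary. A prepared statement sends the SQL text and
// the parameter values separately, so no escaping of the data is needed and
// a quote in the input cannot change the query's structure.
function openDatabase(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
    return $db;
}

function storeUsername(PDO $db, string $username): void
{
    // Only trim here. Do not strip tags or HTML-escape before storing:
    // the value is kept verbatim and escaped for whatever context reads it.
    $stmt = $db->prepare('INSERT INTO users (username) VALUES (:username)');
    $stmt->execute([':username' => trim($username)]);
}

function findUser(PDO $db, string $username): ?string
{
    $stmt = $db->prepare('SELECT username FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['username'];
}

// Layer 2: the HTML boundary. Escape at output time for the HTML text
// context; ENT_QUOTES also covers attribute values, ENT_SUBSTITUTE replaces
// invalid UTF-8 instead of returning an empty string.
function renderUsername(string $username): string
{
    return '<span class="user">'
        . htmlspecialchars($username, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</span>';
}

$db = openDatabase();

// Constructed test input: a single quote (relevant to SQL) and a tag
// (relevant to HTML) in the same value.
$input = "O'Reilly <b>bold</b>";
storeUsername($db, $input);

// The value round-trips through the database unchanged: the quote neither
// broke the query nor was mangled by escaping.
var_dump(findUser($db, $input) === $input);

// The same value rendered for a page: the tag becomes inert text.
echo renderUsername($input), PHP_EOL;

// The strip_tags() pitfall from the manual: with an unclosed '<', everything
// after it is discarded, so legitimate data is lost. Escaping keeps it all.
$broken = 'Hello <world and everything after';
echo var_export(strip_tags($broken), true), PHP_EOL;
echo renderUsername($broken), PHP_EOL;
```

Run it with `php example.php`. The design choice is that nothing is "made safe" on the way in: the database receives the raw value through a bound parameter, and each output context (here HTML) applies its own escaping when the value leaves. Swapping the DSN for a MySQL one (`mysql:host=...;dbname=...`) changes nothing else in the code, since prepared statements and named parameters are the PDO interface rather than a driver detail.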
