直接在锚点内使用数据库列名称
我有一个简单的安全问题,但找不到答案。
基本上我想在某一列之后订购一个表。我这样做的方法是使用带有两个额外段的锚。目前,我在其中一个段(我想要订购的列)中使用实际的列名称,但在这里我开始思考。
这是处理的方法吗?对我来说,让人们访问我的一个表中的一些列名似乎确实存在巨大的安全风险。但另一方面,我当然会逃避一切,这样他们就无法做任何事情。不幸的是,我不是万能的,所以我可能会做错事,然后又回到安全风险;)
那么我该怎么做呢?我是否应该使用其他类型的名称,例如数字,稍后将其转换回列名称。还是我的方法没问题?
哦忘了说,我正在使用 codeigniter 进行 php 工作!
I have a simple security question which I just can't find the answer to.
Basically I want to order a table after a certain column. They way I do this is by using an anchor with two extra segments. At the moment I'm using the actual column name in one of the segment, the column I want to order, but here I started thinking.
Is this the way to handle it? Well to me it does seem like a huge security risk by giving people access to some of my column names in one of my tables. But on the other hand I will of course escape everything so they won't get any access to do anything. Unfortunately I'm not almighty so I might do something wrong and I'm back to the security risk ;)
So how do I do this? Should I use other kinds of names, like numbers, which I later convert back to the column name. Or is my way okey?
Oh forgot to say, I'm working in php with codeigniter!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
您可以为此使用白名单: 在 PHP 中创建一个哈希,将 ancor-column-names 映射到 database-column-names:
您也可以使用完全相同的名称,例如“firstname”映射到“firstname”。然后使用 ancor-column-name 从映射哈希中获取数据库列名称。如果 ancor-column-name 没有条目,则返回错误。这样,用户输入就得到验证。
You could use a whitelist for that: Create a hash in PHP which maps the ancor-column-names to the database-column-names:
You could also use exactly the same names, e.g. 'firstname' maps to 'firstname'. Then use the ancor-column-name to get the database-column-name from the mapping hash. If there is no entry for the ancor-column-name, return an error. That way, user-input is validated.
默默无闻的安全并不是安全。
许多网站都使用开源 PHP 应用程序,其中数据库表和列是已知的。我不记得这在攻击网站时很有用。如果你有 SQL 注入问题,你不应该关心你的用户知道你的表结构这一事实,你最好删除 SQL 注入点。
Security by obscurity is no security.
A ton of websites use open source php application which database tables and columns are known. And I don't recall this being very useful during attacks against websites. If you have a SQL injection problem you should not care about the fact your users know your table structures, you better remove the SQL injection point.