对表单保护(HTML、PHP)感到困惑
这对某人来说太容易了。我刚刚花了 6 个小时阅读,现在我觉得自己真的很愚蠢,但是嘿...我正在学习,所以我想 - 我会问你们!我在这里看到了一些关于其他事情的优秀例子,所以我想......为什么不问呢。我确信我真正想要的只是有点简单......我有一个表单,有人填写数据,我通过 JS 检查它的有效性,我检查 PHP 的有效性,我保护 SQL。一切都很好。不能正常工作的是...如果 PHP 失败并且页面重新加载...我在 HTML 中有以下内容,我相信你们中的一些人熟悉...
<textarea name="comments" maxlength="1024" rows="6" cols="45" wrap="VIRTUAL" id="field_comments" onblur="CheckField(name, 1, 0)"><?php echo $_POST['comments']; ?></textarea>
PHP 输出之前在表单中输入的任何内容事先通过 echo...实际上很简单。它工作得很好,因为我的 JS 和 PHP 用来剥离除 a-zA-Z0-9 等以外的任何内容。我的朋友说我应该允许输入和转义几乎所有内容。好的,没问题。我转义了它,但是当我输入单引号或双引号(测试将奇怪的东西放入字段中)并且它重新绘制它时 - 它保留了转义的东西。例如..我输入
“Dave”然后返回
“Dave”
,如果我再次点击提交..我得到...
\\'Dave\\'等等...
我可以将其返回到只是在表单字段中输入“Dave”而不编写自己的自定义函数来执行此操作?或者我必须这样做吗?
如果您想查看我制作的示例,我有一个示例测试页,显示了我正在修改的内容。
http://newmainpcs.perrycs.com/testForm.php
任何帮助都会很棒!我尝试对它们进行解码并重新编码...我的主网站是 UTF-8 - 该示例并没有真正显示我的主网站,但我编写了这个小 testForm.php 来尝试解决这个问题!哈哈。我可以用 HTML 或 PHP 来完成。 PHP 可能会更容易,因为这就是实际 REAL 验证的核心所在,因为 JS 可以关闭。如果您愿意,我可以给您代码片段。但是,我相信你会明白我想说的。
感谢您的帮助!
大卫·佩里 佩里CS 佩里计算机服务 (曾经是一位了不起的汇编语言程序员......这就是当你 17 年以上不编程时会发生的情况)。哈哈。坚持简单的事情。
this will be so easy for someone. I just spent 6 hours reading and I feel really stupid right now but hey... I'm learning so I thought - I'll ask you guys! I've seen some excellent examples on here for other things so I figured... why not ask. All I really want is kinda simple I'm sure... I have a form, someone fills in data, I check it via JS for validity, I check in PHP for validity, I protect the SQL. That all works fine. What doesn't work fine is... if the PHP fails and the page reloads... I have in the HTML the following which I'm sure some of you are familiar with..
<textarea name="comments" maxlength="1024" rows="6" cols="45" wrap="VIRTUAL" id="field_comments" onblur="CheckField(name, 1, 0)"><?php echo $_POST['comments']; ?></textarea>
The PHP outputs anything previously typed into the form beforehand via the echo... Easy actually. It works great because my JS and PHP USED to strip anything off that wasn't a-zA-Z0-9 etc. My friend says I should allow pretty much anything to be entered and to escape it. Ok, no problem. I escape it but when I put a single quote or double quote (testing putting weird things into the field) and it redraws it - it keeps the escaped stuff. For example.. I enter
'Dave' and I get back
\'Dave\'
and if I hit submit again.. I get...
\\'Dave\\' and so on...
Can I get it back to just 'Dave' in the form field without writing my own custom function to do that? Or is that how I have to do it?
I have a sample test page showing what I was tinkering with if you want to see the example I made.
http://newmainpcs.perrycs.com/testForm.php
Any help would be great! I tried undecoding them the reencoding them... My main website is UTF-8 - the example doesn't really show my main site but I wrote this tiny testForm.php to try and figure this out! lol. I can do it in HTML or PHP. PHP would probably be easier since thats where the heart of the actual REAL validation is since JS can be turned off. I can give you snippits of code if you like. But, I'm sure you'll get what I'm trying to say.
Thank you for your help!
David Perry
PerryCS
Perry Computer Services
(used to be an amazing assembly language programmer... this is what happens when you don't program for 17+ years). lol. Stuck on the simple things.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
您要么激活了
magic_quotes,要么使用addslashes转义太多。请改用数据库层的引用功能,即mysqli_escape_string。PHP 5.4 终于摆脱了魔术引号 - 你也应该这样做:)
我认为你的问题是你做了太多的事情来确保你的应用程序安全。
您基本上只需要:
htmlspecialchars($row_from_database)这样,您就可以安全地抵御 SQL 注入 (#1) 和 XSS (#2)。
魔术引号尝试为那些不关心转义输入的人进行#1 中的转义,但这只是半心半意的(魔术引号!= 数据库层引用) - 它可以被利用,尽管它比没有魔术引号更难。
将它们删除
为 http://www.php.net/manual/en/ security.magicquotes.what.php 指出,
首先,使用
get_magic_quotes_gpc()检查它们是否处于活动状态。 true 表示您的输入已被转义。然后对您正在使用的输入变量运行
stripslashes()。You have either have
magic_quotesactivated, or you escape too much withaddslashes. Use your database layer's quoting functionality instead, i.e.mysqli_escape_string.PHP 5.4 finally got rid of magic quotes - something that you should do, too :)
I think your problem is that you are doing too many things to make your application safe.
You basically only need to:
htmlspecialchars($row_from_database)With that, you're safe against SQL Injection (#1) and XSS (#2).
Magic quotes try to do the escaping in #1 for people who don't care about escaping input, but that's only half-hearted (magic quotes != db layer quoting) - it can be exploited, even though it's harder than without magic quotes.
removing them
As http://www.php.net/manual/en/security.magicquotes.what.php states,
First, check if the are active with
get_magic_quotes_gpc(). A true indicates your input has been escaped already.Then run
stripslashes()on the input variables you're working with.当您将文本输出到 HTML 流的中间时,您必须小心地根据该文本在该 HTML 流中的确切输出位置对该文本进行编码。
对于在 HTML 属性中输出的文本,您需要一种编码函数(例如,将
"替换为\"等)。对于作为 HTML 元素的文本内容输出的文本,您需要另一个编码函数(例如,将<替换为<等)。When you output text into the middle of an HTML stream, you have to be careful to encode that text according to where exactly it is being outputted within that HTML stream.
For text being outputted within an HTML attribute, you need one encoding function (e.g. replacing
"with\"etc). For text being outputted as the text content of an HTML element, you need another encoding function (e.g., replacing<with<etc).要保护 SQL 中的输入,请使用 SQL 转义函数,例如 mysql_real_escape_string。
当您想要保护输入免受 XSS 影响(以 HTML 重新显示输入时),请使用 htmlentities()。
另外,请使用 phpinfo() 检查服务器上是否启用了 gpc_magic_quotes。如果是这样,请在 php.ini 文件中禁用它。
To protect input in SQL, use an SQL escaping function like mysql_real_escape_string.
When you want to protect input against XSS (when redisplaying it in HTML), use htmlentities().
Also, check to see if you have gpc_magic_quotes enabled on your server using phpinfo(). If so, disable it in your php.ini file.
一些基本代码:
然后在 HTML 中:
Some basic code:
And then in your HTML: