使用 utf-8 字符转义 shell/数据库
转义字符的首选顺序是什么?
例如在 PHP 环境中:
1) shell ->数据库 = 返回 escapeshellcmd(mysqli_real_escape_string($string));?
2)数据库-> shell = 返回 mysqli_real_escape_string(escapeshellcmd($string));?
3)完全没有区别吗?
更新
只是为了澄清一下,我目前正在尝试修复的网站包含许多旧的、已弃用的功能,使用 magic_quotes,并且在从旧主机转移到出现问题的当前主机后基本上无法使用。
第一个问题是 MySQL 转义,我用 mysql_real_escape_string(); 修复了这个问题,但是,CLI/Socket MySQL 连接环境的问题仍然存在。也就是说,当您在 textarea 内有一个引用 UNIX 命令的值(前面带有 / - 正斜杠符号)并将其发布时 - Apache 将导致 501 方法未实施。
所以是的,我必须转义 mysql 和转义 shell 命令。但是,shell 命令转义(以原始问题中的第 1 号示例)导致 UTF-8 字符制动并丢失大量所需的 HTML 符号。
需要转义的内容来自 WYSIWYG 编辑器 (SPAW),因此它包含大量引号,并且时不时包含一个 UNIX 命令,类似于我们的国家 - 拉脱维亚 - 货币。 “/ls”,其中 LS 是货币。
该网站是由客户自己更新的,而不是由技术人员更新的,而且必须保持这种状态——我的意思是,我们不能接管内容编辑。另外,虽然我们可以告诉他们不要使用 /ls,但 UNIX 问题仍然存在,例如,如果他们意外地访问了 /mkdir 可能类似于某物标识符的内容。
他们是一家活跃的旅游公司,因此需要尽快解决这个问题。由于我们接管了他们的网站,他们知道系统已损坏,但他们目前没有闲钱来花在新网站/修复当前网站上。我们得出的结论是修复它会更困难,因此比转移到我们的 CMS 更昂贵,但钱仍然是钱。
那么,如何从这个所见即所得编辑器的文本区域(这是一个字符串)转义 shell 和数据库命令,同时保留拉脱维亚字母的 UTF-8 编码 - ā、š、č、ž< /code> 等?
也许我不必同时逃避两者,这就是我问的原因。
提前致谢!
根据 Shrapnels 的请求更新
,一个示例字符串(从 SPAW 的 HTML 视图复制)将导致 Apache 响应 501:
<div>
<span style="color: rgb(0, 0, 128); " class="Apple-style-span">
<span style="font-size: 12px; " class="Apple-style-span">
/ls
</span>
</span>
</div>
SPAW 自动添加所有这些哑元素,是的,如果 / 是在字符串内,501!
这就是停止所需的全部内容,只是一个引用 UNIX 命令行函数的命名空间。就像本例中的 /ls 一样,但也可以是 /rmdir、/mkdir 等。您可以在没有 的情况下拥有 20000 个符号内容。 /ls 就可以了。一旦出现这样的事情——嘭,死了!
最初有一个函数旨在清除所有错误(至少我是这样认为的,它的原始名称是 - removeShit();):
$string = $_POST['wysiwyg_textarea']; // SPAW text area
function removeStuff($string){
return str_replace('/wysiwyg/empty.html', '', $txt);
}
文件 /wysiwyg/empty.html< /code> 是 0 字节 - 完全空的文件。
但这并不能解决 mysql 转义和/或 UNIX shell 命令识别问题。因此,我需要修复来逃避 UNIX 命令和任何 MySQL 有害的东西。
所以,我试图这样做:
return escapeshellcmd(mysqli_real_escape_string($string));
但这一个删除了所有 utf-8 字符,另外,所有新行符号都转换为简单的字符串“rn”,我猜 \r\n。
现在我正在寻找一个函数来逃避 MySQL 和 Shell cmd,因为我想不出另一种方法来解决所有这些混乱。
What is the preferred order for escaping characters?
For instance in PHP environment:
1) shell -> database = return escapeshellcmd(mysqli_real_escape_string($string));?
2) database -> shell = return mysqli_real_escape_string(escapeshellcmd($string));?
3) No difference at all?
Update
Just to clarify, the website I'm currently trying to fix, contains a lot of old, deprecated functions, uses magic_quotes and is basicly, unusable after the transfer from old host to current one, where the problems arose.
First problem was MySQL escaping, that I fixed with mysql_real_escape_string();, but, still the problem with CLI/Socket MySQL connection environment persists. That is, when you have a value inside a textarea that refers to a UNIX command, preceded by a / - forward slash symbol and you post it- Apache results in 501 Method Not Implemented.
So yes, I have to escape mysql, and escape shell commands. But, the shell command escaping (with example no. 1 from original question) resulted in UTF-8 character braking and losing lots of needed HTML symbols.
The content that needs to be escaped comes out of an WYSIWYG editor (SPAW), therefore it contains lot of quotes and from time to time a UNIX command, that resembles our nations - Latvia - currency. "/ls", where LS is the currency.
The website is updated by client itself, not a tech person and it has to stay that way- I mean, we cannot take over the content editing. Plus, while we could tell them not to use /ls the UNIX problem persists if, for example, they accidentally get to /mkdir what could resemble an identificator of something.
They are an active travel company, therefore this needs to be fixed ASAP. Since we overtook their website, they are aware that the system is broken, but they don't have free money at the moment to spend on a new website/fixing current one. Where we have made a conclusion that fixing it would be harder, therefore more expensive than to move over to our CMS, but money is still money.
So, how do I escape shell and database commands from this WYSIWYG editor's textarea, that is a single string, but, while preserving UTF-8 encoding of our Latvian alphabet letters - ā, š, č, ž etc.?
Maybe I don't have to escape both, that's why I'm asking.
Thanks in advance!
Update
On Shrapnels' request, an example string (copied from SPAW's HTML view) that would cause Apache to respond with 501:
<div>
<span style="color: rgb(0, 0, 128); " class="Apple-style-span">
<span style="font-size: 12px; " class="Apple-style-span">
/ls
</span>
</span>
</div>
SPAW automatically adds all these dumb elements, and yes, if /<command> is inside the string, 501!
And that's all what it takes to halt, just a namespace referring to a UNIX command line function. Like in this case /ls, but could be /rmdir, /mkdir etc. You could have 20000 symbol stuff there with no /ls and it'll work. Once there is something like this - bam, dead!
There was originally a function that was meant to clear all the errors (at least I suppose so, it's original name was - removeShit();):
$string = $_POST['wysiwyg_textarea']; // SPAW text area
function removeStuff($string){
return str_replace('/wysiwyg/empty.html', '', $txt);
}
The file /wysiwyg/empty.html is 0 bytes- completely empty file.
But this doesn't cure the mysql escaping and/or UNIX shell command recognition. Therefore, I need a fix to escape the UNIX commands and any MySQL harmful stuff.
So, I was trying to do it with:
return escapeshellcmd(mysqli_real_escape_string($string));
But this one strap out all the utf-8 characters, plus, all the new line symbols got converted to simple string "rn" from, I'd guess \r\n.
And now I'm looking for a function to escape MySQL and Shell cmd`s in one, because I cannot think of another way how to cure all this mess.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
两者都不。
使用
escapeshellcmd()或mysqli_real_escape_string(),具体取决于您计划对$string执行的操作。切勿同时使用两者。这没有意义。
Neither.
Use either
escapeshellcmd()ormysqli_real_escape_string(), depending on what you are planning to do with$string.Never use both at the same time. It wouldn't make sense.