CodeIgniter output and input security

Published 2024-12-09 01:59:56

In case of user submitted text, when outputting to the page, what text filter do you use both in input and output?

As I understand it, using $this->input->post('something',true) will clean XSS content from the input data, so there is no other thing to do to be secure? Something like htmlspecialchars(), strip_tags(), etc.?

Also I would like to know, if for example htmlspecialchars() is good to use, why the CI security library doesn't apply htmlspecialchars() by default to the passed string?

Comments (3)

青衫负雪 2024-12-16 01:59:56

You should use the form_validation library. You can do rule based checking and filtering. This is a much more robust way of validating input data.

Here are the built-in rules; any defined function that takes one parameter can also be used as a filter/rule.

required
matches
min_length
max_length
exact_length
greater_than
less_than
alpha
alpha_numeric
alpha_dash
numeric
integer
decimal
is_natural
is_natural_no_zero
valid_email
valid_emails
valid_ip
valid_base64
etc.

春风十里 2024-12-16 01:59:56

Kinda depends on what you're doing with this input, but most likely you're going to want to run the string through htmlspecialchars() also.

情深已缘浅 2024-12-16 01:59:56

To my understanding, you would like to store user-submitted text in a database, and then later display it on a page -- kind of like a basic commenting system or something. You just don't want any naughty/incomplete HTML characters breaking your page when outputting it.

Whenever you have user-submitted data, you want to utilize the form_validation library to clean it up and sanitize it as much as possible as a good security measure. If it goes to your database, you should use Active Record or Query Binding to get additional security from CodeIgniter, such as escaping the strings, etc.

Let me show my solution for submitting and outputting a user's input on a website. There are probably better ways to do this, but this will get the job done.

<?php

/* Controller
 **************************************************/

class Something extends CI_Controller {

    function comments_or_whatever() {
        // Required -> trim value -> max_length of 100 -> strip HTML tags -> remove additional HTML entities missed by strip_tags
        $this->form_validation->set_rules('input_1', 'The First User Input', 'required|trim|max_length[100]|xss_clean|strip_tags|callback__remove_html_entities');
        $this->form_validation->set_rules('input_2', 'The Second User Input', 'trim|exact_length[11]|xss_clean|strip_tags|callback__remove_html_entities');

        if ($this->form_validation->run() == FALSE) {
            // form didn't validate.. try again, display error messages
            $this->load->view('your_view');
        } else {
            $input_1 = $this->input->post('input_1');
            $input_2 = $this->input->post('input_2');

            $submission_array = array(
                'db_field_1' => $input_1,
                'db_field_2' => $input_2
            );
            $this->load->model('comments');
            $result = $this->comments->submit_comments_or_whatever($submission_array);

            if ($result['is_true'] == TRUE) {
                // creates a temporary flash message and redirects to the current page
                // if on a windows server use 'refresh' instead of 'location'
                $this->session->set_flashdata('message', '<div class="message">'.$result['message'].'</div>');
                redirect('something', 'location');
            } else {
                $data['message'] = $result['message'];
                $this->load->view('your_view', $data);
            }
        }
    }

    // Very important to get rid of HTML entities written as HTML number codes such as &#60; (which renders as <). strip_tags does not do this.
    // This is called privately during validation through the callback__remove_html_entities custom callback
    function _remove_html_entities($submission) {
        $submission = preg_replace("/&#?[a-z0-9]{2,8};/i", "", $submission);
        return $submission;
    }
}

/* Model
 ****************************************/
class Comments extends CI_Model {

    function submit_comments_or_whatever($submission_array) {
        // Active Record escapes the strings and does additional security
        $query = $this->db->insert('comments', $submission_array);

        if ($query == TRUE) {
            $data['is_true'] = TRUE;
            $data['message'] = 'Your message has been successfully shared!';
            return $data;
        } else {
            $data['is_true'] = FALSE;
            $data['message'] = 'Sorry, but there was an error dude inserting your message into the database.';
            return $data;
        }
    }
}
?>

<?php /* View -> your_view.php
 ****************************************/ ?>

<?php echo validation_errors('<div class="message">', '</div>'); ?>
<?php echo $this->session->flashdata('message'); ?>
<?php if (!empty($message)) echo '<div class="message">'.$message.'</div>'; ?>

<?php echo form_open('something/comments_or_whatever'); ?>

<?php echo form_label('The First User Input', 'input_1'); ?><br>
<?php $input_1_form = array('name' => 'input_1', 'id' => 'input_1', 'value' => set_value('input_1')); ?>
<?php echo form_input($input_1_form); ?><br>

<?php echo form_label('The Second User Input', 'input_2'); ?><br>
<?php $input_2_form = array('name' => 'input_2', 'id' => 'input_2', 'value' => set_value('input_2')); ?>
<?php echo form_input($input_2_form); ?><br>

<?php echo form_submit('submit', 'Dude, submit my user inputed text!'); ?>
<?php echo form_close(); ?>

This code assumes you autoload the Form Validation, Session, and Database libraries and the Form Helper. Now, all your user-inputted data is stripped to a bare minimum of plain text using a custom regular-expression callback during form validation. All naughty HTML characters are gone/sanitized, completely. You can now be worry-free to output the submitted data anywhere you'd like on a webpage without it breaking or being a security concern.

The problem with just doing htmlspecialchars() and HTML decoding is that it doesn't account for incomplete HTML tags. Hopefully this helps, best of luck dude, and as always, nothing is ever completely secure.
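As an added stand-alone PHP script (not part of any answer here, and not CodeIgniter code), the following runs the third answer's strip_tags plus entity-regex chain and plain htmlspecialchars() output escaping side by side on constructed inputs, so you can see what each does to an unfinished tag, an entity-encoded tag, and ordinary text; strip_on_input and escape_on_output are names chosen for this example.

```php
<?php
// Added example, not from the original answers or from CodeIgniter itself.
// It compares what the third answer's validation chain (strip_tags, then the
// entity-stripping regex from _remove_html_entities) does to a value against
// escaping the untouched value at output time with htmlspecialchars().
// Runs stand-alone with the PHP CLI: php compare_filters.php

// Same transformation as the answer's 'strip_tags|callback__remove_html_entities'.
function strip_on_input(string $s): string
{
    $s = strip_tags($s);
    return preg_replace("/&#?[a-z0-9]{2,8};/i", "", $s);
}

// Escape-on-output: store the raw text, encode it for an HTML text or quoted
// attribute context when rendering. ENT_QUOTES also encodes single quotes;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function escape_on_output(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs covering the cases the answers talk about.
$samples = [
    'incomplete tag'       => 'price <b 100 dollars',
    'entity-encoded tag'   => '&#60;script&#62;alert(1)&#60;/script&#62;',
    'harmless entities'    => 'Fish &amp; chips, &copy; 2024',
    'quotes and ampersand' => 'He said "hi" & \'bye\'',
];

foreach ($samples as $label => $input) {
    echo "== $label ==\n";
    echo "raw input:        $input\n";
    echo "strip on input:   " . strip_on_input($input) . "\n";
    echo "escape on output: " . escape_on_output($input) . "\n\n";
}
```

Rendered inside an HTML text node, every escaped string displays exactly what the user typed (the unfinished <b included) without being parsed as markup, whereas the stripped versions have lost part of the text. htmlspecialchars() covers HTML text and quoted attribute values only; a value placed into a JavaScript string, a URL or a CSS rule needs the encoder for that context.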
