当前位置: 文江博客话题详情

清理 PHP/SQL $_POST、$_GET 等...?

发布于 2024-12-20 05:40:31 字数 549 浏览 4 评论 0原文

好吧,这个主题是一个温床,我明白这一点。我还了解这种情况取决于您使用的代码。我有三种情况需要解决。

  1. 我有一个表单,我们需要允许人们使用逗号、波形符等发表评论和声明……但仍然免受攻击。

  2. 我有人用英语输入这样的日期:10/13/11 mm/dd/yy,这可以清理吗?

  3. 我如何理解如何正确使用 htmlspecialchars()htmlentities()real_escape_string()?我已经阅读了 php.net 网站和这里的一些帖子,但在我看来,这一切都取决于阅读问题的人的正确答案是什么。

我真的无法接受......必须有一个答案,其中可以净化与我在这里发布的文本格式类似的文本格式。我想知道这是否可能以及如何可能。

谢谢...因为在我看来,当在其他地方问这个问题时,它往往会让人烦恼...我正在学习我需要知道的东西,但我认为我已经在没有示例的情况下达到了我所能知道的水平它的目的是......

提前致谢。

原文

Ok, this subject is a hotbed I understand that. I also understand that this situation is dependent on what you are using as code. I have three situations that need to be resolved.

  1. I have a form in where we need to allow people to make comments and statements that use commas, tildes, etc... but still remain safe from attacks.

  2. I have people entering in dates like this: 10/13/11 mm/dd/yy in English, can this be sanitized?

  3. How do I understand how to use htmlspecialchars(), htmlentities() and real_escape_string() correctly? I've read the php.net site and some posts here but this seems to me to be a situation in where it all depends on the person reading the question what the right answer is.

I really can't accept that... there has to be an answer wherein text formats similar to that which I am posting here can be sanitized. I'd like to know if and how it is possible.

Thanks... because it seems to me that when asking this question in other places it tends to annoy... I am learning what I need to know but I think I have hit a plateau in what I can know without an example of what it is meant to do...

Thanks in advance.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

回眸一遍 2024-12-27 05:40:31

这是一个非常重要的问题,实际上它以编码的形式有一个简单的答案。您面临的问题是您同时使用多种语言。首先使用 HTML,然后使用 PHP,几秒钟后使用 SQL。所有这些语言都有自己的语法规则。

要记住的是:字符串应该始终采用正确的编码。

让我们举个例子。您有一个 HTML 表单,用户在其中输入以下字符串:

Ially <3 dogs & cats ;')

按提交按钮后,该字符串将被发送到您的 PHP 脚本。假设这是通过 GET 完成的。它被附加到 URL,该 URL 有自己的语法(例如 & 字符具有特殊含义),因此我们正在更改语言。这意味着必须将字符串转换为正确的 URL 编码。在这种情况下,浏览器会执行此操作,但 PHP 也有一个 urlencode 函数来执行此操作。

在 PHP 脚本中,字符串存储在 $_GET 中,编码为 PHP 字符串。只要您编写 PHP 代码,就完全没问题。但现在让我们将该字符串用于 SQL 查询。我们改变了语言和语法规则,因此必须通过mysql_real_escape_string函数将字符串编码为SQL。

在另一端,我们可能想再次将字符串显示给用户。我们从数据库中检索该字符串,并将其作为 PHP 字符串返回给我们。当我们想要将其嵌入 HTML 中进行输出时,我们将再次更改语言,因此我们必须通过 htmlspecialchars 函数将字符串编码为 HTML。

在整个过程中,字符串始终采用正确的编码,这意味着用户可以想到的任何字符都将得到相应的处理。一切都应该顺利且安全地进行。

要避免的一件事(有时无知的人甚至会建议这样做)是过早地对字符串进行编码。例如,您可以在将字符串放入数据库之前将 htmlspecialchars 应用于字符串。这样,当您稍后从数据库检索字符串时,您可以将其粘贴到 HTML 中,没有问题。听起来很棒吗?是的,真的很棒,直到您开始收到人们的支持票,他们想知道为什么他们的 PDF 收据充满了 & 。 > 垃圾。

在代码中:

form.html:

<form action="post.php" method="get">
    <textarea name="comment">
        I really <3 dogs & cats ;')
    </textarea>
    <input type="submit"/>
</form>

它生成的URL:

http://www.example.org/form.php?comment=I%20really%20%3C3%20dogs%20&%20cats%20;')

post.php:

// Connect to database, etc....

// Place the new comment in the database
$comment = $_GET['comment']; // Comment is encoded as PHP string

// Using $comment in a SQL query, need to encode the string to SQL first!
$query = "INSERT INTO posts SET comment='". mysql_real_escape_string($comment) ."'";
mysql_query($query);

// Get list of comments from the database
$query = "SELECT comment FROM posts";

print '<html><body><h2>Posts</h2>';
print '<table>';

while($post = mysql_fetch_assoc($query)) {
    // Going from PHP string to HTML, need to encode!
    print '<tr><td>'. htmlspecialchars($post['comment']) .'</td></tr>';
}

print '</table>';
print '</body></html>'

It's a very important question and it actually has a simple answer in the form of encodings. The problem you are facing it that you use a lot of languages at the same time. First you are in HTML, then in PHP and a few seconds later in SQL. All these languages have their own syntax rules.

The thing to remember is: a string should at all times be in its proper encoding.

Lets take an example. You have a HTML form and the user enters the following string into it:

I really <3 dogs & cats ;')

Upon pressing the submit button, this string is being send to your PHP script. Lets assume this is done through GET. It gets appended to the URL, which has its own syntax (the & character has special meaning for instance) so we are changing languages. This means the string must be transformed into the proper URL-encoding. In this case the browser does it, but PHP also has an urlencode function for that.

In the PHP script, the string is stored in $_GET, encoded as a PHP string. As long as you are coding PHP, this is perfectly fine. But now lets put the string to use in a SQL query. We change languages and syntax rules, therefore the string must be encoded as SQL through the mysql_real_escape_string function.

At the other end, we might want to display the string back to the users again. We retrieve the string from the database and it is returned to us as a PHP string. When we want to embed it in HTML for output, we're changing languages again so we must encode our string to HTML through the htmlspecialchars function.

Throughout the way, the string has always been in the proper encoding, which means any character the user can come up with will be dealt with accordingly. Everything should be running smooth and safe.

A thing to avoid (sometimes this is even recommended by the ignorant) is prematurely encoding your string. For instance, you could apply htmlspecialchars to the string before putting it in the database. This way, when you retrieve the string later from the database you can stick it in the HTML no problem. Sound great? Yeah, really great until you start getting support tickets of people wondering why their PDF receipts are full of & > junk.

In code:

form.html:

<form action="post.php" method="get">
    <textarea name="comment">
        I really <3 dogs & cats ;')
    </textarea>
    <input type="submit"/>
</form>

URL it generates:

http://www.example.org/form.php?comment=I%20really%20%3C3%20dogs%20&%20cats%20;')

post.php:

// Connect to database, etc....

// Place the new comment in the database
$comment = $_GET['comment']; // Comment is encoded as PHP string

// Using $comment in a SQL query, need to encode the string to SQL first!
$query = "INSERT INTO posts SET comment='". mysql_real_escape_string($comment) ."'";
mysql_query($query);

// Get list of comments from the database
$query = "SELECT comment FROM posts";

print '<html><body><h2>Posts</h2>';
print '<table>';

while($post = mysql_fetch_assoc($query)) {
    // Going from PHP string to HTML, need to encode!
    print '<tr><td>'. htmlspecialchars($post['comment']) .'</td></tr>';
}

print '</table>';
print '</body></html>'
回复 原文
少跟Wǒ拽 2024-12-27 05:40:31

关键是要了解您可以使用的每种消毒功能的用途以及何时使用。例如,数据库转义函数旨在使数据可以安全地插入数据库,并且应该这样使用;但 HTML 转义函数旨在中和恶意 HTML 代码(如 JavaScript),并确保输出数据供用户查看是安全的。在正确的时间清理正确的内容。*

  • 您可以采取两种不同的基本方法:您可以在收到 HTML 时对其进行清理,或者您可以将其完全按收到时的样子存储,并仅在需要输出时对其进行清理给用户。这些方法中的每一种都有其支持者,但第二种方法可能最不容易出现问题(对于第一种方法,如果在清理过程中发现缺陷并且您发现数据库中存储的内容清理不充分,您会怎么做?)

可以使用日期解析函数来清理日期。在 PHP 中,您可以查看 strtotime()。您的目标通常是获取日期的字符串表示形式并输出表示日期的对象,或以规范方式(即:以特定格式)表示相同日期的另一个字符串。

The crucial thing is to understand what each sanitising function available to you is for, and when it should be used. For example, database-escaping functions are designed to make data safe to insert into the database, and should be used as such; but HTML-escaping functions are designed to neutralise malicious HTML code (like JavaScripts) and make it safe to output data for your users to view. Sanitise the right thing at the right time.*

  • There are two different basic approaches you can take: you can sanitise HTML when you receive it, or you can store it exactly as you received it and sanitise it only when it is time to output it to the user. Each of these methods has its proponents, but the second one is probably the least prone to problems (with the first one, what do you do if a flaw is discovered in your sanitising procedure and you find you have insufficiently sanitised content stored in your database?)

Dates can be sanitised using a date parsing function. In PHP you might look at strtotime(). Your objective is typically to take a string representation of a date and output either an object representing a date, or another string that represents the same date in a canonical way (that is: in a specific format).

回复 原文
耳钉梦 2024-12-27 05:40:31

关于日期清理,PHP 有一些内置函数可以提供帮助。 strtotime() 函数会将几乎任何可以想象到的日期/时间格式转换为 Unix 时间戳,然后可以将其传递给 date() 函数以将其转换为您喜欢的任何格式。

例如:

$date_sql = date( "Ymd", strtotime( $_POST["date"] ) );

Regarding the sanitization of dates, PHP has some built-in functions that can be helpful. The strtotime() function will convert just about any imaginable date/time format into a Unix timestamp, which can then be passed to the date() function to convert it to whatever formatting you like.

For example:

$date_sql = date( "Y-m-d", strtotime( $_POST["date"] ) );

回复 原文
~没有更多了~

关于作者

眉黛浅

暂无简介

文章
评论
678 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

燃烧我的卡路李先生

文章 0 评论 0

qq_2gSKZM

文章 0 评论 0

∞梦里开花

文章 0 评论 0

qq_IklFPL

文章 0 评论 0

迷途知返

文章 0 评论 0

深海不蓝

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文