Sanitize? When it is neither output as HTML nor used in an SQL query
After looking through some sites (e.g. https://www.owasp.org/index.php/Main_Page) I found no EXPLICIT mention of what hazards the following process would open me up to:

A user answers a multiple choice question, sending a form with the "answer" as a hidden field.

The .php page takes it (validates it to have fewer than 100 characters), then takes the correct answer from the database. It compares the two (using the == comparison operator), then sends

echo "Wrong! The correct answer is ".$correctAnswer; //a hack presumably will always be wrong!!!

Basically, what damage could there possibly be in letting user input (up to 100 characters) get stuck into

$playersAnswer = $_POST['checkAnswer'];

and

if ($correctAnswer == $playersAnswer){ ....etc

The advantage for me is that I need not worry about any letters/symbols/characters in the user's answer being stripped or converted. Therefore I can use questions with full punctuation, foreign languages and even questions about javascript without fear!
If all you do is use the POST variable in a comparison:

there is no danger to this.

The danger begins where you use the variable - in HTML output, in a database query, in an exec() or eval() command.
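The sinks the answer lists, as an added example that is not part of the original question or answer: the POSTed answer passes through the length check and the comparison harmlessly and only becomes a problem where it reaches HTML output or an SQL string, so the hardened form is shown beside each dangerous one. The field names, the quiz table and the in-memory SQLite database are assumptions for illustration. The strict === is a caveat on the question's ==: PHP's loose comparison treats two numeric strings as numbers, so "1e3" == "1000" is true, which is a correctness problem for a quiz rather than an injection.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original question or answer. Field names,
// table layout and the in-memory SQLite database are assumptions for illustration.

// Constructed stand-in for $_POST so the script runs offline. The answer
// carries both an HTML payload and an SQL-looking fragment.
$post = [
    'questionId'  => '1',
    'checkAnswer' => "<script>alert(1)</script>' OR '1'='1",
];

// Length check as the question describes: reject anything 100 characters or longer.
function takeAnswer(array $post): ?string
{
    $a = $post['checkAnswer'] ?? null;
    return (is_string($a) && strlen($a) < 100) ? $a : null;
}

// The comparison itself. === instead of ==: with == PHP compares two numeric
// strings as numbers, so "1e3" == "1000" and "0e5" == "0e9" are both true.
function isCorrect(string $correct, string $given): bool
{
    return $correct === $given;
}

// Sink 1: the database query. Bind the value; never concatenate it.
function fetchCorrectAnswer(PDO $db, string $questionId): ?string
{
    // Dangerous form: $db->query("SELECT answer FROM quiz WHERE id = " . $questionId)
    $stmt = $db->prepare('SELECT answer FROM quiz WHERE id = :id');
    $stmt->execute([':id' => $questionId]);
    $answer = $stmt->fetchColumn();
    return $answer === false ? null : (string) $answer;
}

// Sink 2: HTML output. Escape anything from $_POST (or the database) before echoing it.
function renderResult(bool $ok, string $correct, string $given): string
{
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    if ($ok) {
        return 'Correct!';
    }
    // Unsafe form: 'Wrong! You answered ' . $given   (reflects the payload as markup)
    return 'Wrong! You answered "' . $h($given) . '". The correct answer is ' . $h($correct);
}

// Sink 3: exec()/eval(). There is no safe form; user input never reaches them.

// Quiz table constructed for the example. The stored answer deliberately
// contains markup, so escaping matters for the database value as well.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE quiz (id INTEGER PRIMARY KEY, answer TEXT NOT NULL)');
$db->exec("INSERT INTO quiz (id, answer) VALUES (1, '<b>bold</b>')");

$given   = takeAnswer($post);
$correct = fetchCorrectAnswer($db, (string) ($post['questionId'] ?? ''));

if ($given === null || $correct === null) {
    echo "Bad request\n";
} else {
    echo renderResult(isCorrect($correct, $given), $correct, $given), "\n";
}

// A tampered id is inert when bound: SQLite compares the INTEGER id with the
// text '1 OR 1=1', which is not a well-formed integer, so no row matches and
// the function returns null instead of every row in the table.
var_dump(fetchCorrectAnswer($db, '1 OR 1=1'));
```

The hidden-field answer is compared as an opaque string and never altered, which preserves the questioner's goal of keeping punctuation, foreign text and JavaScript snippets intact; the escaping happens only at the output boundary, and the binding only at the query boundary.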