How to prevent injection (HTML, PHP)?

Published 2025-01-01 06:17:13, 633 characters, 0 views, 0 comments


Possible Duplicate:
What are the best practices for avoiding xss attacks in a PHP site

I have a <textarea> and an <input> for comments on my site. Obviously, I echo them in an interface page and insert them into my database.

I want to know what I have to do when a person injects (for example) an <img> to damage the page or sends a query to damage the database.

What is a simple way?

I've tried to search for < > ' " drop using, but although I used \" instead of ", it doesn't work, and in PHP I've got an error.

Is searching for these characters manually the best way (PHP and JavaScript)?


Comments (3)

旧伤还要旧人安 2025-01-08 06:17:13


What you are trying to achieve is to prevent a form of XSS (cross-site scripting) attack. You are trying to prevent the persistent variety:

The persistent (or stored) XSS vulnerability is a more devastating
variant of a cross-site scripting flaw: it occurs when the data
provided by the attacker is saved by the server, and then permanently
displayed on "normal" pages returned to other users in the course of
regular browsing, without proper HTML escaping. A classic example of
this is with online message boards where users are allowed to post
HTML formatted messages for other users to read.

There are numerous options to prevent them. OWASP has a neat explanation. Go through it and find out. But mostly it's a very big problem for an individual to handle solely.

The best way is to use HTMLPurifier, which is both simple and easy. It may be a bit slow. But the extra processing is worth it. To give you an example of how simple it is to use, here is some basic code:

<?php
    require_once '/path/to/htmlpurifier/library/HTMLPurifier.auto.php';

    // $dirty_html holds the untrusted comment text, e.g. a value read from $_POST
    $config = HTMLPurifier_Config::createDefault();
    $purifier = new HTMLPurifier($config);
    $clean_html = $purifier->purify($dirty_html);
?>

PS: HTMLPurifier has options to "whitelist". Use that to your advantage.

For example, you can fine tune allowed elements and attributes,
convert relative URLs to absolute ones, and even autoparagraph input
text! These are, respectively, %HTML.Allowed, %URI.MakeAbsolute and
%URI.Base, and %AutoFormat.AutoParagraph. The %Namespace.Directive
naming convention translates to:

$config->set('Namespace.Directive', $value);

E.g.

$config->set('HTML.Allowed', 'p,b,a[href],i');
$config->set('URI.Base', 'http://www.example.com');
$config->set('URI.MakeAbsolute', true);
$config->set('AutoFormat.AutoParagraph', true);

EDIT:

To answer your question on stopping malformed SQL injection attacks, refer to this question: How can I prevent SQL injection in PHP? and this answer.

Quote:

Use prepared statements and parameterized queries. These are SQL statements that are sent to and parsed by the database server separately from any parameters.

If you use PDO you can work with prepared statements like this:

$preparedStatement = $db->prepare('SELECT * FROM employees WHERE name = :name');
$preparedStatement->execute(array(':name' => $name));
$rows = $preparedStatement->fetchAll();

where $db is a PDO object, see the PDO documentation. The mysqli class also provides parameterized queries.

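The answer above recommends two separate defences: a parameterized query so the comment can never change the SQL, and HTML filtering or escaping so the comment can never change the page. The following added example (not code from the answer or from the HTMLPurifier project) puts both into one small comment store so the flow from the question can be run end to end. It assumes the pdo_sqlite extension is available (an in-memory SQLite database stands in for the site's real database), and the table name, column names and sample comments are constructed for the example. When HTMLPurifier is installed it is used with the whitelist from the answer; otherwise the comment is rendered as escaped plain text, which is the safe default for a comment box that does not need markup.

```php
<?php
declare(strict_types=1);

// Added example: comment storage and rendering with the two defences the answer names.
// Table and column names, and the sample comments below, are assumptions for this example.

function openStore(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT NOT NULL, body TEXT NOT NULL)');
    return $db;
}

// The raw text is bound as a parameter and never concatenated into the SQL string,
// so quotes, semicolons and SQL keywords inside $author or $body are just data.
function storeComment(PDO $db, string $author, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $db->lastInsertId();
}

function loadComments(PDO $db): array
{
    $stmt = $db->prepare('SELECT author, body FROM comments ORDER BY id');
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Output encoding for plain-text comments: every character with meaning in HTML
// becomes an entity, so the browser displays the comment instead of parsing it.
function escapeText(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Whitelist filtering for comments that are allowed limited markup. Uses the
// directives from the answer when HTMLPurifier (composer package ezyang/htmlpurifier)
// is loaded, and falls back to plain escaping when it is not.
function renderBody(string $body, bool $allowMarkup): string
{
    if ($allowMarkup && class_exists('HTMLPurifier')) {
        $config = HTMLPurifier_Config::createDefault();
        $config->set('HTML.Allowed', 'p,b,a[href],i');
        $config->set('AutoFormat.AutoParagraph', true);
        $purifier = new HTMLPurifier($config);
        return $purifier->purify($body);
    }
    return escapeText($body);
}

// Constructed sample input of the kind the question describes: an ordinary comment,
// an injected <img> tag, and an author name carrying SQL syntax.
$db = openStore();
storeComment($db, "O'Brien", 'Nice site!');
storeComment($db, 'guest', '<img src="x" onerror="alert(1)">');
storeComment($db, "x'); DROP TABLE comments; --", 'still just text');

// All three rows are stored intact, and the <img> tag is emitted as visible text,
// not as an element, because every value passes through escapeText()/renderBody().
foreach (loadComments($db) as $row) {
    printf("<p><b>%s</b>: %s</p>\n", escapeText($row['author']), renderBody($row['body'], false));
}
```

The author field is always escaped, regardless of the markup setting, because nothing about an author name needs HTML; only the body goes through the whitelist path, and only when the site explicitly opts in.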
那支青花 2025-01-08 06:17:13


I never had problems using this:

// sql_regcase() was removed in PHP 7; the /i modifier gives the same case-insensitive match
$login = preg_replace("/(from|select|insert|delete|where|drop table|show tables|update|declare|exec|set|cast|$|#|%|&|'|\"|`|;|\*|--|\\\\)/i","",trim(addslashes(htmlspecialchars(strip_tags($_POST['comment'])))));

葬﹪忆之殇 2025-01-08 06:17:13


Use the addslashes($your_variable) function. This will add a backslash before special characters; use stripslashes($db_result) to wipe out the unwanted slashes.
http://php.net/manual/en/function.addslashes.php

You can also use
mysql_real_escape_string()
http://php.net/manual/en/function.mysql-real-escape-string.php
