[英]how to clean POST and GET vars in PHP for XSS and SQL injection
In my web app is a config file which includes ie database connection settings ans is always loaded at the first line of a PHP script. 在我的Web应用程序中是一个配置文件,其中包括数据库连接设置,并且总是在PHP脚本的第一行加载。 I would like to include a function which cleans all POST and GET data for maybe existing XSS and SQL Injection risks.
我想包含一个函数,该函数清除所有POST和GET数据,以解决可能存在的XSS和SQL注入风险。
I am not sure if that function is really enough 我不确定该功能是否真的足够
function make_safe($variable)
{
$variable = strip_tags(mysql_real_escape_string(trim($variable)));
return $variable;
}
foreach ($_POST as $key => $value) {
$_POST[$key] = make_safe($value);
}
//Same for $_GET & $_SESSION
Do you have recommendation for this problem? 您对此问题有建议吗?
This function: 该功能:
function make_safe($variable)
{
$variable = strip_tags(mysql_real_escape_string(trim($variable)));
return $variable;
}
Will not work 不管用
SQL injection and XSS are two different beasts. SQL注入和XSS是两个不同的野兽。 Because they each require different escaping you need to use each escape function strip_tags and mysql_real_escape_string separatly.
由于它们各自需要不同的转义,因此您需要分别使用每个转义函数strip_tags和mysql_real_escape_string。 Joining them up will defeat the security of each.
加入他们将破坏每个人的安全。
Use the standard mysql_real_escape_string() when inputting data into the database. 将数据输入数据库时,请使用标准的mysql_real_escape_string()。 Use strip_tags() when querying stuff out of the database before outputting them to the screen.
从数据库中查询内容之前,请使用strip_tags(),然后再将其输出到屏幕。
Why combining the two function is dangerous From the horses mouth: http://php.net/manual/en/function.strip-tags.php 为什么将两个功能组合在一起很危险从马口中可以看出 : http : //php.net/manual/en/function.strip-tags.php
Because strip_tags()
does not actually validate the HTML, partial or broken tags can result in the removal of more text/data than expected. 由于
strip_tags()
实际上并未验证HTML,因此部分或损坏的标签可能导致删除的文本/数据超出预期。
So by inputting malformed html into a database field a smart attacker can use your naive implementation to defeat mysql_real_escape_string()
in your combo. 因此,通过将格式错误的html输入数据库字段中,聪明的攻击者可以使用您的幼稚实现在组合中击败
mysql_real_escape_string()
。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.