
Php-MySql Security approach while INSERT'ing INTO MySql & fetching from MySql to screen

My Approach while INSERT'ing INTO MySql

I think I read on stackoverflow.com that "if you need escaping or similar action, do it just in time when you need it", so in the verification pages where I verify the user inputs (null-or-not check, length check and structural checks, e.g. mail structure, custom tag structures) I use the $_POST[''] variables as inputs. During verification, even in the custom error printing parts, my error messages do not include any of the $_POST[''] values in the message text.

As an interim note: I utilize prepared statements and parameterized queries during PHP-MySQL interactions. If the inputs are verified, just before INSERT'ing INTO MySQL I strip the tags from the input, since I don't allow any HTML tags other than custom structured tags (for example **bold text** === <strong>bold text</strong>). Then I insert the user input into the MySQL db.

My Approach while fetching from MySql & printing the output to the screen

I only apply the htmlspecialchars() function when printing to the screen from the MySQL db.

My Question

I am not sure of myself. Is there any obvious or hidden weakness in my approach? Thanks in advance for the PHP gurus' valuable comments. BR

UPDATE

I won't strip tags during insert into the MySQL db. For the reasons, please refer to the comments of ÁlvaroG.Vicario below. BR.

The discussion thus far has been about protecting from SQL injection and persistent cross-site scripting. It sounds like you're on the right track.

  • Your use of prepared statements is a "best practice" to combat SQL injection.
  • htmlspecialchars() is a good start to prevent XSS, but you have to escape data in the encoding scheme that is appropriate to where you are outputting the data. OWASP has a comprehensive page that discusses this: XSS (Cross Site Scripting) Prevention Cheat Sheet. The short answer: ensure you are using "the escape syntax for the part of the HTML document you're putting untrusted data into."
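The context point in the answer above, as an added PHP example that is not code from the answer or the question: one encoder per output context (HTML text/quoted attribute, JavaScript string literal, URL query value), with a right and a wrong placement for each. The helper names encHtml, encJs and encUrlParam, the sample inputs and the example.com URL are all made up for the illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the answer: one encoder per output context
// from the OWASP cheat sheet. htmlspecialchars() is only the right tool for
// HTML text and for quoted attribute values.

// HTML body text and double- or single-quoted attribute values.
// ENT_QUOTES also encodes ' (the default only since PHP 8.1).
function encHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// A JavaScript string literal inside a <script> block. json_encode() yields a
// valid JS literal; the HEX flags turn < > & ' " into \uXXXX escapes, so a
// "</script>" inside the data cannot close the script element.
function encJs(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// A value placed in a URL query string.
function encUrlParam(string $s): string
{
    return rawurlencode($s);
}

// Constructed attacker inputs (not real data).
$breakAttr = 'x onmouseover=alert(1)';           // contains no " < > &, so nothing to encode
$closeTag  = '</script><script>alert(1)</script>';
$plain     = 'Tom & "Jerry"';

// Right: HTML encoding into a QUOTED attribute; the value cannot end early.
echo '<input value="' . encHtml($breakAttr) . '">', "\n";
// Wrong: the same encoder into an UNQUOTED attribute. htmlspecialchars() has
// nothing to change, the space ends the value and onmouseover becomes a live
// attribute. The fix is the surrounding quotes, not a stronger encoder.
echo '<input value=' . encHtml($breakAttr) . '>', "\n";

// Right: JS string context uses the JS encoder; </script> is neutralised.
echo '<script>var s = ' . encJs($closeTag) . ';</script>', "\n";
// Wrong: HTML-encoding data for a JS string does not inject here, but the
// browser never decodes entities inside <script>, so the page shows the
// literal text "Tom &amp; &quot;Jerry&quot;" instead of what was stored.
echo '<script>var t = "' . encHtml($plain) . '";</script>', "\n";

// URL context: percent-encode the query value first, then HTML-encode the
// whole attribute value (innermost context first, outermost last).
$url = 'https://example.com/search?q=' . encUrlParam($plain);   // placeholder host
echo '<a href="' . encHtml($url) . '">search</a>', "\n";
```

Run it with `php context-encoding.php` and paste the output into an HTML file: the first input and the link are inert, the second input carries a working onmouseover handler, and the two script blocks show the difference between a correctly decoded string and one left with literal entities.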

I tried the code below in trial.php

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> 
<html xmlns="http://www.w3.org/1999/xhtml" lang="tr"> 
<head> 
<title>trial</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> 
<meta http-equiv="Content-Language" content="tr" /> 
<meta name="Description" content="trial page." /> 
<meta name="Robots" content="noindex, nofollow" />
</head>
<body>
<?php
$str1 = '<script>alert(\'inside of input with quote\')</script>';
$str2 = '<script>alert("inside of input with quote")</script>';
$str3 = "<script>alert(\"inside of input with quote\")</script>";
$str4 = '<script>alert("outside of form")</script>';
?>
<form method="post" action="">
    <fieldset>
        <legend>alert attempts inside form inputs</legend>
        <label for="input1">label 1:</label><br />
        <input type="text" value="<?php echo htmlspecialchars($str1) ; ?>" name="input1" id="input1" /><br /><br />

        <legend>attempt 2</legend>
        <label for="input2">label 2:</label><br />
        <input type="text" value="<?php echo htmlspecialchars($str2) ; ?>" name="input2" id="input2" /><br /><br />

        <label for="input3">Label 3:</label><br />
        <input type="text" value="<?php echo htmlspecialchars($str3) ; ?>" name="input3" id="input3" />
    </fieldset>
</form>    
<?php echo htmlspecialchars($str4) ; ?>
</body>
</html>

results of trial.php

  1. what the user cared to type didn't break, so the user data was not corrupted
  2. I see exactly what the user cared to type on screen
  3. the script alerts did not work

resulting procedure while INSERT'ing INTO MySQL & fetching from MySQL and printing the output to screen

  1. Utilize prepared statements and parametric queries during PHP-MySQL interactions. While INSERT'ing INTO the MySQL db, this approach already prevents SQL injection, so there is no need for extra escaping. Extra effort like strip_tags() will disrupt what the user exactly cared to type, just as htmlspecialchars() or htmlentities() would also do.
  2. Utilize prepared statements and parametric queries also while fetching from the MySQL db.
  3. While printing user-inputted data onto the screen, use htmlspecialchars() so that what the user exactly cared to type won't break and possible malicious special characters will be converted to their corresponding HTML entities.
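The three-step procedure above carried through end to end, as an added PHP example that is not code from the post. It assumes PDO with an in-memory SQLite database as a stand-in for MySQL so that it runs offline (the DSN is the only MySQL-specific part), a `posts` table with one text column, and the question's **bold** convention as the custom tag syntax; the helper names (validateBody, insertPost, fetchPost, h, renderBody) and the sample inputs are constructed for the illustration. It also shows the one thing the bullets leave implicit: the custom tags are applied after encoding, never by letting stored HTML through.

```php
<?php
declare(strict_types=1);

// Added example of the three-step procedure; not code from the original post.
// PDO with an in-memory SQLite database stands in for MySQL so that this runs
// offline (assumption). For MySQL, use a DSN such as
// 'mysql:host=localhost;dbname=app;charset=utf8mb4' (the charset matters for
// correct escaping when PDO emulates prepares) and consider
// PDO::ATTR_EMULATE_PREPARES => false so the server binds the parameters.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Validation as described in the question: empty check and length check
// (structural checks omitted). The text itself is returned unchanged.
function validateBody(string $body): string
{
    if (trim($body) === '') {
        throw new InvalidArgumentException('body must not be empty');
    }
    if (strlen($body) > 8000) {   // byte length; use mb_strlen() for a character limit
        throw new InvalidArgumentException('body too long');
    }
    return $body;
}

// Step 1: INSERT the raw, validated text through a bound parameter.
// No escaping and no strip_tags(): exactly what the user typed is stored.
function insertPost(PDO $pdo, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => validateBody($body)]);
    return (int) $pdo->lastInsertId();
}

// Step 2: fetch through a bound parameter as well.
function fetchPost(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch();
    return $row === false ? null : $row['body'];
}

// Step 3: encode for the HTML body context only at output time.
// ENT_QUOTES also encodes the single quote (the default only since PHP 8.1);
// ENT_SUBSTITUTE replaces malformed UTF-8 instead of returning ''.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The question's **bold** convention (assumed syntax) is turned into markup
// AFTER encoding, so the only <strong> tags in the output are generated here;
// a user-typed "<strong>" has already become "&lt;strong&gt;" at this point.
function renderBody(string $stored): string
{
    return preg_replace('/\*\*(.+?)\*\*/s', '<strong>$1</strong>', h($stored));
}

// Constructed sample inputs: an SQL injection attempt, a script payload and
// the custom markup. None of them is special to a bound parameter.
$samples = [
    "Robert'); DROP TABLE posts; --",
    '<script>alert("xss")</script>',
    'some **bold text** here',
];
foreach ($samples as $input) {
    $stored = fetchPost($pdo, insertPost($pdo, $input));
    if ($stored !== $input) {
        throw new RuntimeException('round trip altered the user data');
    }
    echo renderBody($stored), "\n";
}
// The table is still there: the quote in the first sample was data, not SQL.
$count = (int) $pdo->query('SELECT COUNT(*) FROM posts')->fetchColumn();
echo "stored rows: $count\n";
```

The round-trip check is the test of bullet 1: because nothing is escaped or stripped on the way in, the fetched text is byte-for-byte what was submitted. Rendering the custom tags on the encoded string, rather than storing `<strong>` in the database, is what keeps bullet 3 true even for a user who types the tag by hand.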
