[英]Php-MySql Security approach while INSERT’ing INTO MySql & fetching from MySql to screen
I think I read in stackoverflow.com that “if you need escaping or similar action, do it just in time you need” so in the verification pages that I verify the user inputs (null or not check, length check and structural checks (eg: mail structure, custom tags structures); I use the $_POST['']
variables as inputs. During verifications, even in the custom error printing parts, my error messages does not include any of $_POST['']
values in message texts. 我想我在stackoverflow.com上读到“如果您需要转义或类似的操作,请及时进行操作”,因此在验证页面中我会验证用户输入(是否为空检查,长度检查和结构检查(例如:邮件结构,自定义标签结构);我使用
$_POST['']
变量作为输入。在验证过程中,即使在自定义错误打印部件中,我的错误消息中也不包含任何$_POST['']
值文本。
As an interim note: I utilize prepared statements and parameterized queries during php-MySql interactions. 作为临时说明:在php-mysql交互过程中,我使用准备好的语句和参数化的查询 。 If inputs are verified;
输入是否经过验证; just before INSERT'ing INTO MySql, I strip the tags from input since I don't allow any html tags other than custom structured tags.
在插入INTO MySql之前,我将标签从输入中剥离,因为我不允许除自定义结构化标签之外的任何html标签。 (for example
**bold text** === <strong>bold text</strong>
) Then I insert the user input into MySql db. (例如
**bold text** === <strong>bold text</strong>
),然后将用户输入插入MySql db。
I only apply htmlspecialchars() command to print out to the screen from MySql db 我只应用htmlspecialchars()命令从MySql db打印到屏幕
I am not sure of myself. 我不确定自己。 Is there any obvious or hidden weakness in my approach?
我的方法是否有明显或隐藏的弱点? Thanks in advance for php gurus' valuable comments.
在此先感谢php gurus的宝贵意见。 BR
BR
I won't strip tags during insert into MySql db. 在插入MySql db的过程中,我不会剥离标签。 For reasons, Please refer to comments of ÁlvaroG.Vicario below.
由于某些原因,请参阅下面的ÁlvaroG.Vicario的注释。 BR.
BR。
The discussion thus far has been about protecting from SQL Injection and Persistent cross site scripting. 到目前为止,讨论的主题是如何避免SQL注入和持久性跨站点脚本。 It sounds like you're on the right track.
听起来您在正确的轨道上。
the escape syntax for the part of the HTML document you're putting untrusted data into.
" the escape syntax for the part of the HTML document you're putting untrusted data into.
”。 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="tr">
<head>
<title>trial</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta http-equiv="Content-Language" content="tr" />
<meta name="Description" content="trial page." />
<meta name="Robots" content="noindex, nofollow" />
</head>
<body>
<?php
$str1 = '<script>alert(\'inside of input with quote\')</script>';
$str2 = '<script>alert("inside of input with quote")</script>';
$str3 = "<script>alert(\"inside of input with quote\")</script>";
$str4 = '<script>alert("outside of form")</script>';
?>
<form method="post" action="">
<fieldset>
<legend>alert attempts inside form inputs</legend>
<label for="input1">label 1:</label><br />
<input type="text" value="<?php echo htmlspecialchars($str1) ; ?>" name="input1" id="input1" /><br /><br />
<legend>attempt 2</legend>
<label for="input2">label 2:</label><br />
<input type="text" value="<?php echo htmlspecialchars($str2) ; ?>" name="input2" id="input2" /><br /><br />
<label for="input3">Label 3:</label><br />
<input type="text" value="<?php echo htmlspecialchars($str3) ; ?>" name="input3" id="input3" />
</fieldset>
</form>
<?php echo htmlspecialchars($str4) ; ?>
</body>
</html>
strip_tags()
will disrupt what the user exactly cared typing just like htmlspecialchars()
OR htmlentities()
will do also. strip_tags()
这样的额外工作将破坏用户确切关心的键入内容,就像htmlspecialchars()
或htmlentities()
一样。 htmlspecialchars()
so what the user exactly cared typing won't break and possible malicious special characters will be converted to their corresponding HTML entities htmlspecialchars()
以便用户不会打扰的内容不会中断,并且可能的恶意特殊字符将转换为相应的HTML实体
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.