[英]PHP Safe way to put URL in form to protect against from xss / cross site request forgery CSRF attack
I am using html form in php as following: 我在php中使用html表单,如下所示:
<form method="post" action="<?php echo($_SERVER['PHP_SELF']); ?>">
.
.
</form>
But when i test for CSRF / XSS attack, it is very easy to inject this page. 但是,当我测试CSRF / XSS攻击时,很容易插入此页面。 Is there any good way to protect from such kind of attacks? 有什么好的方法可以防止此类攻击?
For CSRF Protection -- 对于CSRF保护-
For XSS Protection -- 对于XSS保护-
The only safe way to protect against CSRF is to associate a secret key (csrf token) with each request, and then check it upon form submit. 防止CSRF的唯一安全方法是将秘密密钥(csrf令牌)与每个请求关联,然后在提交表单时对其进行检查。 You can put it in a hidden input. 您可以将其放在隐藏的输入中。
Primary Defenses : 主要防御措施 :
Option #1: Use of Prepared Statements (Parameterized Queries) 选项1:使用预备语句(参数化查询)
Option #2: Use of Stored Procedures 选项2:使用存储过程
Option #3: Escaping all User Supplied Input 选项3:转义所有用户提供的输入
Additional Defenses : 其他防御措施 :
Also Enforce: Least Privilege 同时执行:最小权限
Also Perform: White List Input Validation 还执行:白名单输入验证
For option #3 Use this function: 对于选项#3,请使用以下功能:
to use the function mysqli_real_escape_str, you need the mysqli , to get it in codeigniter 要使用mysqli_real_escape_str函数,您需要mysqli,才能在codeigniter中获取它
function get_mysqli() {
$db = (array)get_instance()->db;
return mysqli_connect('localhost', $db['username'], $db['password'],$db['database']);
}
public function filter($data)
{
$data = trim(htmlentities(strip_tags($data)));
// print_r($data);
if (get_magic_quotes_gpc()){
// print_r($data);
$data = stripslashes($data);
// print_r($data);
$data = mysqli_real_escape_string(get_mysqli(),$data);
// print_r($data);
}
return $data;
}
Loop user inputs as: 将用户输入循环为:
foreach($_POST as $key => $value) {
$array[$key] = $this->filter($value);
}
Check this out: 看一下这个:
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.