
PHP: safe way to put a URL in a form to protect against XSS / cross-site request forgery (CSRF) attacks

I am using an HTML form in PHP as follows:

<form method="post" action="<?php echo($_SERVER['PHP_SELF']); ?>">
.
.
</form>

But when I test for CSRF / XSS attacks, it is very easy to inject this page. Is there any good way to protect against such kinds of attacks?

For CSRF protection --

  • Use a CSRF token. What is a CSRF token? It is nothing but a unique value that will be generated by your application for each form submission event and attached to each and every form as a hidden input value. At the same time the application needs to store that CSRF token value in the SESSION, so that at the time of form submission it can check whether the token value is valid or not. This is one way you can protect against a CSRF attack.

For XSS protection --

  • The first thing is to set up form validation on both the front end and the back end
  • You can use the different PHP filter methods
  • Use htmlspecialchars(), which converts special characters to HTML entities, at the time of retrieving or showing the data

The only safe way to protect against CSRF is to associate a secret key (CSRF token) with each request, and then check it upon form submit. You can put it in a hidden input.
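The token scheme described in the two answers above, written out as an added example (not code from the question or any answer): the token is generated from a CSPRNG, stored in the session, echoed into a hidden input, and compared in constant time on submit; the `action` attribute encodes `$_SERVER['PHP_SELF']`, which is the injection point in the question's form. The function names `csrf_token`, `csrf_valid` and `e` are assumptions for this example.

```php
<?php
// Added example: session-bound CSRF token plus output encoding of PHP_SELF.
// csrf_token(), csrf_valid() and e() are hypothetical helper names.
declare(strict_types=1);
session_start();

function csrf_token(): string {
    // One token per session, generated once from the OS CSPRNG.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_valid(?string $submitted): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    // hash_equals() compares in constant time, so the check leaks no timing
    // information about how many leading bytes of the token were correct.
    return $submitted !== null && $expected !== '' && hash_equals($expected, $submitted);
}

function e(string $s): string {
    // Encode for HTML text and attribute context; ENT_QUOTES also covers
    // single-quoted attributes, so PHP_SELF cannot break out of action="...".
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST['csrf_token'] ?? null)) {
        // Token missing or wrong: reject the request before any state changes.
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    $comment = (string) ($_POST['comment'] ?? '');
    // ... handle the validated submission here; store with prepared statements
    // and encode with e() again when the value is rendered back to a page.
}
?>
<form method="post" action="<?= e($_SERVER['PHP_SELF']) ?>">
    <input type="hidden" name="csrf_token" value="<?= e(csrf_token()) ?>">
    <textarea name="comment"></textarea>
    <button type="submit">Send</button>
</form>
```

A request forged from another origin cannot read the victim's session token, so it cannot supply a matching hidden field and is rejected with 403.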

Primary Defenses:

Option #1: Use of Prepared Statements (Parameterized Queries)

Option #2: Use of Stored Procedures

Option #3: Escaping All User-Supplied Input

Additional Defenses:

Also Enforce: Least Privilege

Also Perform: Whitelist Input Validation

For option #3 use this function:

To use the function mysqli_real_escape_string you need mysqli; to get it in CodeIgniter:

// Open a mysqli connection using the credentials of the CodeIgniter database config.
function get_mysqli() {
  $db = (array)get_instance()->db;
  return mysqli_connect('localhost', $db['username'], $db['password'], $db['database']);
}

// Controller method: sanitise one submitted value before it is used in a query.
public function filter($data)
{
    $data = trim(htmlentities(strip_tags($data)));
    // get_magic_quotes_gpc() was removed in PHP 8.0; the guard keeps this runnable there.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        // Undo the slashes magic quotes added, so the value is not escaped twice.
        $data = stripslashes($data);
    }
    // Escape for use inside a MySQL string literal, regardless of the magic quotes setting.
    $data = mysqli_real_escape_string(get_mysqli(), $data);
    return $data;
}

Loop over the user inputs as:

$array = array();
foreach ($_POST as $key => $value) {
    $array[$key] = $this->filter($value);
}

Check this out:

https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
