
PHP - how do you sanitize your contact forms?

Has anyone come across a bulletproof function/class (home-made or native) for protecting contact forms?

See:

Secure Your Forms With Form Keys

Even better, employ:

HTML Purifier

HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C's specifications. Tired of using BBCode due to the current landscape of deficient or insecure HTML filters? Have a WYSIWYG editor but never been able to use it? Looking for high-quality, standards-compliant, open-source components for that application you're building? HTML Purifier is for you!

I recommend using the OWASP Enterprise Security API; it is a collection of accessors that filter user input based on the type of data it should be. Another complementary security layer is a Web Application Firewall (WAF) such as PHP-IDS or mod_security. A WAF will prevent many different types of attacks from reaching your application. This is probably what you are looking for, because it is a "drop in" solution requiring no modification to your application.

An input validation library will help, but you should keep in mind there is no silver bullet: you can't call one routine or install some software and expect all vulnerabilities to disappear. Input validation vulnerabilities are highly dependent on how the data is used. For instance LFI, XSS, CRLF and SQL Injection all have different control characters and thus have their own requirements for filtering/escaping/encoding. If you want to build a truly solid PHP application then you have to read the PHPSec Library.

The best way to prevent SQL injection is using parameterized queries with a library like PHP's PDO. This way you KNOW that the query is immune to SQL injection regardless of where the data came from.

Furthermore there are some vulnerabilities that have nothing to do with input validation. CSRF and crypto violations are both excellent examples. You should also read the OWASP Top 10.

I don't think this is a special case, just always use parametrized queries when interacting with a database.

Because setting up parametrized queries with PHP/mysqli can be a verbose pain I'd highly recommend Rob Poyntz's Codesense_mysqli class. It's a neat little wrapper that hides most of the tedium.
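The two answers above both come down to the same recipe: a form key against CSRF, validation that matches how each field is used, and a parameterized query for storage. Here is an added example (not code from any answer or library mentioned on this page) that puts those pieces together in one PHP contact-form handler; it assumes a PDO connection `$pdo` and a table `messages(name, email, body)`.

```php
<?php
// Added example (not from the answers above): a contact-form handler that combines
// a per-session form key (CSRF), type-specific validation, CRLF rejection for a value
// that later lands in a mail header, and a PDO prepared statement for storage.
// Assumption: $pdo is an open PDO connection and table messages(name, email, body) exists.
session_start();

function form_key(): string {
    // One random key per session; embed it as a hidden field in the form.
    if (empty($_SESSION['form_key'])) {
        $_SESSION['form_key'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['form_key'];
}

function form_key_valid(?string $submitted): bool {
    // Constant-time comparison so the check does not leak the key byte by byte.
    return is_string($submitted) && isset($_SESSION['form_key'])
        && hash_equals($_SESSION['form_key'], $submitted);
}

function validate_contact(array $post): array {
    // Returns [errors, clean]; each field is checked against how it will be used.
    $errors = [];
    $name  = trim((string)($post['name'] ?? ''));
    $email = trim((string)($post['email'] ?? ''));
    $body  = trim((string)($post['body'] ?? ''));

    if ($name === '' || mb_strlen($name) > 100) $errors[] = 'name';
    // A CR/LF in the address would let a sender inject extra mail headers.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || preg_match('/[\r\n]/', $email)) $errors[] = 'email';
    if ($body === '' || mb_strlen($body) > 5000) $errors[] = 'body';
    return [$errors, compact('name', 'email', 'body')];
}

function store_message(PDO $pdo, array $clean): void {
    // Placeholders keep the data out of the SQL text, so no escaping is needed.
    $stmt = $pdo->prepare('INSERT INTO messages (name, email, body) VALUES (:name, :email, :body)');
    $stmt->execute($clean);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!form_key_valid($_POST['form_key'] ?? null)) { http_response_code(403); exit; }
    [$errors, $clean] = validate_contact($_POST);
    if ($errors) { http_response_code(422); exit('Invalid: ' . implode(', ', $errors)); }
    store_message($pdo, $clean);
    // Output context is HTML, so encode for HTML when echoing a value back.
    echo 'Thanks, ' . htmlspecialchars($clean['name'], ENT_QUOTES, 'UTF-8');
}
```

Note that each control covers one sink: the form key covers CSRF, the email check covers header injection, the prepared statement covers SQL, and `htmlspecialchars` covers the HTML output; none of them substitutes for the others.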
