如何使用PHP防止HTML注入URL表单字段中?
[英]How do I protect against HTML injection in a URL form field with PHP?
问题描述
For example if I am colecting a [URL value] in a form, saving that [URL value] in a database, and then using it in a page like this: 
例如,如果我选择一个[URL值]形式,将该[URL值]保存在数据库中,然后在这样的页面中使用它:
<a href="[URL value]" > The Link </a>
How do I protect against this [URL value]: 如何防止此[URL值]:
http://www.somelink.com"> Evil text or can be empty </a> ALL THE EVIL HTML I WANT <a href="
How can I protect against this kind of HTML injection for URL form fileds without breaking the URL in case it is valid ? 在有效的情况下,如何在不破坏URL的情况下防止URL表单文件的此类HTML注入?
5 个解决方案
解决方案1
6 已采纳 2010-10-28 00:34:04
When receiving the URL on the form: 收到表单上的URL时:
- Use
filter_var(url, FILTER_VALIDATE_URL)to ensure the URL is in a valid format.使用filter_var(url, FILTER_VALIDATE_URL)确保URL的格式正确。 - Ensure the URL starts with
http://orhttps://(or at least reject alljavascript:URL as they can include malignant code)确保网址以http://或https://开头(或至少拒绝所有javascript:URL,因为它们可能包含恶性代码) - Use prepared statements when inserting the URL (and other form data) in the database or properly escape that data to prevent SQL injections. 在数据库中插入URL(和其他表单数据)时,请使用准备好的语句,或者正确转义该数据以防止SQL注入。
When displaying the page: 显示页面时:
- Use
htmlspecialchars()to escape the URL (and all other text) that you insert in the HTML.使用htmlspecialchars()转义您在HTML中插入的URL(和所有其他文本)。
解决方案2
1 2010-10-28 00:37:11
The simplest way to do that would be to check that the input contains what looks like a syntactically valid url, with no characters such as > which are not allowed in URL's. 最简单的方法是检查输入内容是否包含句法有效的url,并且没有诸如URL之类的字符,例如>。 The easiest way to do that is using the filter extension . 最简单的方法是使用filter扩展 。 The code to do it would be like this: 要做的代码是这样的:
if (filter_var($url, FILTER_VALIDATE_URL)) {
//Valid URL submitted
} else {
//Invalid URL submitted
}
解决方案3
0 2010-10-28 03:18:06
EDIT: Just use urlencode, do not use htmlentities as well 编辑:只使用urlencode,也不要使用htmlentities
Whenever you put data into the key/value pairs of a URL, you should encode that data using urlencode(). 每当将数据放入URL的键/值对中时,都应该使用urlencode()对数据进行编码。 This function will take care of any special characters that syntactic meaning in the way URLs are meant to be constructed. 此功能将处理在构造URL的语法上具有语法含义的所有特殊字符。 Ampersands, equal signs and question marks will be encoded for you. &符,等号和问号将为您编码。 All the angle brackets AND new line characters in the inject HTML will be encoded too! 注入HTML中的所有尖括号和换行符也将被编码!
<?php $TheVariable = $_REQUEST['suspect_var']; // Untrusted data ?>
<a href="http://www.mysite.com/script.php?untrusted_data=<?php echo urlencode($TheVariable) ?>">The Link</a>
解决方案4
0 2010-10-30 15:38:36
For escaping when displaying use htmlentities($var, ENT_QUOTES) or htmlspecialchars($var, ENT_QUOTES). 为了在显示时进行转义,请使用htmlentities($ var,ENT_QUOTES)或htmlspecialchars($ var,ENT_QUOTES)。 It's needed to escape both single and double quotes because of browser-specific XSS payloads. 由于特定于浏览器的XSS有效负载,因此需要对单引号和双引号进行转义。 Check here - http://ha.ckers.org/xss2.html 在这里检查-http: //ha.ckers.org/xss2.html
Also, when validating URL javascript: URI is not the only one dangerous. 另外,在验证URL javascript时:URI并不是唯一的危险。 Other one is data: URI. 另一个是数据:URI。
Anyway, it's always more secure to exclude everything except whitelisted, then to include everything except black-listed. 无论如何,排除列入白名单的所有内容,然后包括列入黑名单的所有内容,总是比较安全的。
解决方案5
-1 2010-10-28 00:34:25
使用urlencode只是编码"签打印网址时,比如:
echo '<a href="'.str_replace('"', urlencode('"'), $url).'">link name</a>';
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.