如何避免“PHP注入”
[英]How to avoid “PHP injection”
问题描述
I have this script 
我有这个脚本
<?php $number = %value%; ?>
The %value% token will be replaced by a value on a DB input by a user. %value%标记将被用户输入的DB上的值替换。
My concern is that someone inputs something like: 我担心的是有人输入的内容如下:
1; echo phpinfo()
The result of the replace will be: 替换的结果将是:
<?php $number = 1; echo phpinfo(); ?>
This is obviously a security risk. 这显然是一种安全风险。
Is there a function to escape php scripting characters or something I can use? 是否有一个函数来逃避php脚本字符或我可以使用的东西?
Thanks in advance. 提前致谢。
Context 上下文
This is a tool on a CMS I'm working on, usually tools generate HTML code added to some PHP file. 这是我正在研究的CMS上的工具,通常工具生成添加到某些PHP文件的HTML代码。
In this case this tool generates an HTML structure from an RSS channel. 在这种情况下,此工具从RSS通道生成HTML结构。 We ask the user to input the RSS URL and the number of feeds to display, we replace those values into the PHP script and use them to get the feeds and display them in a HTML structure. 我们要求用户输入RSS URL和要显示的提要数量,我们将这些值替换为PHP脚本并使用它们来获取提要并以HTML结构显示它们。
like this: 像这样:
<?php
$url = "URL"; //comes from DB
$number = N; //comes from DB
$feeds = getFeeds($url, $number);
...
?>
3 个解决方案
解决方案1
10 已采纳 2010-12-09 17:40:26
The mechanics you described above are flawed. 你上面描述的机制是有缺陷的。 PHP just doesn't work that way. PHP就是这样不行。 No user input will be executed (or to be more precise, interpreted by PHP) unless: 不会执行任何用户输入(或更准确地说,由PHP解释),除非:
- You run it through an
eval()call您通过eval()调用运行它 - You save a combination of your code and user input as a PHP file and later execute it 您将代码和用户输入的组合保存为PHP文件,然后执行它
What you should be worried is SQL injection which is an entierly different thing. 你应该担心的是SQL注入,这是一个非常不同的东西。
If you are referring to a scenario simillar to bullet #2, there is a good chance you are doing something quite wrong from the design perspective and you should rethink your approach. 如果你指的是一个类似于子弹#2的场景,你很可能从设计角度做一些非常错误的事情,你应该重新思考你的方法。
解决方案2
1 2010-12-09 18:22:10
As mentioned by code_burgar.. this design is totally flawed. 正如code_burgar所提到的......这种设计是完全有缺陷的。 There should be no reason to build a server executed file on the fly. 应该没有理由动态构建服务器执行的文件。 You should pull your recordset from the db, loop through it and execute your getFeeds() function for each record. 您应该从db中提取记录集,循环遍历它并为每条记录执行getFeeds()函数。 Doing that would not execute any of the db provided data unless.. once again as cod_burgar says.. you use the eval() function. 这样做不会执行任何db提供的数据,除非..再次作为cod_burgar说..你使用eval()函数。
解决方案3
1 2010-12-12 08:23:17
Generally you want to sanitize all user supplied input in any program. 通常,您希望在任何程序中清理所有用户提供的输入。 EG: If you are asking for a 5 digit number, before assigning data to a variable verify it is in fact an integer and make sure it is only 5 digits. EG:如果要求一个5位数字,在将数据分配给变量之前,确认它实际上是一个整数,并确保它只有5位数。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.