Does this protect against injection attacks?
Does this protect against SQL injection attacks?
function sanitize($value) {
    // Stripslashes
    if (is_array($value)) {
        if (get_magic_quotes_gpc()) {
            $value = array_map("stripslashes", $value);
        }
        $value = array_map("mysql_real_escape_string", $value);
    } else {
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        $value = mysql_real_escape_string($value);
    }
    return $value;
}
$_REQUEST = array_map('sanitize', $_REQUEST);
$_GET = array_map('sanitize', $_GET);
$_POST = array_map('sanitize', $_POST);
$_COOKIE = array_map('sanitize', $_COOKIE);
What could I add to sanitize() to protect against cross-site scripting? What other channels would allow attackers to insert malicious code?
The one-word answer would be "yes". However: if $value is an array that contains other arrays it won't be handled correctly. You should loop over $value and make a recursive call to sanitize for each array you find.
Finally, the other ways in which someone can subvert your application are cross-site scripting (aka CSS or XSS) and cross-site request forgeries (CSRF). There are lots of resources here on SO and on the internet you can use to get up to speed. As a starting point, protection against XSS involves calling htmlspecialchars on anything you output, while protection against CSRF involves requiring a session-specific id code for each operation your privileged users are allowed to perform on your site.
Array-safe sanitize version
function sanitize($value) {
    if (is_array($value)) {
        foreach ($value as &$item) {
            $item = sanitize($item);
        }
    } else {
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        $value = mysql_real_escape_string($value);
    }
    return $value;
}
Update:
For higher visibility: Bjoern's link to this question (What's the best method for sanitizing user input with PHP?) is really good.
No.
Use PHP Data Objects. Or... use a Database Abstraction Layer. Or... some framework that does this.
Don't write your own because:
If it is applied after the database connection was established, then it escapes the initial input data correctly.
Now you will have problems using such escaped values for HTML output, however. And it does not protect against second-order SQL injection (querying the database, then using those values as-is for a second query). And more importantly, most applications work on the input values. If you do any sort of rewriting or string matching, you might undo some of the escaping.
Hence why it is often recommended to apply the escaping right before the query is assembled. Nevertheless, the code itself is functional for the general case and advisable if you can't rewrite heaps of legacy code.
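The two points raised in the answers above, use PDO instead of a hand-rolled escaper and keep escaping out of the input layer so stored values stay intact for later queries and for HTML output, as an added example that is not from the question or any answer. The table, rows and the helper h() are constructed for this demo; it runs against an in-memory SQLite database so no MySQL server is needed.

```php
<?php
// Added example (not from the question or any answer): parameterised queries
// with PDO on an in-memory SQLite database, and escaping at output time.
// Table and sample rows are constructed for this demo.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // use real prepares where the driver supports them
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, bio TEXT)");

// Constructed input: a name containing a quote and a bio containing markup.
// Nothing here is pre-escaped; the raw strings are what gets stored.
$name = "O'Brien";
$bio  = '<script>alert(1)</script>';

// Insert: values travel as bound parameters, never spliced into the SQL text,
// so no stripslashes()/mysql_real_escape_string() pass over $_POST is needed.
$ins = $pdo->prepare("INSERT INTO users (name, bio) VALUES (:name, :bio)");
$ins->execute([':name' => $name, ':bio' => $bio]);

// Second-order case from the answer above: a value read back from the
// database is reused in another query. Binding it again keeps it data,
// which a one-time escape of $_POST could not have guaranteed.
$row = $pdo->query("SELECT name FROM users WHERE id = 1")->fetch(PDO::FETCH_ASSOC);
$sel = $pdo->prepare("SELECT id, name, bio FROM users WHERE name = ?");
$sel->execute([$row['name']]);
$user = $sel->fetch(PDO::FETCH_ASSOC);

// Output: escape for the HTML context right where the value is emitted,
// so the quote in the name is still a plain quote in the database and the
// stored bio renders as text rather than as a script element.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
echo "<p>Name: " . h($user['name']) . "</p>\n";
echo "<textarea>" . h($user['bio']) . "</textarea>\n";
```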
You should add html_entities. Most of the time you put $_POST variables into a textbox, like:
<textarea><?php echo $_POST['field']; ?></textarea>
They can mess up your HTML by filling in and do anything they want.