堆栈内存溢出
  简体   繁体   English

PHP 清理数据

[英]PHP Sanitize Data

 原文  2011-05-02 23:17:25       php/ sanitize

问题描述

I am new to the world of coding and PHP hence would like to learn what's the best way to sanitize form data to avoid malformed pages, code injections and the like.我是编码世界的新手,PHP 因此想了解什么是清理表单数据以避免格式错误的页面、代码注入等的最佳方法。 Is the sample script I found below a good example?我在下面找到的示例脚本是一个很好的例子吗?

Code originally posted at http://codeassembly.com/How-to-sanitize-your-php-input/代码最初发布在http://codeassembly.com/How-to-sanitize-your-php-input/

/**
 * Sanitize only one variable .
 * Returns the variable sanitized according to the desired type or true/false 
 * for certain data types if the variable does not correspond to the given data type.
 * 
 * NOTE: True/False is returned only for telephone, pin, id_card data types
 *
 * @param mixed The variable itself
 * @param string A string containing the desired variable type
 * @return The sanitized variable or true/false
 */

function sanitizeOne($var, $type)
{       
    switch ( $type ) {
    case 'int': // integer
        $var = (int) $var;
        break;

    case 'str': // trim string
        $var = trim ( $var );
        break;

    case 'nohtml': // trim string, no HTML allowed
        $var = htmlentities ( trim ( $var ), ENT_QUOTES );
        break;

    case 'plain': // trim string, no HTML allowed, plain text
        $var =  htmlentities ( trim ( $var ) , ENT_NOQUOTES )  ;
        break;

    case 'upper_word': // trim string, upper case words
        $var = ucwords ( strtolower ( trim ( $var ) ) );
        break;

    case 'ucfirst': // trim string, upper case first word
        $var = ucfirst ( strtolower ( trim ( $var ) ) );
        break;

    case 'lower': // trim string, lower case words
        $var = strtolower ( trim ( $var ) );
        break;

    case 'urle': // trim string, url encoded
        $var = urlencode ( trim ( $var ) );
        break;

    case 'trim_urle': // trim string, url decoded
        $var = urldecode ( trim ( $var ) );
        break;

    case 'telephone': // True/False for a telephone number
        $size = strlen ($var) ;
        for ($x=0;$x<$size;$x++)
        {
            if ( ! ( ( ctype_digit($var[$x] ) || ($var[$x]=='+') || ($var[$x]=='*') || ($var[$x]=='p')) ) )
            {
                return false;
            }
        }
        return true;
        break;

    case 'pin': // True/False for a PIN
        if ( (strlen($var) != 13) || (ctype_digit($var)!=true) )
        {
            return false;
        }
        return true;
        break;

    case 'id_card': // True/False for an ID CARD
        if ( (ctype_alpha( substr( $var , 0 , 2) ) != true ) || (ctype_digit( substr( $var , 2 , 6) ) != true ) || ( strlen($var) != 8))
        {
            return false;
        }
        return true;
        break;

    case 'sql': // True/False if the given string is SQL injection safe
        //  insert code here, I usually use ADODB -> qstr() but depending on your needs you can use mysql_real_escape();
        return mysql_real_escape_string($var);
        break;
    }       
    return $var;
}

4 个解决方案

解决方案1
 18  2011-05-02 23:24:17

That script has some nice functions but it doesn't do a good job at sanitizing!该脚本具有一些不错的功能,但在消毒方面做得不好!

Depending on what you need (and want to accept) you can use:根据您的需要(并希望接受),您可以使用:

解决方案2
 10 已采纳  2011-05-02 23:41:55

Your example script isn't great - the so called sanitisation of a string just trims whitespace off each end.您的示例脚本不是很好 - 所谓的字符串清理只是修剪每一端的空白。 Relying on that would get you in a lot of trouble fast.依靠它会让你很快陷入很多麻烦。

There isn't a one size fits all solution.没有一种万能的解决方案。 You need to apply the right sanitisation for your application, which will completely depend on what input you need and where it's being used.您需要对您的应用程序进行正确的清理,这完全取决于您需要什么输入以及在何处使用它。 And you should sanitise at multiple levels in any case - most likely when you receive data, when you store it and possibly when you render it.在任何情况下,您都应该在多个级别进行清理——最有可能在您接收数据、存储数据以及渲染数据时进行。

Worth reading, possible dupes:值得一读,可能的骗局:

What's the best method for sanitizing user input with PHP? 使用 PHP 清理用户输入的最佳方法是什么?

Clean & Safe string in PHP PHP 中的清洁和安全字符串

解决方案3
 7  2011-05-02 23:25:43

As a general rule if you are using PHP & MySQL you will want to sanitize data going into MySQL like so:作为一般规则,如果您使用的是 PHP 和 MySQL,您将需要像这样清理进入 MySQL 的数据:

$something = mysql_real_escape_string($_POST['your_form_data']);

http://php.net/manual/en/function.mysql-real-escape-string.php http://php.net/manual/en/function.mysql-real-escape-string.php

解决方案4
 4  2011-05-02 23:20:46

It's not bad.不算太差。

For SQL, it'd be best to avoid the need to risk the scenario at all, by using PDO to insert parameters into your queries.对于 SQL,最好通过使用 PDO 将参数插入到查询中来完全避免冒险。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 PHP函数清除所有数据 - PHP function to sanitize all data php中的Ajax数据,清理一个数字 - Ajax data in php, sanitize a number 如何验证和清理 php 中的数据数组? - How to validate and sanitize array of data in php? 通过PHP构造函数清理GET数据 - Sanitize GET data through PHP constructor PHP清理用户数据以供header()函数使用 - PHP sanitize user data for use in header() function 如何清理PHP数据以写入PDF文件? - How can I sanitize PHP data for writing to PDF file? 我是否需要为 PHP 中的 error_log() 清理用户数据? - Do I need to sanitize user data for error_log() in PHP? 请帮助我将php数据清理成mysql - Please help me to sanitize php data goint to mysql 在PHP中对动态表单数据使用FILTER_SANITIZE_STRING - Using FILTER_SANITIZE_STRING on dynamic form data in PHP 如何在php中清理数据以避免SQL注入? - How to sanitize data in php in order to avoid SQL injection?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM