过滤用户输入
[英]Filtering User Input
问题描述
I've read quite a few q&a's on filtering user input here, but most of the time the answer is that it depends on what you're doing. 
我在这里阅读了很多关于过滤用户输入的问答,但大多数时候答案是它取决于你在做什么。 Here's what I'm doing: 这是我正在做的事情:
Data submitted via a form that will be used in a MySQL query: 通过将在MySQL查询中使用的表单提交的数据:
function clean($field, $link)
{
return mysql_real_escape_string($field, $link);
}
Data submitted via a form that will be displayed back on the HTML/PHP page or in an email: 通过表格提交的数据将显示在HTML / PHP页面或电子邮件中:
function output_html($value)
{
return stripslashes(htmlspecialchars($value));
}
Data displayed from database: 从数据库显示的数据:
function output_db($value)
{
return stripslashes($value);
}
Is this sufficient for my needs? 这是否足以满足我的需求? Is there something I'm not considering? 有什么我不考虑的吗?
Thanks! 谢谢!
5 个解决方案
解决方案1
6 已采纳 2011-05-11 15:58:10
Use mysql_real_escape_string() when inserting strings into SQL queries, no matter where the input comes from. 在将字符串插入SQL查询时,无论输入来自何处,都使用mysql_real_escape_string() 。
Use htmlspecialchars() or htmlentities() when inserting strings into HTML code, no matter where the input comes from. 将字符串插入HTML代码时,无论输入来自何处,都使用htmlspecialchars()或htmlentities() 。
Use urlencode() when inserting values into the query string of a URL, no matter where the values come from. 将值插入URL的查询字符串时,请使用urlencode() ,无论值来自何处。
If this data comes from the user, then you should definitely do these things because there is the chance that the user is trying to do bad things. 如果这些数据来自用户,那么你肯定应该做这些事情,因为用户有可能尝试做坏事。 But security aside--what if you want to insert a legitimate string into a SQL query and the string just happens to have a single quote character in it? 但是除了安全性之外 - 如果你想将一个合法的字符串插入一个SQL查询并且该字符串碰巧有一个单引号字符,该怎么办? You still must escape it. 你仍然必须逃脱它。
解决方案2
2 2011-05-11 15:47:43
I would really look into using something like PDO if you are starting out. 如果你刚开始的话我真的会考虑使用像PDO这样的东西。 You will eventually want to migrate that way, so why not start now. 您最终希望以这种方式迁移,所以为什么不立即开始。
PDO will cleanse your input automatically, which is great. PDO会自动清理您的输入,这很棒。 It will also use prepare() statements, so you are guaranteed a single query, which prevents someone attacking with a "; DROP TABLE xxx;" 它还将使用prepare()语句,因此您可以保证单个查询,从而防止某人使用“; DROP TABLE xxx;”进行攻击。 or such. 或者这样的。
http://php.net/manual/en/book.pdo.php http://php.net/manual/en/book.pdo.php
解决方案3
2 2011-05-11 15:58:31
When you insert data into a SQL database, you need to escape it in order to prevent SQL injections, and mysql_real_escape_string() is the right thing to use for that in mysql. 当您将数据插入SQL数据库时,您需要转义它以防止SQL注入,并且mysql_real_escape_string()是在mysql中使用它的正确方法。 You have to remember to use that for everything, though, so it's error-prone. 但是,您必须记住将其用于所有内容,因此容易出错。 You should instead be using something like PDO, which automatically escapes every incoming value. 您应该使用类似PDO的东西,它会自动转义每个传入的值。
Data coming out of a database does not usually need any special treatment (ie. unescaping). 来自数据库的数据通常不需要任何特殊处理(即unescaping)。 I don't know what you're trying to do with stripslashes() there. 我不知道你在尝试用stripslashes()做什么。 If it's for removing magic quotes that PHP inserted, you should be doing that where you extract user-provided values from GET/POST/etc. 如果它是为了删除PHP插入的魔术引号,那么你应该这样做,从GET / POST / etc中提取用户提供的值。 (or disable magic quotes completely, if you can, and don't have any other software that relies on it) (或者完全禁用魔术引号,如果可以,并且没有任何其他依赖它的软件)
Data going out to html needs to be escaped to prevent XSS. 需要转发输出到html的数据以防止XSS。 htmlspecialchars() is the right function for that. htmlspecialchars()是正确的功能。 Again, I don't know what you're trying to use stripslashes() for. 再一次,我不知道你正在尝试使用stripslashes() 。 And again, you need to remember to escape every value, which is error-prone. 而且,你需要记住要逃避每个值,这很容易出错。 You should at least consider the benefits of using a templating engine or something else that automatically escapes all values going to html. 你至少应该考虑使用模板引擎或其他能自动逃避所有html值的东西的好处。
解决方案4
1 2011-05-11 15:50:06
If you have the ability, I'd recommend using mysqli instead of mysql, and utilize prepared statements: 如果你有能力,我建议使用mysqli而不是mysql,并使用预备语句:
<?php
$mysqli = new mysqli("localhost", "my_user", "my_password", "world");
/* check connection */
if (mysqli_connect_errno()) {
printf("Connect failed: %s\n", mysqli_connect_error());
exit();
}
$city = "Amersfoort";
/* create a prepared statement */
if ($stmt = $mysqli->prepare("SELECT District FROM City WHERE Name=?")) {
/* bind parameters for markers */
$stmt->bind_param("s", $city);
/* execute query */
$stmt->execute();
/* bind result variables */
$stmt->bind_result($district);
/* fetch value */
$stmt->fetch();
printf("%s is in district %s\n", $city, $district);
/* close statement */
$stmt->close();
}
/* close connection */
$mysqli->close();
?>
Source: http://php.net/manual/en/mysqli.prepare.php 资料来源: http : //php.net/manual/en/mysqli.prepare.php
This provides basic type checking and does escaping for you. 这提供了基本的类型检查,并为您逃脱。 I would not recommend stripslashes on outputting db data because: 我不建议在输出db数据时使用stripslashes ,因为:
- DB data can have slashes in them DB数据可以包含斜杠
- The database unescapes for you anyways 无论如何,数据库对你来说都是无法解决的
With regards to showing HTML, there is also htmlstriptags which can strip out people trying to be cute with tags and the like. 关于显示HTML,还有htmlstriptags可以剥离试图用标签等可爱的人。
解决方案5
0 2011-05-11 16:37:00
i will recommend you to use the filters introduced in php 5.2 they are great and saves you lots of lines of validation and sanatization of data. 我建议你使用php 5.2中介绍的过滤器它们很棒,并为你节省了大量的数据验证和保护。 check here 检查一下
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.