
What is the securest way to add html/css/js to mysql?

I'm currently using the following PHP class to store html, css and javascript code to my mysql database.

function filter($data) {
    $data = trim(htmlentities(strip_tags($data)));

    if (get_magic_quotes_gpc())
        $data = stripslashes($data);
    $data = strip_tags($data);

    $data = mysql_real_escape_string($data);

    return $data;
}

I'm really wondering if the used code is secure enough to store HTML / CSS / JS code in a mysql database?

Yes, MySQL can store any type of text technically safely. Which means, MySQL will save the text as is and will return it again without losing any data.

Mysql does not differentiate between the content of the text, so it makes no difference if it is HTML, CSS, JS code or your friend's last email.

However if you output the text later on you should take care that there is no unwanted code injection after you've pulled the data from mysql. But that's not related to MySQL actually.

To make your SQL more secure, pass the database handle to mysql_real_escape_string or even better use MySQLi and/or PDO and prepared statements.

Your code

Your code looks like you're trying a lot to prevent something, but in the end it turns out pretty useless:

function filter($data) {
    $data = trim(htmlentities(strip_tags($data)));

    if (get_magic_quotes_gpc())
        $data = stripslashes($data);
    $data = strip_tags($data);

    $data = mysql_real_escape_string($data);

    return $data;
}

Normalize the data before you process it

First of all you should change the position of the check for get_magic_quotes_gpc to normalize the data the function is working on. It would be even better if your application did not rely on it but just refused to work if that option is enabled - see this important information here about that if you care about security.

But for the safeness of your code posted, let's first normalize the input value to the function before processing it further. This is done by moving the check to the top of the function.

function filter($data)
{
    // normalize $data because of get_magic_quotes_gpc
    $dataNeedsStripSlashes = get_magic_quotes_gpc();
    if ($dataNeedsStripSlashes)
    {
        $data = stripslashes($data);
    }

    // normalize $data because of whitespace on beginning and end
    $data = trim($data);

    // strip tags
    $data = strip_tags($data);

    // replace characters with their HTML entities
    $data = htmlentities($data);

    // mysql escape string
    $data = mysql_real_escape_string($data);

    return $data;
}

In this modified function, the magic quotes stuff (which you should not use) has been moved to the top of it. This ensures that regardless of whether that option is on or off, data will always be processed the same. Your function did not do so, it would have created different results for the same data passed. So this has been fixed.

More problems with your function

Even though the function looks better now, it still has many problems. For example, it's unclear what the function actually does. It does many things at once and some of them are contradictory:

  • It removes HTML tags, which is a sign that $data should not contain HTML.
  • But then you convert the text of $data to actually contain HTML entities.

So what should the data be? HTML or not? It does not introduce more security if things become unclear, because this invites errors into your program that in the end may even pass your security precautions.

So you should just throw away the code and consider the following:

  • If input to your application is invalid, don't filter it. Instead prevent further use of invalid input. So you need a function to validate input before you make use of it.
  • Don't change data just because you think this might make something more secure. Instead change and encode data where it is needed and appropriate.
    • Make your application only work with magic quotes off. Relying on this feature is highly discouraged. And then there is no need to check for that all over in your code.
    • To store something safely within the database, escape the data only right before using it in the query. Not at some other place of your application. Use prepared statements for that.
    • No need to wrangle the data before you put it into the database if it's valid. But you need to properly encode it when outputting it to the webpage. And only there does an application know which encoding this needs to be. You do not know that when you put the data into the database.

So if you want to make your code more secure, this is not about throwing a bunch of functions onto some data because you think those are security related. By doing so you don't make your software more secure but less secure.

  1. Never trust user data.
  2. Ensure data is in the format you need it in prior to processing.
  3. Use the right tool for the job at the right place.
  4. Never use tools on a guess. Get knowledge instead; that pays off not only security-wise.
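As an added example that is not part of the original question or answer, the script below puts the answer's recommendations into working PHP: the snippet is validated and rejected if invalid, stored unchanged through a PDO prepared statement, and encoded only at the point where it is rendered into a page. It uses an in-memory SQLite database as an assumed stand-in for MySQL so that it runs offline; the table layout, the size limit and the snippet kinds are assumptions for the example, and the only MySQL-specific change would be the DSN.

```php
<?php
// Added example (not from the original question or answer): keep the data raw,
// let the driver handle quoting, and encode for the output context only.
// Assumption: SQLite in memory stands in for MySQL so the script runs offline.
// For MySQL only the connection changes, for example:
//   new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', $user, $pass,
//           [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
//            PDO::ATTR_EMULATE_PREPARES => false]);
declare(strict_types=1);

/**
 * Validate before use; reject invalid input instead of "filtering" it.
 * The allowed kinds and the 64 KiB limit are assumptions for this example.
 */
function validateSnippet(string $kind, string $code): void
{
    if (!in_array($kind, ['html', 'css', 'js'], true)) {
        throw new InvalidArgumentException("Unknown snippet kind: $kind");
    }
    if ($code === '' || strlen($code) > 65535) {
        throw new InvalidArgumentException('Snippet must be 1..65535 bytes');
    }
    if (!mb_check_encoding($code, 'UTF-8')) {
        throw new InvalidArgumentException('Snippet is not valid UTF-8');
    }
}

/** Store the snippet exactly as received; bound parameters replace manual escaping. */
function storeSnippet(PDO $db, string $kind, string $code): int
{
    validateSnippet($kind, $code);
    $stmt = $db->prepare('INSERT INTO snippets (kind, code) VALUES (:kind, :code)');
    $stmt->execute([':kind' => $kind, ':code' => $code]);
    return (int) $db->lastInsertId();
}

/** Read a snippet back; returns null when the id does not exist. */
function loadSnippet(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT kind, code FROM snippets WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Encoding belongs here: this function knows the output is an HTML text node. */
function renderAsVisibleSource(string $code): string
{
    return '<pre><code>'
        . htmlspecialchars($code, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</code></pre>';
}

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE snippets ('
    . 'id INTEGER PRIMARY KEY AUTOINCREMENT, kind TEXT NOT NULL, code TEXT NOT NULL)');

// Constructed sample input with quotes, backslashes, an ampersand and tags.
$input = "<script>alert('it\\'s \"x\" \\\\ & <b>');</script>";

$id  = storeSnippet($db, 'html', $input);
$row = loadSnippet($db, $id);

// The round trip is lossless: the database returns exactly what was stored.
if ($row === null || $row['code'] !== $input) {
    throw new RuntimeException('Stored snippet does not match the input');
}
echo "Stored and read back unchanged:\n", $row['code'], "\n\n";

// Encoded view for a page that shows the snippet's source as text.
echo "Rendered for display:\n", renderAsVisibleSource($row['code']), "\n\n";

// What the question's filter() would have kept of the same snippet
// (strip_tags then htmlentities): the HTML the user wanted is gone.
echo "After strip_tags + htmlentities:\n",
    htmlentities(strip_tags($input), ENT_QUOTES, 'UTF-8'), "\n\n";

// Invalid input is refused rather than silently rewritten.
try {
    storeSnippet($db, 'xml', '<x/>');
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

Run it with `php example.php`. The comparison at the end makes the answer's "contradictory" point concrete: the stored copy survives the round trip byte for byte, whereas strip_tags followed by htmlentities leaves only the alert text, so the snippet the user asked to store no longer exists. Nothing in the storage path depends on magic quotes or on escaping functions; the quoting is done by the database driver at the one place where the data meets SQL, and the HTML encoding is done by the one function that knows it is emitting a text node.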
