[英]What is the securest way to add html/css/js to mysql?
I'm currently using the following PHP class to store html, css and javascript code to my mysql database. 我目前正在使用以下PHP类将html,css和javascript代码存储到我的mysql数据库中。
function filter($data) {
$data = trim(htmlentities(strip_tags($data)));
if (get_magic_quotes_gpc())
$data = stripslashes($data);
$data= strip_tags($data);
$data = mysql_real_escape_string($data);
return $data;}
I' really wondering if the used code is secure enough to store HTML / CSS / JS code in a mysql database? 我真的想知道所使用的代码是否足够安全,可以将HTML / CSS / JS代码存储在mysql数据库中?
Yes, MySQL can store any type of text technically safely. 是的,MySQL可以在技术上安全地存储任何类型的文本。 Which means, MySQL will save the text as is and will return it again without loosing any data.
这意味着,MySQL将按原样保存文本,并在不丢失任何数据的情况下再次返回。
Mysql does not differ between the content of the text, so it makes no difference if it is HTML, CSS, JS code or your friends last email. Mysql在文本内容之间没有区别,因此如果它是HTML,CSS,JS代码或您的朋友最后一封电子邮件则没有区别。
However if you output the text later on you should take care that there is no unwanted code injection after you've pulled the data from mysql. 但是,如果稍后输出文本,则应该注意从mysql中提取数据后没有不需要的代码注入。 But that's not related to MySQL actually.
但这实际上与MySQL没有关系。
To make you sql more secure, pass the database handle to mysql_real_escape_string
or even better use MySQLi and/or PDO and prepared statements. 为了使您的SQL更安全,请将数据库句柄传递给
mysql_real_escape_string
,甚至更好地使用MySQLi和/或PDO以及预处理语句。
Your code looks like you're trying a lot to prevent something, but in the end it turns out pretty useless: 你的代码看起来像是在试图阻止某些东西,但最终它变得非常无用:
function filter($data) {
$data = trim(htmlentities(strip_tags($data)));
if (get_magic_quotes_gpc())
$data = stripslashes($data);
$data= strip_tags($data);
$data = mysql_real_escape_string($data);
return $data;}
First of all you should change the position of the check for get_magic_quotes_gpc
to normalize the data the function is working on. 首先,您应该更改
get_magic_quotes_gpc
检查的位置,以规范化函数正在处理的数据。 It would be even better if your application would not rely on it but just denies working if that option is enabled - see this important information here about that if you care about security. 如果您的应用程序不依赖于它会更好,但是如果启用了该选项则拒绝工作 - 如果您关心安全性,请在此处查看此重要信息 。
But for the safeness of your code posted, let's first normalize the input value to the function before processing it further. 但是为了发布代码的安全性,我们首先将输入值规范化为函数,然后再进行处理。 This is done by moving the check to the top of the function.
这是通过将检查移动到函数顶部来完成的。
function filter($data)
{
// normalize $data because of get_magic_quotes_gpc
$dataNeedsStripSlashes = get_magic_quotes_gpc();
if ($dataNeedsStripSlashes)
{
$data = stripslashes($data);
}
// normalize $data because of whitespace on beginning and end
$data = trim($data);
// strip tags
$data = strip_tags($data);
// replace characters with their HTML entitites
$data = htmlentities($data);
// mysql escape string
$data = mysql_real_escape_string($data);
return $data;
}
In this modified function, the magic quotes stuff (which you should not use) has been moved to the top of it. 在这个修改过的函数中,魔术引号(你不应该使用它)已被移到它的顶部。 This ensures that regardless of that option is on or off, data will always be processed the same.
这可确保无论该选项是打开还是关闭,数据始终都会被处理。 Your function did not do so, it would have created different results for the same data passed.
您的功能没有这样做,它会为传递的相同数据创建不同的结果。 So this has been fixed.
所以这已得到修复。
Even the function looks better now, it still has many problems. 即使功能现在看起来更好,它仍然有很多问题。 For example, it's unclear what the function actually does.
例如,目前还不清楚该功能实际上做了什么。 It does many things at once and some of them are contradictory:
它同时做了很多事情,其中一些是矛盾的:
$data
should not contain HTML $data
不应包含HTML $data
to have actually contain HTML entities. $data
的文本转换为实际包含HTML实体。 So what should the data be? 那么数据应该是什么? HTML or not?
是不是HTML? It does not introduce more security if things become unclear because this will benefit that errors come into your program and in the end even pass your security precautions.
如果事情变得不清楚,它不会引入更多的安全性,因为这将有利于错误进入您的程序,最终甚至通过您的安全预防措施。
So you should just throw away the code and consider the following: 所以你应该抛弃代码并考虑以下内容:
So if you want to make your code more secure, this is not about throwing a bunch of functions onto some data because you think those are security related. 因此,如果您想让您的代码更安全,那么这不是要将一堆函数放到某些数据上,因为您认为这些是安全相关的。 By doing so you don't make your software more secure but less secure.
通过这样做,您不会使您的软件更安全,但安全性更低。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.