how to properly secure form - flat file database
My form saves user inputs (inputs+textarea) into a flat file database. I found lots of examples Googling on how to create a flat file database, but no one is properly covering some good basics on how to properly secure the form from XSS and other malicious attacks.
I know the best way is to have (Ex:) an SQL database... but that's not the case.
So far I know (this could be wrong! correct me if it is):
- .php files to store data (inside <?php ...data... ?>) instead of .txt files
- drop an .htaccess with a deny from all inside the database folder
- mysql_real_escape_string ... but good enough for ffdb
What are your thoughts? I appreciate your help
Dunno where you got it, but by using
- .php files to store data (inside <?php ...data... ?>) instead of .txt files
you can be definitely sure that it will ALLOW anyone whatever attack they wish, and
- drop an .htaccess with a deny from all inside the database folder
makes absolutely no sense.
So, it seems the only issue is
- how to properly secure the form from XSS
and it is solved by using htmlspecialchars().
Here is an example of such a script I wrote a long time ago in a galaxy far, far away...
Feel free to ask if something looks unclear.
<?php
// initialise both variables here so the non-POST branch can use them without notices
$err = '';
$msg = array();
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    // iterating over POST data
    foreach ($_POST as $key => $value) {
        // first we are doing non-destructive modifications
        // in case we will need to show the data back in the form on error
        $value = trim($value);
        // magic quotes are gone from modern PHP; guard the call so the script still runs there
        if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) $value = stripslashes($value);
        $value = htmlspecialchars($value, ENT_QUOTES);
        $_POST[$key] = $value;
        // here go "destructive" modifications, specific to the storage format
        $value = str_replace("\r", "", $value);
        $value = str_replace("\n", "<br>", $value);
        $value = str_replace("|", "¦", $value);
        $msg[$key] = $value;
    }
    // various validations
    if (empty($msg['name'])) $err .= "You forgot to introduce yourself<br>";
    if (empty($msg['notes'])) $err .= "You forgot to leave a comment!<br>";
    // and so on
    // ...
    // if no errors - writing to the file
    if (!$err) {
        $s = $msg['name']."|".$msg['email']."|".$msg['notes']."|".time()."\n";
        $fp = fopen("gbook.txt", "a");
        fwrite($fp, $s);
        fclose($fp);
        // and then redirect
        header("Location: ".$_SERVER['PHP_SELF']);
        exit;
    }
    // otherwise - show the filled form
} else {
    // if it was not a POST request
    // we have to fill variables used in form
    $_POST['name'] = $_POST['email'] = $_POST['notes'] = '';
}
?>
<html>
<head></head>
<body>
<?php if ($err): ?><font color=red><b><?=$err?></b></font><?php endif ?>
<form method="POST">
Name: <input type="text" name="name" value="<?=$_POST['name']?>"><br>
Email: <input type="text" name="email" value="<?=$_POST['email']?>"><br>
Notes: <textarea rows="3" cols="30" name="notes"><?=$_POST['notes']?></textarea><br>
<input type="submit" name="submit">
</form>
</body>
</html>
It will produce a so-called pipe-delimited format like this:
name1|email1|comment
name2|email2|comment
You can read it using file()+explode().
If you're storing content in a text file then you don't need to worry about escaping the string.
You could filter it for malicious HTML, but it depends on what you're doing with the contents.
Make sure the file is in a folder outside of the public directory or is protected with the deny from all htaccess trick, and ensure that you use file locking to prevent it being overwritten at the same time.
Also if you're looking for a good flat file database check out Flintstone, it's a key/value database store I wrote, might be useful for you.
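The two halves the answers leave to the reader, reading the pipe-delimited file back with file()+explode() (first answer) and writing it under a file lock (second answer), as one added example; this is not code from either answerer, and the file path and the four-field record layout are assumptions that follow the script above:

```php
<?php
// Added example: append one guestbook record under an exclusive lock, then read the
// pipe-delimited file back with file() + explode() and emit it as escaped HTML.
// Assumption: gbook.txt lives in a data/ directory outside the web root.
declare(strict_types=1);

const GBOOK_FILE = __DIR__ . '/../data/gbook.txt';

/** Append a record; LOCK_EX stops two concurrent posts from interleaving bytes. */
function gbook_append(string $name, string $email, string $notes): bool
{
    $fields = [$name, $email, $notes];
    foreach ($fields as &$f) {
        // neutralise HTML on the way in, as the script above does
        $f = htmlspecialchars(trim($f), ENT_QUOTES, 'UTF-8');
        // keep one record per line and one field per pipe
        $f = str_replace(["\r", "\n", '|'], ['', '<br>', '¦'], $f);
    }
    unset($f);
    $line = implode('|', $fields) . '|' . time() . "\n";
    return file_put_contents(GBOOK_FILE, $line, FILE_APPEND | LOCK_EX) !== false;
}

/** Read every record as [name, email, notes, time]; malformed lines are skipped, not trusted. */
function gbook_read(): array
{
    if (!is_file(GBOOK_FILE)) {
        return [];
    }
    $rows = [];
    foreach (file(GBOOK_FILE, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $parts = explode('|', $line);
        if (count($parts) !== 4) {
            continue; // truncated or corrupt line (e.g. a write that died mid-record)
        }
        [$name, $email, $notes, $ts] = $parts;
        $rows[] = ['name' => $name, 'email' => $email, 'notes' => $notes, 'time' => (int) $ts];
    }
    return $rows;
}

// Render: fields were escaped at write time, so the only markup is the <br> we inserted.
foreach (gbook_read() as $row) {
    printf("<p><b>%s</b> (%s, %s):<br>%s</p>\n",
        $row['name'], $row['email'], date('Y-m-d', $row['time']), $row['notes']);
}
```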