
In CodeIgniter, is passing URI segments to your functions secure?

Here is the URI: example.com/index.php/products/shoes/sandals/123 and here is the corresponding controller:

<?php
class Products extends CI_Controller {

    // CodeIgniter maps the URI segments after the method name onto the
    // method's parameters: "sandals" -> $sandals, "123" -> $id.
    public function shoes($sandals, $id)
    {
        $this->some_DB_using_Model->getListUsing($sandals, $id);
    }
}
?>

Is it safe to send $sandals directly to the model, or should I apply a filter before sending it?

Edit:

function getListUsing($p1, $p2){
    $this->db->start_cache();
    $this->db->select('a');
    $this->db->select('b');
    $this->db->select('c');
    $this->db->where('p1', $p1);
    $this->db->where('p2', $p2);
    //then return the result
}

It depends what the model is doing. If you're using that in a database query, then yes, you need to escape it.

If you're using CodeIgniter's active queries, it will escape stuff for you.

There are some limitations on URI variables, like the allowed chars in URI segments in the config.php file, and in the core there's a function named _filter_uri($str) to sanitize the URI of malicious characters. If you don't allow single or double quotes in your URI, and use the CI database drivers for SQL variable cleanup, it won't cause any problems for your system.

For example:

$this->db->query("update table set a=? where b=?",array($a_value,$b_value));

is safer than:

$this->db->query("update table set a='".$a_value."' where b='".$b_value."'");

as you may know.

The main concerns here would be:

  1. Whether you want to show some variables to the user or not,
  2. SEO-related issues.
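The two answers above both turn on the same point: whether the value reaches the SQL text as data or as syntax. The model below is an added example (not code from the question or the answers) that puts the variants side by side in a CodeIgniter 3 model. It assumes a placeholder table `products` with columns `a`, `b`, `c`, `p1`, `p2` mirroring the question's `getListUsing()`; the class and method names are made up for the illustration. The default `permitted_uri_chars` value (`a-z 0-9~%.:_\-`) is what keeps a quote out of a URI segment in the first place; the concatenating variant is kept deliberately unsafe to show what that setting is protecting.

```php
<?php
// Added example, not the original poster's or answerers' code.
// Assumes CodeIgniter 3 and a placeholder table products(a, b, c, p1, p2).
class Product_model extends CI_Model {

    // UNSAFE: the URI segments are concatenated straight into the SQL text.
    // With the default permitted_uri_chars ('a-z 0-9~%.:_\-') a quote cannot
    // arrive here from the URI, but loosening that setting, or feeding the
    // same method from $_GET or a POST body, makes this a plain SQL injection.
    public function get_list_concat($p1, $p2)
    {
        $sql = "SELECT a, b, c FROM products WHERE p1 = '" . $p1 . "' AND p2 = '" . $p2 . "'";
        return $this->db->query($sql)->result_array();
    }

    // SAFE: query bindings. Each ? is replaced by the value run through
    // $this->db->escape(), so a quote in $p1 or $p2 stays inside the literal.
    public function get_list_bound($p1, $p2)
    {
        $sql = "SELECT a, b, c FROM products WHERE p1 = ? AND p2 = ?";
        return $this->db->query($sql, array($p1, $p2))->result_array();
    }

    // SAFE: Query Builder, the style of the question's getListUsing().
    // where($key, $value) escapes $value for you.
    public function get_list_builder($p1, $p2)
    {
        return $this->db->select('a, b, c')
                        ->where('p1', $p1)
                        ->where('p2', $p2)
                        ->get('products')
                        ->result_array();
    }

    // NOT SAFE despite using Query Builder: a single string argument to
    // where() is treated as a hand-written WHERE clause and is not escaped.
    // This is the same concatenation bug wearing a Query Builder coat.
    public function get_list_builder_raw($p1)
    {
        return $this->db->where("p1 = '" . $p1 . "'")
                        ->get('products')
                        ->result_array();
    }
}
```

Escaping covers values only. If a segment is ever used as a column or table name, or inside ORDER BY, neither bindings nor `where($key, $value)` help; for those positions compare the segment against a fixed whitelist before it touches the query.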

Call me old fashioned, but I still like to write my SQL statements out. With that said, I use Query Bindings so that the values are automatically escaped for me.

I suggest you use Sparks; it'll do it all for you, escaping all the data for you. Remember: never ever trust user input. You can also use the function to escape every segment, i.e.

www.example.com/controllername/$item1/$item2

public function controllername ($item1, $item2)
{
   // sanitize the data (htmlentities returns the encoded string; it does
   // not modify its argument, so the result has to be assigned)
   $item1 = htmlentities($item1);
   $item2 = htmlentities($item2);

   // after this, perform the call to your model by passing the new vars or an array
}
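The answers above split into two layers: what the model does with the value (escaping or bindings) and what the controller accepts in the first place. The controller below is an added example (not code from the question or any answer) for the question's URI example.com/index.php/products/shoes/sandals/123. It assumes a placeholder `Product_model` with a `get_list($category, $id)` method that uses bindings or Query Builder, and a placeholder view `products/list`. Its point is the order of operations: validate the segments against what they are supposed to be at the boundary, pass the validated values to the model, and apply `htmlentities()` only where the value is written into HTML.

```php
<?php
// Added example, not the original poster's or answerers' code.
// Assumes CodeIgniter 3, a placeholder Product_model::get_list($category, $id)
// and a placeholder view products/list.
class Products extends CI_Controller {

    // The free-text segment only has a handful of legitimate values, so it is
    // whitelisted rather than escaped. Anything else is a 404, whatever
    // permitted_uri_chars allows through.
    private $allowed_categories = array('sandals', 'boots', 'sneakers');

    // Default values so a short URI (no id segment) does not raise a PHP
    // warning about missing arguments before the checks below run.
    public function shoes($category = '', $id = '')
    {
        if ( ! in_array($category, $this->allowed_categories, TRUE))
        {
            show_404();
        }

        // The id is numeric by contract: digits only, bounded length, then an
        // int cast so the model never sees anything but an integer.
        if ( ! ctype_digit($id) || strlen($id) > 10)
        {
            show_404();
        }
        $id = (int) $id;

        $this->load->model('product_model');
        $rows = $this->product_model->get_list($category, $id);

        // htmlentities() is output encoding for HTML, not SQL escaping. It
        // belongs here, on the value about to be rendered, not in front of
        // the database call, where it would store "&amp;" style text.
        $this->load->view('products/list', array(
            'category' => htmlentities($category, ENT_QUOTES, 'UTF-8'),
            'rows'     => $rows,
        ));
    }
}
```

With both layers in place the model's escaping is a second line of defence rather than the only one: the whitelist and `ctype_digit()` check reject malformed segments before any query is built, and the output encoding is applied once, at the point where the value is actually interpreted as HTML.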
