[英]how do I protect an sql entry from a “meta” injection?
I have a site which allows the user to save images. 我有一个允许用户保存图像的网站。 I sanitize mysql inserts with 'mysql_real_escape_string', but someone went and entered a meta with a content redirect in his image description, so that whenever our site loads (loading the latest images as well), it redirects. 我用“ mysql_real_escape_string”对mysql插入进行了清理,但是有人去了他的图像描述中输入了带有内容重定向的元数据,以便每当我们的站点加载(也加载最新的图像)时,它就会重定向。
How can I sanitize my strings or sql queries to protect against that? 如何清理字符串或sql查询以防止这种情况?
Thanks in advance! 提前致谢!
For this particular example, you could have avoided it by using htmlentities when outputting the data: 对于此特定示例,可以通过在输出数据时使用htmlentities避免它:
<?php
$str = "A 'quote' is <b>bold</b>";
// Outputs: A 'quote' is <b>bold</b>
echo htmlentities($str);
// Outputs: A 'quote' is <b>bold</b>
echo htmlentities($str, ENT_QUOTES);
?>
The catch is that it would destroy pretty much any HTML from being used in the stuff you are saving. 要注意的是,它将破坏您保存的东西中几乎不使用任何 HTML。 If you are trying to allow certain tags and disallow others, it quickly gets a lot more complicated. 如果您试图允许某些标签而不允许其他标签,那么它很快就会变得复杂得多。
mysql_real_escape_string
is only used to prevent sql injection. mysql_real_escape_string
仅用于防止sql注入。
To prevent XSS, you need to use htmlspecialchars or htmlentities to sanitize the html content. 为了防止XSS,您需要使用htmlspecialchars或htmlentities清理html内容。
I think you should be using the htmlspecialchars();
我认为您应该使用htmlspecialchars();
everytime before putting anything from the database and before you submit the user input to the database use prepared statements + htmlspecialchars();
每次在从数据库中放入任何东西之前以及在将用户输入提交到数据库之前,都使用准备好的语句+ htmlspecialchars();
[optional] [可选的]
Here is couple of things you can do 这是您可以做的几件事
strip_tags()
使用strip_tags()
mysqli_*
function instead of mysql_
使用mysqli_*
函数代替mysql_
htmlentities()
将特殊字符转换为各自的htmlentities()
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.