堆栈内存溢出
  简体   繁体   English

防止输入字段上的XSS?

[英]prevent xss on input fields?

 原文  2012-11-28 17:51:21       php/ escaping/ preg-replace/ htmlpurifier

问题描述

1-i have a form which has name family email birthday(which is a select) and gender which is two diffrent radio buttons one for male and another one obviously is for female. 1-i具有一种形式,名称为家庭电子邮件生日(可以选择)和性别,这是两个不同的单选按钮,一个是男性,另一个显然是女性。 now please can someone explain me how to prevent xss attacks on this fields in php? 现在请有人可以向我解释一下如何防止在php中对该字段进行xss攻击吗? my form data is like this 我的表格数据是这样的 

<form action="register.php" method="post">
    <div>
        <table>
        <tr><td><?php echo $lang['5']; ?> :</td><td> <input type="text" name="name" maxlength="254" class="required" /></td></tr>
        <tr><td><?php echo $lang['6']; ?> :</td><td> <input type="text" name="family" maxlength="254" class="required" /></td></tr>
        <tr><td><?php echo $lang['59']; ?> :</td><td> <input type="text" name="email" maxlength="254" class="required" /></td></tr>
        <tr><td><?php echo $lang['74']; ?> :</td><td> <input type="text" name="repeat" maxlength="254" class="required" /></td></tr>
        <tr><td><?php echo $lang['60']; ?> :</td><td><input type="password" name="password"/></td></tr>
        <tr>
        <td><?php echo $lang['8'] ?> :</td>
        <td>
        <select name="day">
        <option><?php echo $lang['9'] ?></option>
        <?php 
        for($i=1;$i<=31;$i++){
        echo "<option value=\"{$i}\">{$i}</option>\n"; 
        }
        ?>
        </select>
        <select name="month">
        <?php 
        for($i=0;$i<=12;$i++){
        $i = str_pad($i,2,"0",STR_PAD_LEFT);
        echo "<option value=\"{$i}\">";T(1,$i);echo "</option>\n"; 
        }
        ?>
        </select>
        <select name="year">
        <option><?php echo $lang['11'] ?></option>
        <?php 
        for($i=1300;$i<=1373;$i++){
        if($i == $birthdate['0']){
        echo "<option value=\"{$i}\" selected=\"selected\">{$i}</option>\n"; 
        }else{
        echo "<option value=\"{$i}\">{$i}</option>\n"; 
        }
        }
        ?>
        </select>
        </td>
        </tr>
        </table>
        male : <input type="radio" name="gender[]"  />female : <input type="radio" name="gender[]"  /><br />
        <input type="submit" name="submit" value="<?php echo $lang['63'];  ?>" onclick="formhash(this.form, this.form.password);"/>
    </div>
</form>

for name and family i did somthing like this for get just html entity with this pattern 为了名字和家人,我做了这样的事情,只是得到这种模式的HTML实体 

$name = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $name);
$family = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $family);

and for email i did like this: 对于电子邮件,我确实是这样的: 

 $email = preg_replace("^[_a-zA-Z0-9-]+(\.[_a-zA-Z0-9-]+)*@[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)*(\.[a-zA-Z]{2,3})$^", "", $email);

is this preg_replace secure enough or maybe i need using htmlentity or htmlspecailchars? 这个preg_replace是否足够安全,或者我需要使用htmlentity或htmlspecailchars?

2-and for second question is it necessary to escape posted data which is from radio buttons or sellect options and if its necessary how should i escape them? 2-第二个问题是有必要转义来自单选按钮或Sellect选项的已发布数据,如果有必要,我应如何转义它们?

3-i just read about htmlpurifier..now if i have status field which user can i update it should i use html purifier for people statuses and this register form maybe? 3-i刚刚阅读了有关htmlpurifier..now的信息,如果我有status字段,我可以更新该用户,是否应该使用html purifier来显示人员状态,并且此注册表格可能是?

thanks in advance. 提前致谢。

1 个解决方案

解决方案1
 1 已采纳  2012-12-04 09:35:07

  • It is better to escape all submitted values 最好不要提交所有提交的值

  • HTMLPurifier is a very good and enough to prevent XSS attacks, and here is how you can use it. HTMLPurifier非常好,足以阻止XSS攻击,这是使用它的方法。 

     # In register.php page: require_once 'path/to/HTMLPurifier/library/HTMLPurifier.auto.php'; $config = HTMLPurifier_Config::createDefault(); $config->set('HTML.Doctype', 'HTML 4.01 Transitional'); $config->set("HTML.Allowed", ""); // this will NOT allow any html tags $purifier = new HTMLPurifier($config); # hash the provided password (don't apply HTMLPurifier on the password) $hash_password = sha1($_POST["password"]); $data = array(); # apply HTMLPurify on all submitted data foreach ($_POST as $key => $value) { $data["$key"] = mysql_real_escape_string($purifier->purify($value)); } # get birthday $data["birthday"] = $data["year"] . "-" . $data["month"] . "-" . $data["day"]; # insert submitted data into your database $result = mysql_query(" INSERT INTO table_name (name, family, email, password, birthday, gender) VALUES ('{$data["name"]}', '{$data["family"]}', '{$data["email"]}', '$hash_password', '{$data["birthday"]}', '{$data["gender"]}') "); ?>

NOTE: use male and female as values of the name attributes of the 2 radio input tags instead of the gender[] array 注意:使用malefemale作为2个无线电输入标签的name属性的值,而不要使用gender[]数组

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 我是否需要以HTML形式htmlspecialchars()用户输入以防止XSS? - Do I need to htmlspecialchars() user input in an HTML form to prevent XSS? 使用.htaccess防止XSS攻击 - Prevent XSS attacks with .htaccess 防止 XSS 攻击 - Prevent XSS attacks 如何防止潜在的XSS - How to prevent potential XSS PHP 防止 xss - PHP Prevent xss CakePHP:防止XSS攻击 - CakePHP : Prevent XSS attacks jQuery Ajax防止XSS - Jquery ajax prevent xss 转义以防止XSS的快捷方式 - shortcut to escaping to prevent XSS 需要防止XSS攻击吗? - Need to prevent XSS attacks? 如何防止属性中的 XSS - How to prevent XSS in attributes
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM