
Sanitizing/Escaping user input and output

I know I've already asked a question about sanitizing and escaping, but I have a question which didn't get answered.

Okay, here it goes. If I have a PHP script and I GET the user's input and SELECT it from a MySQL database, would it matter / be any security risk if I didn't escape < and > through the use of either htmlspecialchars, htmlentities or strip_tags, and therefore allowed HTML tags to be selected/searched from the database? Because the input is already being sanitized through the use of trim(), mysql_real_escape_string and addcslashes (\\%_).

The problem with using htmlspecialchars is that it escapes the ampersand (&), which the user input is supposed to allow (I guess the same goes for htmlentities?). With the use of strip_tags, something like " " results in the PHP script selecting and displaying results for John, which it isn't supposed to do.

Here is my PHP-code for sanitizing the input, before selecting from the database:

if(isset($_GET['search'])) {
  if(strlen(trim($_GET['search'])) >= 3) {
      // escape LIKE wildcards (% and _) and the backslash, then escape for the SQL string literal
      $search = mysql_real_escape_string(addcslashes(trim($_GET['search']), '\%_'));
      // your_table: the table name is not given in the question
      $sql = "SELECT name, age, address FROM your_table WHERE name LIKE '%".$search."%'";
      [...]
  }
}

And here is my output for displaying "x matched y results.":

echo htmlspecialchars(strip_tags($_GET['search']), ENT_QUOTES, 'UTF-8')." matched y results.";

A good way to go about this is to use MySQLi; it uses prepared statements, which essentially escape everything for you on the backend and offer strong protection against SQL injection. Not escaping GET data is just as dangerous as not escaping any other input.

There are two different concerns here that you've identified.

User Data in SQL Statements

Whenever you're constructing a query, you need to be absolutely certain that no arbitrary user data will end up in it. These mistakes are called SQL injection bugs and are the result of failing to correctly escape your data. As a general rule, you should never, ever use string concatenation to compose a query. Whenever possible, use placeholders to ensure that your data is correctly escaped.

User Data in HTML Document

When you're rendering a page that contains user-submitted content, you need to escape it so that the user cannot introduce arbitrary HTML tags or scripting elements. This avoids XSS issues and means that characters like & and < do not get interpreted incorrectly. User data of "x < y" wouldn't end up breaking your page.

You'll always need to escape for whatever context you're rendering user data into. There are others, like inside a script tag or in a URL, but these are the two most common ones.
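As an added example (not code from the question or either answer), here is the search from the question rewritten along the lines of this answer: the term reaches MySQL through a placeholder, LIKE wildcards are escaped separately, and HTML escaping happens only at output time. It assumes a PDO connection and a table named `people`, which the question never names.

```php
<?php
// Added example: SQL and HTML are two separate escaping contexts.
// Assumptions: a PDO connection to MySQL and a hypothetical table `people`.

// Escape LIKE metacharacters with '!' as the escape character, so a user
// typing "%" or "_" searches for those literal characters instead of
// matching everything. The escape character itself is doubled first.
function escapeLike(string $term): string {
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term);
}

function findByName(PDO $pdo, string $term): array {
    // Placeholder binding: the term travels to MySQL as data, never as part
    // of the SQL text, so quotes, <, >, or -- inside it cannot alter the query.
    $stmt = $pdo->prepare(
        "SELECT name, age, address FROM people WHERE name LIKE :pattern ESCAPE '!'"
    );
    $stmt->execute([':pattern' => '%' . escapeLike($term) . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Escape for the HTML body context only when rendering. The raw term is kept
// for the database; < > & " ' are neutralised here rather than stripped, so
// a search for "Tom & <b>Jerry</b>" is both searched and displayed literally.
function html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);

$term = trim($_GET['search'] ?? '');
if (mb_strlen($term) >= 3) {
    $rows = findByName($pdo, $term);
    echo html($term) . ' matched ' . count($rows) . ' results.';
    foreach ($rows as $row) {
        // Data read back from the database is user-submitted too; escape it as well.
        echo '<li>' . html($row['name']) . '</li>';
    }
}
```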
