I'm currently working on making sure that text that is submitted into the database for a webapplication I am working on is sanitized properly before being submitted to the database, and then retrieved and displayed correctly.
我目前正在努力确保提交到我正在处理的web应用程序的数据库中的文本在提交到数据库之前被正确清理,然后检索并正确显示。
Ignoring the jumble of sanitizing functions that are currently being used (it is currently a mess and breaks things), this is what I plan on doing:
忽略当前正在使用的混乱的消毒功能(目前这是一个混乱和打破的东西),这是我计划做的:
-
Use CKEditor for text input. It automatically converts HTML tags/symbols their HTML entities.
使用CKEditor进行文本输入。它会自动将HTML标记/符号转换为HTML实体。
-
Utilize PDO prepared statements to submit the text to the database.
利用PDO预处理语句将文本提交到数据库。
Is this enough to properly sanitize input? I've been reading up on this, and many people say to use magic quotes, however I read that magic quotes is old and most recommend against using it.
这足以正确消毒输入吗?我一直在阅读这篇文章,许多人都说要使用魔术引号,但是我读到魔术引用是旧的,大多数建议不要使用它。
Thank you in advance for any assistance!
提前感谢您的帮助!
2 个解决方案
#1
2
Well, PDO is okay only with basic cases from beginners manual.
Whatever complex issue will bring PDO into trouble as well as any other API.
好吧,PDO只适用于初学者手册的基本案例。无论什么复杂的问题都会给PDO带来麻烦以及任何其他API。
But as long as you are ready to waste your time writing huge insert statements, repeating every variable six to ten times following all these answers round here - PDO is okay.
但是只要你准备好浪费你的时间编写大量的插入语句,在这里回答所有这些答案之后重复每个变量六到十次 - PDO是可以的。
But just to let you know, there is no prepared statement for identifiers.
但只是为了让您知道,标识符没有准备好的声明。
As for the CKEditor - isn't it a client-side application? If so, it will protect nothing.
So, better follow an advise from another answer - pass untrusted user-input through htmlspecialchars() when displaying it on HTML page
至于CKEditor - 它不是客户端应用程序吗?如果是这样,它将保护任何东西。所以,更好地遵循另一个答案的建议 - 在HTML页面上显示时通过htmlspecialchars()传递不受信任的用户输入
#2
2
Don't use magic quotes. http://php.net/manual/en/security.magicquotes.php
不要使用魔法引号。 http://php.net/manual/en/security.magicquotes.php
This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0.
自PHP 5.3.0起,此功能已被弃用,自PHP 5.4.0起已被删除。
If you're using prepared statements then you should be safe from sql injection. Remember to run user-inputted data through htmlspecialchars() when displaying it on the front-end.
如果你正在使用预处理语句,那么你应该安全地从sql注入。在前端显示时,请记住通过htmlspecialchars()运行用户输入的数据。
#1
2
Well, PDO is okay only with basic cases from beginners manual.
Whatever complex issue will bring PDO into trouble as well as any other API.
好吧,PDO只适用于初学者手册的基本案例。无论什么复杂的问题都会给PDO带来麻烦以及任何其他API。
But as long as you are ready to waste your time writing huge insert statements, repeating every variable six to ten times following all these answers round here - PDO is okay.
但是只要你准备好浪费你的时间编写大量的插入语句,在这里回答所有这些答案之后重复每个变量六到十次 - PDO是可以的。
But just to let you know, there is no prepared statement for identifiers.
但只是为了让您知道,标识符没有准备好的声明。
As for the CKEditor - isn't it a client-side application? If so, it will protect nothing.
So, better follow an advise from another answer - pass untrusted user-input through htmlspecialchars() when displaying it on HTML page
至于CKEditor - 它不是客户端应用程序吗?如果是这样,它将保护任何东西。所以,更好地遵循另一个答案的建议 - 在HTML页面上显示时通过htmlspecialchars()传递不受信任的用户输入
#2
2
Don't use magic quotes. http://php.net/manual/en/security.magicquotes.php
不要使用魔法引号。 http://php.net/manual/en/security.magicquotes.php
This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0.
自PHP 5.3.0起,此功能已被弃用,自PHP 5.4.0起已被删除。
If you're using prepared statements then you should be safe from sql injection. Remember to run user-inputted data through htmlspecialchars() when displaying it on the front-end.
如果你正在使用预处理语句,那么你应该安全地从sql注入。在前端显示时,请记住通过htmlspecialchars()运行用户输入的数据。