It's a well-covered topic, but I'd like to get some confirmation on methods of using data from user variables, in a few different situations.
- The variable is never used in a database, never stored, only displayed on screen for the user. Which function to use to make sure no HTML or JavaScript can screw things up?
- The variable is taken into the database, and used in SQL queries.
- The variable does both.

At the moment I xss_clean and strip_tags. I've always done this, just on autopilot. Is there a better technique? Apologies if there's an identical question out there. I kinda assume there is, although I couldn't find one as thorough as this.
Cheers.
4 solutions
#1
4
- Use the appropriate function while outputting; in HTML context, this is htmlspecialchars
- Use prepared statements
- See 1. and 2. – depending on whether you are displaying the variable or you are using it in a query.
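The three cases from the question, written out as an added example (this is not the answer's own code): htmlspecialchars at the moment of output, a PDO prepared statement for the query, and the "both" case where the same value is stored verbatim and encoded only when displayed. It assumes the pdo_sqlite extension so the query part runs against an in-memory database; the table name, column names and the sample input are constructed for the example.

```php
<?php
// Added example: output encoding and prepared statements for the three cases
// in the question. Assumes pdo_sqlite so it runs offline against :memory:.
declare(strict_types=1);

// Case 1: display only. Encode for the HTML text/attribute context at output time.
function forHtml(string $value): string
{
    // ENT_QUOTES also encodes single quotes, which matters inside attribute values;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    // The charset argument must match the charset the page declares.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Case 2: store and query. The data travels through placeholders and is never
// concatenated into the SQL string, so quotes and semicolons in it are just data.
function addComment(PDO $db, string $author, string $body): void
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
}

function findComments(PDO $db, string $author): array
{
    $stmt = $db->prepare('SELECT id, author, body FROM comments WHERE author = :author');
    $stmt->execute([':author' => $author]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT NOT NULL, body TEXT NOT NULL)');

// Constructed sample input standing in for $_POST; it carries both SQL and HTML
// metacharacters so that each stage has something to handle.
$author = "O'Brien";
$body   = '<b>1 < 2</b> & "quotes" <script>alert(1)</script>';

// Case 3: the same variable does both. It is stored as-is (placeholder) and
// encoded for the HTML context only at the point where it is written to the page.
addComment($db, $author, $body);
foreach (findComments($db, $author) as $row) {
    // The row comes back from the database unchanged...
    assert($row['body'] === $body);
    // ...and the encoding happens here, once, for this output context.
    echo '<p>', forHtml($row['author']), ': ', forHtml($row['body']), "</p>\n";
}
```

Note that nothing is "cleaned" on the way in: the stored value stays exactly what the user typed, and each sink (the SQL statement, the HTML page) gets the treatment that sink needs. If the same value were later written into a JavaScript string or a URL, those contexts would need their own encoding, not htmlspecialchars.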
#2
2
One of the worst disbeliefs of the PHP folks is that $_GET or $_POST has anything to do with security.
It is not source but destination that matters!
- If you have to deal with a database, the rules are always the same, no matter if data is coming from $_POST, a SOAP request or a database. It has to be ALWAYS the same: placeholders for the data, whitelisting for everything else.
- If you have to output some data into a browser, you have to properly prepare it, no matter if data is coming from $_POST, a SOAP request or a database.
- If you have to read a file, you have to secure the filename, no matter where it is coming from.
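An added example (not the answer's own code) for the two parts of this answer that a placeholder cannot cover: "whitelisting for everything else" for a column name and sort direction that end up in an ORDER BY clause, and "secure a filename" for a file read. Column names, the `uploads` directory, and the request values are constructed for the example; `str_starts_with` assumes PHP 8.0 or later.

```php
<?php
// Added example: the parts of a query and a file access that cannot be bound as
// parameters are matched against fixed lists instead of being escaped.
declare(strict_types=1);

const SORTABLE_COLUMNS = ['created_at', 'author', 'id'];
const SORT_DIRECTIONS  = ['ASC', 'DESC'];

// Builds the ORDER BY part from request input without interpolating that input:
// the SQL only ever contains strings taken from the constant lists above, and
// the real runtime value (the author filter) is left to a placeholder.
function buildListQuery(string $requestedColumn, string $requestedDirection): string
{
    $column = in_array($requestedColumn, SORTABLE_COLUMNS, true) ? $requestedColumn : 'id';
    $direction = strtoupper($requestedDirection);
    if (!in_array($direction, SORT_DIRECTIONS, true)) {
        $direction = 'ASC';
    }
    return "SELECT id, author, body FROM comments WHERE author = :author ORDER BY $column $direction";
}

// Resolves a user-supplied file name to a path inside $baseDir, or returns null.
// It refuses names with a directory component or unexpected characters and then
// checks the *resolved* path, so '..' segments and symlinks pointing outside the
// directory are rejected as well.
function secureFilePath(string $baseDir, string $userFile): ?string
{
    if ($userFile === '' || $userFile !== basename($userFile)) {
        return null; // contains a directory separator
    }
    if (!preg_match('/\A[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)?\z/', $userFile)) {
        return null; // allow-list of characters; no dot files, no double extensions
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $userFile);
    if ($base === false || $path === false) {
        return null; // base directory or file does not exist
    }
    // The resolved path must sit strictly below the resolved base directory.
    return str_starts_with($path, $base . DIRECTORY_SEPARATOR) ? $path : null;
}

// Constructed request values standing in for $_GET.
echo buildListQuery('author', 'desc'), "\n";        // both values are on the lists
echo buildListQuery('not_a_column', 'sideways'), "\n"; // falls back to the defaults

// Constructed directory with one file, so the file check runs offline.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'uploads_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'report.txt', "constructed sample content\n");

var_dump(secureFilePath($dir, 'report.txt'));          // resolved path inside $dir
var_dump(secureFilePath($dir, '../outside.txt'));      // rejected: directory component
var_dump(secureFilePath($dir, 'missing.txt'));         // rejected: does not exist

unlink($dir . DIRECTORY_SEPARATOR . 'report.txt');
rmdir($dir);
```

The difference from escaping is that neither function ever tries to make a bad value safe: an unknown column falls back to a default and an unknown file name yields null, so the only strings that reach SQL or the filesystem are ones the code already knew about.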
#3
-1
- In the first case htmlspecialchars() probably is the best choice, allowing users to use all characters like <, >, &, etc.
- In the second case you will need to use some database escaping function like mysql_real_escape_string or a prepared statement with PDO or mysqli. Prepared statements are the best choice here, but if you are only familiar with mysql then mysql_real_escape_string works fine too. If you are not using mysql then there are similar functions in most SQL APIs.
- In the third case do both, but separately, which gives you two different results: one for output and one for the database.
References:
http://php.net/manual/en/function.htmlspecialchars.php
http://php.net/manual/en/function.mysql-real-escape-string.php
#4
-1
$id = "1;drop table users;";
$id = mysql_real_escape_string($id); // nothing here is escaped: no quotes, backslashes, NULs or line breaks, so $id is unchanged
$sql = "SELECT * FROM table WHERE id=$id"; // unquoted numeric context: the escaped value still ends the statement and starts another
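An added example (not the answer's own code) that makes the point of the snippet above checkable and shows the fix on the validation side. mysql_real_escape_string needs a live MySQL connection and was removed in PHP 7, so `escapeLikeMysql()` below is a stand-in that applies the same character rules (quotes, backslash, NUL, CR, LF and Ctrl-Z); it is an assumption for the demo, not the real function. The table and column names are constructed.

```php
<?php
// Added example: escaping only touches string delimiters, so a value placed in an
// unquoted numeric position passes through unchanged. The defence for a numeric
// column is to validate the type before the value gets anywhere near SQL.
declare(strict_types=1);

// Stand-in for mysql_real_escape_string (same escaped characters, no connection needed).
function escapeLikeMysql(string $s): string
{
    return strtr($s, [
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

// The input from the answer: none of its characters are on the escape list.
$raw = '1;drop table users;';
assert(escapeLikeMysql($raw) === $raw);
echo 'Escaped but unquoted: SELECT * FROM table WHERE id=', escapeLikeMysql($raw), "\n";

// The fix for a numeric column: require an integer and reject everything else.
// FILTER_VALIDATE_INT accepts only a well-formed integer string (optional sign,
// digits, no surrounding junk), so '1;drop table users;' is refused outright.
function requireInt(string $raw): int
{
    $n = filter_var($raw, FILTER_VALIDATE_INT);
    if ($n === false) {
        throw new InvalidArgumentException('id must be an integer');
    }
    return $n;
}

// Once the value is a PHP int, interpolating it cannot change the statement's
// structure; a prepared statement with PDO::PARAM_INT is still the better default.
function buildLookup(string $raw): string
{
    return 'SELECT * FROM table WHERE id=' . requireInt($raw);
}

echo buildLookup('1'), "\n";      // the legitimate id is accepted
echo buildLookup('-42'), "\n";    // signed integers are still integers
foreach ([$raw, '1 OR 1', '1.0', ''] as $bad) {
    try {
        buildLookup($bad);
    } catch (InvalidArgumentException $e) {
        echo 'Rejected ', var_export($bad, true), ': ', $e->getMessage(), "\n";
    }
}
```

The general rule behind this: escaping is tied to one quoting context (a string literal delimited by quotes), and it does nothing for a value dropped into an identifier, a number, or a LIMIT clause. For those positions validate the value into the type the column actually has, or use a placeholder bound with the matching type.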