Apart from XSS and SQL injection, what can I do to protect my site?

Time: 2023-01-06 05:05:32


So, members of my website can post topics, replies, comments, edit them and so on. I always use htmlspecialchars and addslashes for html inputs to protect my site against XSS and SQL injection attacks. Is it enough or is there something more I miss?
Thanks.

6 solutions

#1


8  

There is a lot that can go wrong with a web application. Other than XSS and SQLi, there is:

  1. CSRF - Cross Site Request Forgery
  2. LFI/RFI - Local File Include/Remote File Include caused by include(), require()...
  3. CRLF injection in mail()
  4. Global Variable Namespace Poisoning commonly caused by register_globals, extract(), import_request_variables()
  5. Directory Traversal: fopen(), file_get_contents(), file_put_contents()
  6. Remote Code Execution with eval() or preg_replace() with /e
  7. Remote Code Execution with passthru(), exec(), system() and ``

There is a whole family of vulnerabilities regarding Broken Authentication and Session Management which is a part of the OWASP Top 10 that every web app programmer must read.

A Study In Scarlet is a good black paper that goes over many of these vulnerabilities that I have listed.

However, there are also strange vulnerabilities like this one in Wordpress. The definitive authority on what is a vulnerability is the CWE system which classifies HUNDREDS of vulnerabilities, many of which can affect web applications.

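An added example (mine, not the answerer's) of the defensive pattern behind the LFI/RFI and directory traversal items in this list: page names resolved through a fixed allow-list instead of a user-supplied include path, and file access confined to a base directory with realpath(). The page map, the uploads directory and the request parameter names are assumptions.

```php
<?php
// Added example, not from the answer. Paths and parameter names are assumptions.

// 1. LFI/RFI: never feed request data to include()/require(). Map the
//    request value onto a fixed allow-list and include only what we chose.
//    (Keep allow_url_include=Off in php.ini so remote URLs cannot be included.)
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'topics'  => __DIR__ . '/pages/topics.php',
    'profile' => __DIR__ . '/pages/profile.php',
];

function resolvePage(string $requested): string
{
    // Unknown keys fall back to the default page; the user never supplies a path.
    return PAGES[$requested] ?? PAGES['home'];
}

// 2. Directory traversal: when a file must be addressed by name (attachments),
//    drop any directory part, canonicalise with realpath() and confirm the
//    result still lies inside the base directory before opening it.
function safeAttachmentPath(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                                  // base directory missing: refuse
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . basename($name));
    // realpath() is false for non-existent files; the prefix test rejects anything
    // that resolved (through ".." or a symlink) to a location outside $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($candidate === false || strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Usage sketch:
// include resolvePage($_GET['page'] ?? 'home');
// $path = safeAttachmentPath(__DIR__ . '/uploads', $_GET['file'] ?? '');
// if ($path !== null) { readfile($path); } else { http_response_code(404); }
```
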
#2


6  

You should use prepared statements (see PDO) to prevent SQL injection. When outputting the content htmlspecialchars() seems sufficient to prevent XSS.

Also take a look at these links for more ways to protect your site:

http://phpsec.org/projects/guide/

http://cwe.mitre.org/top25/#Listing

http://www.owasp.org/index.php/Top_10_2010-Main

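The two recommendations in this answer worked through as an added example (my code, not the answerer's): a comment stored through a PDO prepared statement and rendered with htmlspecialchars(). The DSN, credentials and the `comments` table are assumptions.

```php
<?php
// Added example, not from the answer. DSN, credentials and the `comments`
// table are assumptions.

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=forum;charset=utf8mb4',
        'forum_user',
        'change-me',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            // Ask MySQL for real server-side prepares rather than client-side
            // string substitution, so data and SQL text never meet as one string.
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
}

// The SQL text is fixed at development time; the comment body travels as a
// bound parameter, so quotes or SQL keywords inside it are stored as plain text.
function storeComment(PDO $pdo, int $topicId, int $userId, string $body): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO comments (topic_id, user_id, body) VALUES (:topic, :user, :body)'
    );
    $stmt->execute([':topic' => $topicId, ':user' => $userId, ':body' => $body]);
    return (int) $pdo->lastInsertId();
}

// Encode once, at output time, for the HTML body context. ENT_QUOTES also
// escapes single quotes (needed if the value ever lands in a single-quoted
// attribute); ENT_SUBSTITUTE keeps invalid UTF-8 from silently emptying the
// output; the explicit charset must match the page's declared encoding.
function renderComment(string $body): string
{
    return '<p class="comment">'
        . htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</p>';
}

// Usage sketch:
// $pdo = connect();
// storeComment($pdo, (int) $_POST['topic'], (int) $_SESSION['user_id'], (string) $_POST['body']);
// $sel = $pdo->prepare('SELECT body FROM comments WHERE topic_id = :topic');
// $sel->execute([':topic' => (int) $_GET['topic']]);
// foreach ($sel as $row) { echo renderComment($row['body']); }
```
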
#3


2  

A better approach to protect against SQL injection is to use the escape function specifically written for each database - for example, for PostgreSQL use pg_escape_string to escape string fields before inserting them into the database. Or in your case, use mysql_real_escape_string.

#4


2  

You should use mysql_real_escape_string() for SQL, not addslashes. (Assuming you are using MySQL)

#5


0  

When inserting data into the database, use prepared statements. PDO is better than mysql_real_escape_string.

When displaying data, such as comments, posts, use htmlentities.

#6


0  

SQL injection:

  1. Neither addslashes nor mysql_real_escape_string could help alone, but only when used according to some rules. And even then it's not enough. So, that's why prepared statements are way better for newbies - they require no thinking.

  2. Both escaping and prepared statements can help with data only. For the operators/identifiers there are distinct rules. (Not a big deal though - every possible combination must be hardcoded in the script)

XSS:

Do not allow users to use HTML.
To prevent this, either strip_tags() (with no allowed tags) or htmlspecialchars() can be used.
If you want to allow some markup, consider using BB-code.

CSRF:

Any significant form must contain a unique token, which should be compared to the one saved in the session.

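An added example (my code, not the answerer's) covering the two points of this answer that prepared statements do not handle by themselves: the identifier rule for ORDER BY, where every allowed column/direction is hardcoded, and the session-bound CSRF token compared on submit. The column map, session key and form field name are assumptions.

```php
<?php
// Added example, not from the answer. Column map, session key and form
// field name are assumptions.

// --- Identifiers: an ORDER BY column or direction cannot be a bound
// parameter, so every allowed combination is hardcoded and anything else
// silently falls back to the default.
const SORT_COLUMNS = ['created_at' => 'created_at', 'score' => 'score', 'author' => 'user_id'];
const SORT_DIRS    = ['asc' => 'ASC', 'desc' => 'DESC'];

function buildTopicQuery(string $sortKey, string $dirKey): string
{
    $column = SORT_COLUMNS[$sortKey] ?? 'created_at';   // unknown key -> default
    $dir    = SORT_DIRS[$dirKey]     ?? 'DESC';
    // Only the data value (:forum) is a parameter; the identifier comes from
    // our own map, never from the request string.
    return "SELECT id, title FROM topics WHERE forum_id = :forum ORDER BY `$column` $dir";
}

// --- CSRF: one random token per session, embedded in every state-changing
// form and compared in constant time when the form is submitted.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfField(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

function csrfValid(array $post): bool
{
    $sent  = $post['csrf_token'] ?? '';
    $saved = $_SESSION['csrf_token'] ?? '';
    // hash_equals() avoids leaking the token through timing differences.
    return is_string($sent) && $saved !== '' && hash_equals($saved, $sent);
}

// Usage sketch:
// session_start();
// if ($_SERVER['REQUEST_METHOD'] === 'POST' && !csrfValid($_POST)) { http_response_code(403); exit; }
// $stmt = $pdo->prepare(buildTopicQuery($_GET['sort'] ?? '', $_GET['dir'] ?? ''));
// $stmt->execute([':forum' => (int) $_GET['forum']]);
```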