If I only sanitize GET and POST data, will I be safe from injection?


Question

I'm just thinking about the best way to go about sanitizing my data to prevent injection attacks. Some people like to sanitize immediately before output, or immediately before insertion to the database... but the problem I see with this is twofold: (1) what if you miss a parameter/variable? (2) what if you're over-sanitizing? Not that it would hurt the output, but there's not much sense sanitizing stuff you already know is safe.

For example, in PHP, instead of using $_GET and $_POST, couldn't I wrap those with something like:

function get($var) {
    // my_sanitizer is the proposed catch-all sanitizer, applied to every GET parameter
    return my_sanitizer($_GET[$var]);
}

Or would that not be enough? Where else could malicious code sneak in?

After reading the answers below, I realize this question was a bit foolish. It depends on whether you're inserting into the database or outputting HTML. In that case, perhaps it is better to do it just before usage. That's okay though, it's easy enough to wrap output methods too...

Answer

There's more than one kind of sanitization, and more than one kind of injection. For instance, you'll generally want to sanitize or escape HTML and JS sometime before output. But the appropriate choice (e.g., stripping out all HTML, allowing HTML in a whitelist, making the user enter something else, or just escaping it so it shows as text) depends on the application.

As far as database injection goes, I agree with Nate that you should use prepared statements for this instead (sometimes these use escaping internally, but that's not your concern).

In summary, a homemade catch-all my_sanitizer that you run immediately upon getting any data is probably the wrong choice.
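An added PHP example illustrating the answer's point (not code from the original question or answer): a constructed body for the question's catch-all my_sanitizer damages a legitimate value before anyone knows where it will be used, while escaping at HTML output and binding SQL parameters each handle their own context. It assumes the pdo_sqlite extension is available.

```php
<?php
// Added example, not code from the original question or answer. It contrasts the
// catch-all input sanitizer proposed in the question with context-specific handling.
// Assumes the pdo_sqlite extension; my_sanitizer's body is a constructed stand-in.

// The question's approach: one "do everything" sanitizer applied as data comes in.
function my_sanitizer(string $value): string
{
    return addslashes(strip_tags($value));
}

// Context-specific handling, part 1: escape for HTML only at the point of HTML output.
function html_text(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Context-specific handling, part 2: for SQL, bind parameters so the driver keeps the
// data separate from the query text. Our code does no SQL escaping at all.
function find_users(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed test data: a legitimate name that happens to contain a quote and a tag.
$legitName = "O'Brien <b>";
$db->prepare('INSERT INTO users (name) VALUES (:name)')->execute([':name' => $legitName]);

// 1. The catch-all alters the value at input time, before anyone knows where it is
//    going, so a later lookup misses the row that really exists (over-sanitization).
$mangled = my_sanitizer($legitName);
printf("catch-all turned %s into %s and found %d row(s)\n",
    var_export($legitName, true), var_export($mangled, true), count(find_users($db, $mangled)));

// 2. A bound parameter passes the exact value through, so the real row is found.
printf("bound lookup found %d row(s)\n", count(find_users($db, $legitName)));

// 3. The same value is escaped for HTML only when it is emitted as HTML.
echo "HTML output: ", html_text($legitName), "\n";
```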
