Security concerns while using MongoDB PHP driver


Question

I have experience securing against SQL injection on MySQL, but what should I be careful about on MongoDB using the PHP driver? In most of the pages I get data via GET/POST and search/insert into the system. I search via UDID / other fields, and can insert any string value. Also I get the user's cookies via JavaScript.

  1. So when handling GET/POST, should I apply the htmlentities function to each variable?

What would replace mysql_real_escape_string? Should I use it?

For example, when doing

$download = array( 'url' => $_GET['url'] );

$downloads->insert($download); 

is this OK?

  1. Is there a way to check if a string is really a UID?

Anything else I should be aware of when using MongoDB and PHP? I do get my cookies using JavaScript, and search in my DB using the cookies. What about that?

Answer

So when handling GET/POST, should I apply the htmlentities function to each variable?

No need to. You should, however, use htmlentities when outputting user-generated data to a browser, to prevent XSS attacks.

What would replace mysql_real_escape_string? Should I use it?

You shouldn't use mysql_real_escape_string, as it's for MySQL. Nothing replaces it on MongoDB; the driver takes care of escaping the data for you.

Is there a way to check if a string is really a UID?

The only way to validate it is to query MongoDB with that string and check if it exists.

However, you can validate that the format is correct:

// MongoId is the ObjectId class of the legacy "mongo" PHP extension used in the question.
$id = '4f1b166d4931b15415000000';
$a = new MongoId($id);
var_dump($a->{'$id'} == $id); // true: a 24-hex-digit string is kept as the id

$id = 'foo';
$a = new MongoId($id);
var_dump($a->{'$id'} == $id); // false: the invalid string is not used as the id

Anything else I should be aware of when using MongoDB and PHP? I do get my cookies using JavaScript, and search in my DB using the cookies. What about that?

Not much. As for any web application, you are very much discouraged from storing sensitive data in cookies, such as user identifiers, passwords, etc., as they can easily be tampered with and used to access parts of your application that should be restricted, or to impersonate other users.
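Added example (editor's code, not part of the question or the answer above): the string check for GET/POST input, the ObjectId format check, and the opaque session cookie discussed in this answer, in plain PHP that runs without the MongoDB extension. It goes one step past the answer: the driver does escape string values, but PHP parses `url[$ne]=1` into an array, and the driver encodes an array value as a BSON document, so a query operator reaches the server unless the input is required to be a string. The functions return the arrays you would hand to the driver's find()/insert(); the `$sessions` array, the sample URL and the sample token are constructed stand-ins for a server-side store and real traffic.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original question or answer. Pure PHP: the
// arrays built here are what you would pass to the driver; no MongoDB
// connection is needed to run it.

// PHP's query-string parser builds nested arrays, so "url[$ne]=1" arrives as
// ['url' => ['$ne' => '1']]. The driver encodes an array value as a BSON
// document, which turns it into a query operator matching every document.
function parseQueryString(string $qs): array
{
    parse_str($qs, $out);
    return $out;
}

// Accept a request parameter only if it is a plain string of sane length.
// Arrays (and therefore operators such as $ne, $regex, $where) are rejected.
function requireString(array $input, string $key, int $maxLen = 2048): string
{
    if (!isset($input[$key]) || !is_string($input[$key])) {
        throw new InvalidArgumentException("parameter '$key' must be a string");
    }
    $value = $input[$key];
    if (strlen($value) > $maxLen || strpos($value, "\0") !== false) {
        throw new InvalidArgumentException("parameter '$key' is too long or contains NUL");
    }
    return $value;
}

// Format check for an ObjectId string: exactly 24 hex digits. This only says
// the value could be an id; whether it exists is still a question for the DB.
function isObjectIdString(string $id): bool
{
    return preg_match('/\A[0-9a-fA-F]{24}\z/', $id) === 1;
}

// Filter for the "find by id" case. With the driver you would wrap the validated
// string: new MongoDB\BSON\ObjectId($id), or new MongoId($id) on the legacy driver.
function buildIdFilter(array $input): array
{
    $id = requireString($input, 'id', 24);
    if (!isObjectIdString($id)) {
        throw new InvalidArgumentException('id is not a 24-hex-digit ObjectId');
    }
    return ['_id' => $id];
}

// Document for the insert shown in the question. Beyond the string check, the
// URL is validated so that only absolute http(s) URLs are stored.
function buildDownloadDocument(array $input): array
{
    $url = requireString($input, 'url');
    $parts = parse_url($url);
    $scheme = isset($parts['scheme']) ? strtolower($parts['scheme']) : '';
    if ($parts === false || !isset($parts['host']) || !in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('url must be an absolute http(s) URL');
    }
    return ['url' => $url];
}

// Session cookie: an opaque random token looked up server-side, so the cookie
// carries no user id or password a client could edit. $sessions stands in for
// the server-side store (a collection in practice).
function issueSession(array &$sessions, string $userId): string
{
    $token = bin2hex(random_bytes(32));
    $sessions[$token] = $userId;
    return $token;
}

function resolveSession(array $sessions, string $cookieValue): ?string
{
    // Reject anything that is not a 64-hex-digit token before touching the store.
    if (preg_match('/\A[0-9a-f]{64}\z/', $cookieValue) !== 1) {
        return null;
    }
    return $sessions[$cookieValue] ?? null;
}

// --- Constructed sample input (not captured traffic) ---------------------------
$attack = parseQueryString('url[$ne]=1');
try {
    buildDownloadDocument($attack);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
print_r(buildDownloadDocument(['url' => 'https://example.com/file.bin']));
print_r(buildIdFilter(['id' => '4f1b166d4931b15415000000']));
var_dump(isObjectIdString('foo'));

$sessions = [];
$token = issueSession($sessions, '4f1b166d4931b15415000000');
var_dump(resolveSession($sessions, $token));
var_dump(resolveSession($sessions, 'tampered'));
// If only the server needs the cookie, send it HttpOnly so page scripts cannot read it:
// setcookie('sid', $token, ['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
```

The first call is rejected because `parse_str` delivered an array, not a string, for `url`; the same check protects every parameter that ends up in a filter or document. The ObjectId regex works regardless of which driver or driver version is installed, unlike the `MongoId` round-trip shown in the answer.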
