有关XSS攻击和SQL注入的问题 [英] Issue about XSS Attack and SQL Injection

问题描述

我是web security的新手.花了一些时间阅读一些博客和社区网站(例如SO)后，我发现有些技术对于XSS Attack和SQL Injection是安全的.但是问题是，大多数与安全相关的问题非常古老.所以，我的问题是

I'm new to web security.After spending time reading some blogs and community sites like SO,I have found some techniques to be safe from XSS Attack and SQL Injection.But the problem is,most of that security related questions are very old.So,my question is

does my following code has any major security holes that can be bypassed by amateur or mid-level attacker(hacker).

还有什么我可以做的以免受攻击吗?顺便说一句，我正在使用HTMLPurifier来保护自己免受XSS Attack

Is there anything else I can do to be safe from attack?By the way,I'm using HTMLPurifier to be safe from XSS Attack

PHP

require_once '/path/to/HTMLPurifier.auto.php';

$connect_dude=mysqli_connect('localhost','root','','user');

$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);

if(isset($_POST["sub"])){
  $name=$_POST["namex"];
  $email=$_POST["email"];
  $ques=$_POST["ques"];
  $clean_name = $purifier->purify($name);
  $clean_email = $purifier->purify($email);
  $clean_ques = $purifier->purify($ques);

  $stmt = mysqli_stmt_init($connect_dude);
     if(mysqli_stmt_prepare($stmt, 'INSERT INTO question (name,email,question) VALUES(?,?,?)')) {

        mysqli_stmt_bind_param($stmt, "sss", $clean_name, $clean_email, $clean_ques);
        mysqli_stmt_execute($stmt);
      }
}

HTML表单

<div id="form">
  <form id="sub_form" action="ask.php" method="post" enctype="multipart/form-data">
     <p id="nam" class="indi">Name</p><input type="text" id="namex" name="namex" placeholder="Your Name" required></br>
     <p id="ema" class="indi">Email</p><input type="text" id="email" name="email" placeholder="Email" required></br>
     <p id="que" class="indi">Question</p><textarea id="ques" name="ques" placeholder="Question" required></textarea></br>
     <input type="submit" id="sub" name="sub" value="Send">
  </form>
</div>

推荐答案

SQL很好，参数化查询是防止SQL注入的最佳实践方法.

The SQL stuff is fine, parameterised queries are the best-practice approach to prevent SQL injection.

使用XSS的方法有点奇怪.

The approach to XSS is... a bit weird.

HTMLPurifier用于您要允许用户输入有限的HTML标记的地方.如果您不介意提供自己的自定义迷你标记语言(如Markdown)，那么对于可格式化的自由文本字段(例如，我猜ques是)可能是合理的.

HTMLPurifier is of use where you want to allow the user to input limited HTML markup. That can be reasonable for formattable freetext fields (like I'm guessing ques is) if you can't be bothered to go as far as providing your own custom mini-markup language like Markdown.

但是，您是否真的希望用户能够为所有字段输入标记，包括名称和电子邮件地址?我应该可以命​​名为"Edw ard B oi ng J r"吗?用户是否每次都要使用&"号都必须输入&?

But do you really want the user to be able to input markup for all fields, including their name and e-mail address? Should I be able to have the name "Edward Boing Jr"? Are users going to have to enter & every time they want to use an ampersand?

一种更好的方法通常是按原样接受纯文本，然后在将其插入HTML页面时(例如，使用<?php echo htmlspecialchars($value); ?>)对HTML进行转义，以便用户输入的确切字符串出现在这一页.故意允许标记的字段(因此使用HTMLPurifier代替htmlspecialchars)通常是非常例外的情况.

A better approach is usually to accept plain text as it is, and then HTML-escape it at the point you insert it into an HTML page (eg with <?php echo htmlspecialchars($value); ?>) so that the exact string entered by the user appears in the page. The fields where you deliberately allow markup (and so use HTMLPurifier instead of htmlspecialchars) are typically very much exceptional cases.

请注意，如果要注入其他上下文，则需要不同的转义功能:例如，如果要注入<script>块中的JavaScript字符串，则需要JS字符串转义，并且htmlspecialchars或HTMLPurifier都无济于事你就是那个.

Note that if you are injecting into other contexts you need different escaping functions: for example if you are injecting into a JavaScript string in a <script> block then you need JS-string escaping and neither htmlspecialchars nor HTMLPurifier will help you with that.

这篇关于有关XSS攻击和SQL注入的问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！