防御mysql注入和跨站点脚本编写的最佳方法 [英] Best way to defend against mysql injection and cross site scripting
问题描述
此刻,我采用了一种把所有东西扔在墙上,看看有什么办法"来阻止上述问题的方法.下面是我拼凑的功能:
At the moment, I apply a 'throw everything at the wall and see what sticks' method of stopping the aforementioned issues. Below is the function I have cobbled together:
function madSafety($string)
{
$string = mysql_real_escape_string($string);
$string = stripslashes($string);
$string = strip_tags($string);
return $string;
}
但是,我坚信有更好的方法可以做到这一点.我正在使用FILTER_ SANITIZE_STRING,但这似乎并不十分安全.
However, I am convinced that there is a better way to do this. I am using FILTER_ SANITIZE_STRING and this doesn't appear to to totally secure.
我想我想问的是,你们采用哪种方法,它们有多成功?谢谢
I guess I am asking, which methods do you guys employ and how successful are they? Thanks
推荐答案
仅仅做很多您不太了解的事情就不会对您有所帮助.您需要了解什么是注入攻击,以及确切的方法和在何处应执行的操作.
Just doing a lot of stuff that you don't really understand, is not going to help you. You need to understand what injection attacks are and exactly how and where you should do what.
要点:
- 禁用魔术引号.它们是一个不足的解决方案,并且使事情变得混乱.
- 切勿直接在SQL中嵌入字符串.使用绑定参数或转义(使用
mysql_real_escape_string).
从数据库中检索数据时, - 不要取消转义(例如,
stripslashes). - 在html中嵌入字符串时(例如,当
echo时),默认情况下应转义该字符串(将htmlentities与ENT_QUOTES结合使用). - 如果需要在html中嵌入html字符串,则必须考虑字符串的来源.如果不受信任,则应通过过滤器对其进行管道传输.从理论上讲,
strip_tags是您应该使用的,但是它有缺陷.改用 HtmlPurifier .
- Disable magic quotes. They are an inadequate solution, and they confuse matters.
- Never embed strings directly in SQL. Use bound parameters, or escape (using
mysql_real_escape_string). - Don't unescape (eg.
stripslashes) when you retrieve data from the database. - When you embed strings in html (Eg. when you
echo), you should default to escape the string (UsinghtmlentitieswithENT_QUOTES). - If you need to embed html-strings in html, you must consider the source of the string. If it's untrusted, you should pipe it through a filter.
strip_tagsis in theory what you should use, but it's flawed; Use HtmlPurifier instead.
这篇关于防御mysql注入和跨站点脚本编写的最佳方法的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
