Base64作为清理Mysql用户输入的方法 [英] Base64 as method of sanitizing user input for Mysql

问题描述

我认为，保证用户输入是mysql安全的唯一方法是使用仅允许mysql安全输入的白名单，或者将输入编码为始终返回mysql安全的内容.对我而言，Base64像一种候选编码方法，以及mysql_escape_string，对我来说都是接缝的……除了用户可读性之外，还有什么理由不应该使用Base64进行输入卫生吗?它被认为是不良做法吗?我还感觉到，如果问题是由mysql处理，而不是依靠单个程序员来确保数据是安全的，那么对用户数据进行所有过滤以确保适当的安全性可能更容易实现.例如，通过使用单个函数，而不是基于查询的字符串，因此在整个调用过程中，命令和用户输入保持独立...

I would assume that the only way to guarantee that a user input is mysql safe is to use either a whitelist where you only allow mysql safe input, or by encoding the input into something that will always return mysql safe. Base64 seams to me like one candidate for such an encoding, along with mysql_escape_string... Is there any reason besides user readability that one should not use Base64 for input sanitation? Is it considered bad practice? I also have a sense that all the filtering of user data to ensure proper safety could have been easier to achieve if the problem was handled by mysql rather then relying on the individual programmer to ensure that the data is safe... For example by using individual functions rather than a query based string, so that the command and user input remains separate throughout the call...

Like: mysql_query("SELECT * FROM Users WHERE username=","$userinput");

或者可以使用编码:

$input = encode($_POST['UserInput']);
mysql_query("SELECT * FROM Users WHERE username='$input'");

推荐答案

请勿输入清理" 作为防止SQL注入的一种方法⁽¹⁾- 使用占位符(或适当的转义)，总是.始终如一.注意安全.问题已经解决.

Don't "sanitize" input as a means to prevent SQL Injection⁽¹⁾ - use placeholders (or proper escaping), always. Be consistent. Be safe. The problem is already solved.

由于，这种情况将是安全的" www.php.net//manual/en/function.base64-encode.php"rel =" nofollow noreferrer> base64_encode 函数. 但是..

除了用户可读性之外，还有什么理由不应该使用Base64进行输入卫生吗?这被认为是不良做法吗?

Is there any reason besides user readability that one should not use Base64 for input sanitation? Is it considered bad practice?

这是错误的做法，并且存储base64编码的值(以使显示的查询可以运行 ² )带有一些负含义， 更改存储的信息:它破坏值的顺序，使信息不可轻易搜索，需要其他 >编码/解码"步骤，甚至消耗更多空间-哎呀！

It is bad practice and storing base64-encoded values (such that the shown query may work²) carries several negative implications as it changes the information stored: it destroys the ordering of values, makes the information not trivially-searchable, requires an additional "encode/decode" step, and even consumes more space - ouch!

因此，尽管在某些情况下可能会对base64编码数据进行处理，但 这种方法不太适合作为缓解

Thus, while there may be specific cases to base64-encode data, this approach is not well-suited as a means to mitigate SQL Injection.

..如果问题是由mysql处理，而不是依靠单个程序员来确保数据是安全的，则可以更轻松地实现适当的安全性.

.. proper safety could have been easier to achieve if the problem was handled by mysql rather then relying on the individual programmer to ensure that the data is safe..

问题是由于通过文本协议访问SQL所致，其中查询命令/形状和值混合在一起.使用正确转义技术(例如

The problem is due to accessing SQL via a text protocol where the query command/shape and values are intermixed. The use of correct escaping techniques (e.g. mysql_real_escape_string) fixes this by ensuring that the information is escaped so that the SQL text is parsed as intended - however, unlike a base64-encode step it does not actually change the information supplied!

例如通过使用单个函数而不是基于查询的字符串，以便在整个调用过程中命令和用户输入保持独立...

For example by using individual functions rather than a query based string, so that the command and user input remains separate throughout the call...

正是占位符提供了什么！占位符是 the 普遍正确的方法，应予以鼓励.占位符允许将查询和值发送到当库/数据库支持时，数据库分别 ；并以其他方式转义来模拟.正确使用占位符消除了 SQL注入，消除了用户代码将值混入SQL命令文本的需求，这也使查询的编写和维护更加容易.

This is exactly what placeholders provide! Placeholders are the universally correct approach and should be encouraged. Placeholders allow the query and values to be sent to the database separately when supported by the library/database; and are emulated by escaping otherwise. Correct placeholder usage eliminates SQL Injection and the need for user code to intermix values into SQL command text, which can also make queries easier to write and maintain.

为防止单个程序员"编写糟糕的查询，解决方案是防止临时查询分散在代码中:将数据访问操作收集到

To prevent "individual programmers" from writing terrible queries, the solution is to prevent ad-hoc queries from being scattered around in code: collect the data-access operations into a Data Access Layer (DAL) (possibly in conjunction with an ORM) and only expose relevant actions, ensuring proper use of SQL within the DAL. In simpler projects the DAL is also a suitable location to centrally manage the business rules for sanitation¹ and other validation logic.

¹ 更准确:

¹ More accurately:

业务规则的

• 消毒值；这样可以防止错误信息"，例如用户名太短，包含受限制的字符或以其他方式不能满足业务要求.

• Sanitize values for business rules; this should prevent "bad information", such as a username that is too short, contains restricted characters, or otherwise fails to meet business requirements.

使用占位符防止 SQL注入. 严格与将数据传输到SQL有关，并且与其中的信息无关.

Use placeholders to prevent SQL Injection. This is strictly related to transfering the data to SQL and has no bearing on the information therein.

² 在MySQL 5.6.1中添加

² While MySQL 5.6.1 adds FROM_BASE64, such that the encoding might simply be used in the SQL command text, this still adds an additional explicit decode step and complicates the query when using such an encoding scheme. This base64 approach is simply not necessary, as there are already proven techniques to prevent SQL injection, and was not proposed in the initial question.

这篇关于Base64作为清理Mysql用户输入的方法的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！