如何使 $_POST 更安全? [英] How to make $_POST more secured?

问题描述

这是我从 Facebook 工程页面获得的示例代码.

This is a sample code that i got from Facebook Engineering page.

<?php
if ($_POST['name']) {
?>
    <span>Hello, <?=$_POST['name']?>.</span>
<?php 
} else {
?>
<form method="post">
What is your name?<br>
<input type="text" name="name">
<input type="submit">
</form>
<?php
}

它说上面的代码不安全，因为它对跨站点脚本开放.正确的方法是通过 htmlspecialchars() 传递 $_POST['name'].但是，他们表示这是糟糕的编程实践.

It says that the above code is not secured because it is open to cross site scripting. the correct way is to pass the $_POST['name'] via htmlspecialchars(). However, they stated that it is poor programming practice.

总是通过 htmlspecialchars() 传递 $_POST 变量效率低下吗?

Is always passing $_POST variable via a htmlspecialchars() inefficient?

我想不出任何方法来确保它的安全.他们介绍了我不愿意使用的 XHP.

I can't thought of any way to make it secure. They introduce XHP which i am reluctant to use.

参考:https://www.facebook.com/notes/facebook-engineering/xhp-a-new-way-to-write-php/294003943919

推荐答案

正确的方法是通过 htmlspecialchars() 传递 $_POST['name'].但是，他们表示这是糟糕的编程实践.

the correct way is to pass the $_POST['name'] via htmlspecialchars(). However, they stated that it is poor programming practice.

这本身并不是一种糟糕的做法.问题是，当您每次将文本内容放入 HTML 时都必须键入 htmlspecialchars 时，您很可能会忘记一个，从而留下一个漏洞.

It's not poor practice in itself. The problem is that when you have to type htmlspecialchars every single time you drop text content into HTML, you are quite likely to forget one, leaving a vulnerability.

那个页面说的是，正确的是，最好拥有一种模板语言，默认情况下转义 HTML，这样您就不必考虑它了.这是大多数 Web 框架目前已经吸取的教训，但原始 PHP 仍然没有方便的方法来做到这一点.

What that page is saying, correctly, is that it's better to have a templating language that HTML-escapes by default, so that you don't have to think about it. This is a lesson most web frameworks have learned by now, but raw PHP still doesn't have a convenient way to do that.

这篇关于如何使 $_POST 更安全?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！