SQL prevention of XSS


Question

Hey guys, so I've got a question: is there something I could use when inserting data into the SQL to prevent XSS, instead of when reading it?

For example, I have quite a bit of output from my SQL that is user generated. Is it possible to just make that safe on entering SQL, or do I have to make it safe when it leaves SQL?

TL;DR: can I use something like htmlspecialchars when inserting data into SQL to prevent XSS? Will that be any sort of good protection?

Recommended answer


I think several things are mixed up in the question.

In general you can't prevent XSS with input validation, except in very special cases when you can validate input for something very strict like numbers only.


Consider this html page (let's imagine <?= is used to insert data into your html in your server-side language because you hinted at PHP, could of course differ by language used):

<script>
    var myVar = <?= var1 ?>;
</script>

In this case, var1 on the server doesn't need to have any special character; letters alone are enough to inject javascript. Whether that can be useful for an attacker depends on several things, but technically, this would be vulnerable to XSS with almost any input validation. Of course such an assignment may not currently be in your Javascript, but how will you ensure that there never will be?


Another example is obviously DOM XSS, where input does not ever get to the server, but that's a different story.


Preventing XSS is an output encoding thing. Input validation may help in some cases, but will not provide sufficient protection in most cases.

It is generally not a good idea to store values html-encoded in your database. On the one hand, it makes searching, ordering, and any kind of processing much more cumbersome. On the other hand, it violates single responsibility and separation of concerns. Encoding is a view-level thing; your backend database has nothing to do with how you will want to present that data. It's even more emphasized when you consider different encodings. HTML encoding is only ok if you want to write the data into an HTML context. If it's javascript (in a script tag, or in an on* attribute like onclick, or several other places), html encoding is not sufficient, let alone where you have more special outputs. Your database doesn't need to know where the data will be used; it's an output thing, and as such it should be handled by views.
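As an added example (not code from the original answer), here is the context-dependent output encoding the answer describes, in Python with an in-memory SQLite table: user input is stored raw, and the view applies an HTML-context encoder or a JavaScript-context encoder depending on where the value lands, including the page's `var myVar = <?= var1 ?>;` template rendered both ways. The function names and sample rows are constructed for this example.

```python
import html
import json
import sqlite3

SAMPLE_NAMES = ["Tom & Jerry", "alert(1)", "<b>bold</b>"]  # constructed, stored raw


def build_db():
    """In-memory table holding raw user input (not html-encoded), as the answer recommends."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT)")
    con.executemany("INSERT INTO posts (author) VALUES (?)",
                    [(n,) for n in SAMPLE_NAMES])
    return con


def fetch_author(con, row_id):
    return con.execute("SELECT author FROM posts WHERE id = ?", (row_id,)).fetchone()[0]


def for_html(value):
    """Encoder for an HTML text or attribute context (htmlspecialchars-like)."""
    return html.escape(value, quote=True)


def for_js_value(value):
    """Encoder for a JavaScript value context inside a <script> block:
    JSON-serialise so the value is always a string literal, then escape
    <, >, & as \\uXXXX so the literal can never close the script tag."""
    s = json.dumps(value)
    return s.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def render_html_context(con, row_id):
    """View for <p><?= author ?></p>: HTML encoding is the right tool here."""
    return "<p>%s</p>" % for_html(fetch_author(con, row_id))


def render_js_context_wrong(con, row_id):
    """The page's pattern `var myVar = <?= var1 ?>;` with only HTML encoding:
    a value made of letters passes untouched and becomes JavaScript code."""
    return "var myVar = %s;" % for_html(fetch_author(con, row_id))


def render_js_context_right(con, row_id):
    """Same template with a JavaScript-context encoder: the value stays data."""
    return "var myVar = %s;" % for_js_value(fetch_author(con, row_id))


def search_authors(con, needle):
    """Searching the raw column works; a stored 'Tom &amp; Jerry' would not
    match a user typing '&', which is the processing cost the answer mentions."""
    rows = con.execute("SELECT author FROM posts WHERE author LIKE ? ORDER BY author",
                       ("%" + needle + "%",))
    return [r[0] for r in rows]
```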
