When is it best to sanitize user input?


Problem description

User equals untrustworthy. Never trust untrustworthy user's input. I get that. However, I am wondering when the best time to sanitize input is. For example, do you blindly store user input and then sanitize it whenever it is accessed/used, or do you sanitize the input immediately and then store this "cleaned" version? Maybe there are also some other approaches I haven't thought of in addition to these. I am leaning more towards the first method, because any data that came from user input must still be approached cautiously, where the "cleaned" data might still unknowingly or accidentally be dangerous. Either way, what method do people think is best, and for what reasons?

Recommended answer

I like to sanitize it as early as possible, which means the sanitizing happens when the user tries to enter invalid data. If there's a TextBox for their age, and they type in anything other than a number, I don't let the keypress for the letter go through.

Then, whatever is reading the data (often a server), I do a sanity check when I read in the data, just to make sure that nothing slips in due to a more determined user (such as hand-editing files, or even modifying packets!).

Overall, sanitize early and sanitize any time you've lost sight of the data for even a second (e.g. File Save -> File Open)
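The two-layer approach the answer describes (reject bad input at the entry point, then re-check the same rules at every point of use) is shown below as an added example; it is not code from the question or the answer. The field names, the JSON-lines record format and the hand-edited sample file are constructed for illustration. The point of use here is a file that was saved by the program and later tampered with, which is exactly the case the answer calls out.

```python
"""Validate user input at the entry boundary and again at every point of use.

Added example for this Q&A, not code from the question or the answer. Field
names, the JSON-lines record format and the sample records are constructed.
"""
import json
import re

# Whitelist: one to three ASCII digits. [0-9] is deliberate: \d also matches
# Unicode digits such as "\u0663\u0664", which int() would silently turn into 34.
AGE_PATTERN = re.compile(r"[0-9]{1,3}")
AGE_MIN, AGE_MAX = 0, 150
NAME_MAX_LEN = 64


class ValidationError(ValueError):
    """A value failed the whitelist check."""


def validate_age(value) -> int:
    """Return the age as an int or raise ValidationError.

    Accepts the raw string from a form (entry boundary) or the value read back
    from storage (point of use), which a determined user may have hand-edited.
    """
    if isinstance(value, bool):  # bool is an int subclass; reject it explicitly
        raise ValidationError("age must not be a boolean")
    if isinstance(value, str):
        if not AGE_PATTERN.fullmatch(value):
            raise ValidationError(f"age must be 1-3 ASCII digits, got {value!r}")
        value = int(value)
    elif not isinstance(value, int):
        raise ValidationError(f"age has unexpected type {type(value).__name__}")
    if not AGE_MIN <= value <= AGE_MAX:
        raise ValidationError(f"age {value} outside {AGE_MIN}..{AGE_MAX}")
    return value


def validate_name(value) -> str:
    """Non-empty printable text with a bounded length (no control characters)."""
    if not isinstance(value, str) or not value.strip():
        raise ValidationError("name must be a non-empty string")
    if len(value) > NAME_MAX_LEN or not value.isprintable():
        raise ValidationError(f"name too long or not printable: {value!r}")
    return value.strip()


def is_valid_age(value) -> bool:
    """True if validate_age accepts value (the client-side keypress check)."""
    try:
        validate_age(value)
        return True
    except ValidationError:
        return False


def accept_form(form: dict) -> dict:
    """Entry boundary: validate early and keep only the validated fields."""
    return {"name": validate_name(form.get("name")),
            "age": validate_age(form.get("age"))}


def save_records(records: list) -> str:
    """Serialize validated records as one JSON object per line."""
    return "\n".join(json.dumps(r) for r in records)


def load_records(text: str) -> tuple:
    """Point of use: re-validate every stored record instead of trusting it.

    Returns (accepted, rejected); rejected holds (line_no, reason) pairs.
    """
    accepted, rejected = [], []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            record = json.loads(line)
            if not isinstance(record, dict):
                raise ValidationError("record is not a JSON object")
            accepted.append(accept_form(record))
        except (json.JSONDecodeError, ValidationError) as exc:
            rejected.append((line_no, str(exc)))
    return accepted, rejected


# Constructed sample: a file written by save_records and then hand-edited.
TAMPERED_FILE = "\n".join([
    json.dumps({"name": "Alice", "age": 34}),      # untouched, still valid
    '{"name": "Bob", "age": "34abc"}',             # edited: no longer digits
    '{"name": "Carol", "age": 999}',               # edited: out of range
    '{"name": "Dave", "age": "\u0663\u0664"}',     # Unicode digits, int() says 34
    '{"name": "Eve\\u0000", "age": 28}',           # NUL byte smuggled into name
    'this is not json',                            # corrupted line
])

if __name__ == "__main__":
    ok, bad = load_records(TAMPERED_FILE)
    print("accepted:", ok)
    for line_no, reason in bad:
        print(f"rejected line {line_no}: {reason}")
```

Because `validate_age` is the single source of truth for both layers, the keypress filter and the server-side read cannot drift apart; the stored file is treated as just another untrusted input, which is what the question's first approach asks for.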
