PHP XSS 问题/澄清 [英] PHP XSS Question / Clarification
问题描述
之前有人问过这个问题,但我需要 100% 澄清这个问题,因为这对我来说很重要.
This has been asked before but I need 100% clarity on this issue as it's very important for me to get it right.
情况:网站上的消息系统.用户在文本框中输入一条消息,他们提交表单并将其输入到数据库中.然后可以从数据库中调用这些数据,并在 标签中显示给另一个用户.
The situation: A message system on a website. The user enters a message into a text-box, they submit the form and it gets entered to the database. This data can then be called from the database and displayed within <span>tags to another user.
我需要采取哪些安全措施来防止这些数据被恶意使用?我已经使用 mysql_real_escape_string 来停止任何注入,而 strip_tags 似乎很有用,但我听说过很多其他的名字.考虑到这些数据仅显示在 标签中,我需要使用什么来保护这些数据?
What security procedures do I need to take to prevent this data from being malicious? I already use the mysql_real_escape_string to stop any injection and strip_tags seems useful but I have heard lots of other names mentioned. What do I need to use to protect this data considering it is only displayed in <span> tags?
谢谢.
推荐答案
误解是你想转义输入,这是错误的.您必须过滤输出(数据库也是输出).
The misconception is that you want to escape the input, which is wrong. You have to filter the output (and database is also an output).
表示提交表单时,使用mysql_real_escape_string()发送(输出)数据到数据库,使用htmlspecialchars()输出内容屏幕上.相同的原则适用于正则表达式,您将在其中使用 preg_quote(),等等.
It means that when the form is submitted, you use mysql_real_escape_string() to send (output) data to database, and you use htmlspecialchars() to output the content on the screen. The same principle applies to regular expressions, where you'd use preg_quote(), and so on.
无论数据来自何处,您都必须在将其发送到何处的上下文中对其进行转义.
No matter where data is coming from, you have to escape it in the context of where you are sending it to.
所以为了防止 XSS 攻击,你必须使用 htmlspecialchars()/htmlentities().mysql_real_escape_string 和 XSS 没有任何关系(但是你在向数据库发送数据的时候还是要使用它)
So for preventing XSS attacks, you must use htmlspecialchars() / htmlentities(). mysql_real_escape_string has nothing to do with XSS (but you still have to use it when you are sending data to the database).
这篇关于PHP XSS 问题/澄清的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
