What are the best PHP input sanitizing functions?

Question

I am trying to come up with a function that I can pass all my strings through to sanitize. So that the string that comes out of it will be safe for database insertion. But there are so many filtering functions out there I am not sure which ones I should use/need.

Please help me fill in the blanks:

function filterThis($string) {
    $string = mysql_real_escape_string($string);
    $string = htmlentities($string);
    // etc...
    return $string;
}

Accepted answer

Stop!

You're making a mistake here. Oh, no, you've picked the right PHP functions to make your data a bit safer. That's fine. Your mistake is in the order of operations, and how and where to use these functions.

It's important to understand the difference between sanitizing and validating user data, escaping data for storage, and escaping data for presentation.

When users submit data, you need to make sure that they've provided something you expect.

For example, if you expect a number, make sure the submitted data is a number. You can also cast user data into other types. Everything submitted is initially treated like a string, so forcing known-numeric data into being an integer or float makes sanitization fast and painless.

What about free-form text fields and textareas? You need to make sure that there's nothing unexpected in those fields. Mainly, you need to make sure that fields that should not have any HTML content do not actually contain HTML. There are two ways you can deal with this problem.

First, you can try escaping HTML input with htmlspecialchars. You should not use htmlentities to neutralize HTML, as it will also perform encoding of accented and other characters that it thinks also need to be encoded.

Second, you can try removing any possible HTML. strip_tags is quick and easy, but also sloppy. HTML Purifier does a much more thorough job of both stripping out all HTML and also allowing a selective whitelist of tags and attributes through.

Modern PHP versions ship with the filter extension, which provides a comprehensive way to sanitize user input.

Making sure that submitted data is free from unexpected content is only half of the job. You also need to try and make sure that the data submitted contains values you can actually work with.

If you're expecting a number between 1 and 10, you need to check that value. If you're using one of those new fancy HTML5-era numeric inputs with a spinner and steps, make sure that the submitted data is in line with the step.

If that data came from what should be a drop-down menu, make sure that the submitted value is one that appeared in the menu.

What about text inputs that fulfill other needs? For example, date inputs should be validated through strtotime or the DateTime class. The given date should be between the ranges you expect. What about email addresses? The previously mentioned filter extension can check that an address is well-formed, though I'm a fan of the is_email library.

The same is true for all other form controls. Have radio buttons? Validate against the list. Have checkboxes? Validate against the list. Have a file upload? Make sure the file is of an expected type, and treat the filename like unfiltered user data.

Every modern browser comes with a complete set of developer tools built right in, which makes it trivial for anyone to manipulate your form. Your code should assume that the user has completely removed all client-side restrictions on form content!

Now that you've made sure that your data is in the expected format and contains only expected values, you need to worry about persisting that data to storage.

Every single data storage mechanism has a specific way to make sure data is properly escaped and encoded. If you're building SQL, then the accepted way to pass data in queries is through prepared statements with placeholders.

One of the better ways to work with most SQL databases in PHP is the PDO extension. It follows the common pattern of preparing a statement, binding variables to the statement, then sending the statement and variables to the server. If you haven't worked with PDO before, here's a pretty good MySQL-oriented tutorial.

Some SQL databases have their own specialty extensions in PHP, including SQL Server, PostgreSQL and SQLite 3. Each of those extensions has prepared statement support that operates in the same prepare-bind-execute fashion as PDO. Sometimes you may need to use these extensions instead of PDO to support non-standard features or behavior.

MySQL also has its own PHP extensions. Two of them, in fact. You only want to ever use the one called mysqli. The old "mysql" extension has been deprecated and is not safe or sane to use in the modern era.

I'm personally not a fan of mysqli. The way it performs variable binding on prepared statements is inflexible and can be a pain to use. When in doubt, use PDO instead.

If you are not using an SQL database to store your data, check the documentation for the database interface you're using to determine how to safely pass data through it.

When possible, make sure that your database stores your data in an appropriate format. Store numbers in numeric fields. Store dates in date fields. Store money in a decimal field, not a floating point field. Review the documentation provided by your database on how to properly store different data types.

Every time you show data to users, you must make sure that the data is safely escaped, unless you know that it shouldn't be escaped.

When emitting HTML, you should almost always pass any data that was originally user-supplied through htmlspecialchars. In fact, the only time you shouldn't do this is when you know that the user provided HTML, and that you know it's already been sanitized using a whitelist.

Sometimes you need to generate some Javascript using PHP. Javascript does not have the same escaping rules as HTML! A safe way to provide user-supplied values to Javascript via PHP is through json_encode.

There are many more nuances to data validation.

For example, character set encoding can be a huge trap. Your application should follow the practices outlined in "UTF-8 all the way through". There are hypothetical attacks that can occur when you treat string data as the wrong character set.

Earlier I mentioned browser debug tools. These tools can also be used to manipulate cookie data. Cookies should be treated as untrusted user input.

Data validation and escaping are only one aspect of web application security. You should make yourself aware of web application attack methodologies so that you can build defenses against them.
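The validate, store, escape sequence the answer describes, carried through for one form submission as an added example; this is not code from the original answer or from the asker. It assumes PHP 7.4 or later with the filter, PDO and pdo_sqlite extensions loaded, uses an in-memory SQLite database so it runs stand-alone, and the function names and the sample $post array are constructed for the illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original answer: one submission run through
// validate -> store -> escape. Assumes PHP 7.4+ with filter, PDO and pdo_sqlite.

// 1. Validation: only accept what the form is supposed to send.
function validateSubmission(array $post, array $allowedColors): array
{
    $errors = [];

    // Number expected between 1 and 10; the filter extension enforces the range.
    $rating = filter_var($post['rating'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 10]]);
    if ($rating === false) {
        $errors[] = 'rating must be an integer between 1 and 10';
    }

    // Drop-down value: must be one of the values that actually appeared in the menu.
    $color = $post['color'] ?? '';
    if (!in_array($color, $allowedColors, true)) {
        $errors[] = 'color is not one of the menu options';
    }

    // Date: parse with a fixed format, reject anything that does not round-trip, then range-check.
    $raw = (string)($post['date'] ?? '');
    $date = DateTime::createFromFormat('!Y-m-d', $raw);
    if ($date === false || $date->format('Y-m-d') !== $raw) {
        $errors[] = 'date is not a valid YYYY-MM-DD date';
    } elseif ($date < new DateTime('2000-01-01')) {
        $errors[] = 'date is earlier than accepted';
    }

    // Email: well-formedness check from the filter extension.
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'email is not well-formed';
    }

    // Free-form text stays a plain string here; escaping is done at output time.
    $comment = (string)($post['comment'] ?? '');

    return [$errors, compact('rating', 'color', 'date', 'email', 'comment')];
}

// 2. Storage: prepared statement with placeholders; no manual escaping anywhere.
function storeSubmission(PDO $db, array $clean): int
{
    $stmt = $db->prepare('INSERT INTO submissions (rating, color, submitted_on, email, comment)
                          VALUES (:rating, :color, :submitted_on, :email, :comment)');
    $stmt->bindValue(':rating', $clean['rating'], PDO::PARAM_INT);
    $stmt->bindValue(':color', $clean['color']);
    $stmt->bindValue(':submitted_on', $clean['date']->format('Y-m-d'));
    $stmt->bindValue(':email', $clean['email']);
    $stmt->bindValue(':comment', $clean['comment']);
    $stmt->execute();
    return (int)$db->lastInsertId();
}

// 3a. Output into HTML: htmlspecialchars, quotes included, with an explicit charset.
function renderHtml(array $row): string
{
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p>' . $h($row['email']) . ': ' . $h($row['comment']) . '</p>';
}

// 3b. Output into JavaScript: json_encode, with the HEX flags so the literal
//     cannot close the surrounding <script> element.
function renderJs(array $row): string
{
    $json = json_encode($row, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return '<script>var submission = ' . $json . ';</script>';
}

// Constructed sample input standing in for $_POST, including text that would
// misbehave if it were concatenated into SQL or HTML.
$post = [
    'rating'  => '7',
    'color'   => 'green',
    'date'    => '2024-03-05',
    'email'   => 'user@example.com',
    'comment' => "Great <b>product</b>'; DROP TABLE submissions; --",
];

[$errors, $clean] = validateSubmission($post, ['red', 'green', 'blue']);
if ($errors !== []) {
    foreach ($errors as $e) { echo "rejected: $e\n"; }
    exit(1);
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE submissions (id INTEGER PRIMARY KEY, rating INTEGER, color TEXT,
           submitted_on TEXT, email TEXT, comment TEXT)');
$id = storeSubmission($db, $clean);

$stmt = $db->prepare('SELECT rating, color, submitted_on, email, comment FROM submissions WHERE id = :id');
$stmt->execute([':id' => $id]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

echo renderHtml($row), "\n", renderJs($row), "\n";
```

Note how no step escapes for a context it is not in: validation checks shape and range, the PDO placeholders handle SQL, and the two render functions escape the same row differently because HTML and JavaScript have different rules. Changing the sample rating to "11", the color to "purple" or the date to "2024-02-30" makes validateSubmission return the matching error instead of storing anything.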
