SQL注入和Codeigniter [英] SQL Injection and Codeigniter
问题描述
有关Codeigniter及其输入处理功能的一些疑问。
Some doubts regarding Codeigniter and its Input handling capabilities. Some may be a little weird but they are doubts none-the-less.
- 如果我使用活动记录 CodeIgniter中的类函数是防止SQL注入的输入?
- 我在某处读到了,但我不明白怎么样?或为什么?
- xssclean也以任何方式处理SQL注入?
- If I use the Active Record Class functions in CodeIgniter, is my input prevented against SQL injection?
- I read somewhere that it does, but I don't understand it how? or why?
- Also does xssclean deal with SQL injection in any way?
推荐答案
是我防止SQL注入的输入?
is my input prevented against SQL injection?
',但它提供参数化查询。
Not exactly ‘automatically’, but it does provide parameterised queries. CodeIgniter or no, you should use parameterised queries in preference to query string hacking whenever possible.
$bof= "a'b";
$zot= 'a\b';
// Insecure! Don't do this!
//
$this->db->query("SELECT foo FROM bar WHERE bof='$bof' AND zot='$zot'");
// Secure but annoying to write
//
$this->db->query("SELECT foo FROM bar WHERE bof='".$this->db->escape($bof)."' AND zot='".$this->db->escape($zot)."'");
// This is what you want
//
$this->db->query('SELECT foo FROM bar WHERE bof=? AND zot=?', array($bof, $zot));
注意这与'input'无关:当你从字符串进行SQL查询时, em>必须使用参数化或转义来使它们适合,而不管它们是否是用户输入。这是一个简单的正确性问题;
Note this is nothing to do with ‘input’: when you make an SQL query from strings you must use parameterisation or escaping to make them fit, regardless of whether they're user input or not. This is a matter of simple correctness; security is a side-effect of that correctness.
同样,当您将文本输出到HTML时,您需要对< ,& 和没有使用试图解开输入转义或删除可能会在以后的麻烦,如果你碰巧使用它们没有在SQL或HTML中转义的字符,你会通过在HTML中意外的SQL转义(这是为什么你在错误的应用程序中看到自己的反斜杠)和不必要的HTML转义在SQL中。如果你从除了直接用户输入(例如,数据库中已经存在的材料)之外的其他地方,你不受保护。
Similarly when you output text into HTML, you need to HTML-encode <, & and " characters in it then. It is absolutely no use trying to fiddle with the input to escape or remove characters that might be troublesome in the future if you happen to use them without escaping in SQL or HTML. You'll mangle your output by having unexpected SQL-escaping in HTML (which is why you see self-multiplying backslashes in badly-written apps) and unwanted HTML-escaping in SQL. And should you take text from somewhere other than that direct user input (say, material already in the database) you aren't protected at all.
xssclean也以任何方式处理SQL注入?
Also does xssclean deal with SQL injection in any way?
不,它的目的是HTML注入,但它比无价值更糟糕。从不使用它。
No. It's aimed at HTML injection. But it's worse than worthless. Never use it.
完全是假的(再次,CodeIgniter的或任何人的)。 XSS需要通过正确的HTML转义输出来防止,而不是欺骗输入。 XSS过滤将不会充分保护您,如果您的应用程序不是安全的;至少它会模糊你现有的缺陷,给你一种假的安全感。它还会剔除很多CI认为看起来像标签的有效输入。
"XSS filtering" is completely bogus (again, CodeIgniter's or anyone else's). XSS needs to be prevented by correctly HTML-escaping output, not mangling input. XSS filtering will not adequately protect you if your application is not already secure; at best it will obfuscate your existing flaws and give you a false sense of security. It will also mangle a lot of valid input that CI thinks looks like tags.
这篇关于SQL注入和Codeigniter的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
