在哪里清理PHP $ _POST []输入? [英] Where to sanitize PHP $_POST[] input?
问题描述
我使用codeigniter框架。
我应该在哪里清理PHP输入 - 控制器或模型?
我曾经是一个朋友尽可能集中卫生,但广泛讨论SO( 例如此处 )改变了我的想法。非常值得阅读。
我向你提交以下做法:
在中央验证程序中,do没有卫生或只是粗糙检查(例如,对于数据类型)和大小($ _POST [category_name]不应该大于200字节。)
将传入变量标记为不安全(例如 $ unsafe_id = $ _POST [category_name]; )。将它们存储在您可以使用的任何控制器/类/构造中。
清理数据使用位置。如果在 exec 调用中使用传入数据,请在调用前直接执行必要的卫生处理:
$ safe_category_name = escapeshellargs($ unsafe_category_name);
exec(external_binary -category_name'$ safe_category_name');
如果相同的数据然后用于,例如mySQL查询,再次清理它调用:
$ safe_category_name = mysql_real_escape_string($ unsafe_category_name);
mysql_query(SELECT * FROM items WHERE category_name ='$ safe_category_name');
(这只是一个例子,如果从头开始一个项目,你将使用PDO和准备的语句,这消除了在此上下文中转义传入数据的麻烦。)
如果相同的数据然后在网页中输出,再次直接在卫生前面的调用:
$ safe_category_name = htmlspecialchars($ unsafe_category_name);
echo< span> $ safe_category_name< / span>;
这种做法
-
建立一个工作流程,假设有不安全的变量需要首先处理,这导致更安全的编程风格IMO。
单击方法使输入安全。没有。卫生取决于上下文的100%。
I am using codeigniter framework.
where should i sanitize PHP input - controller or model ?
I used to be a friend of centralizing sanitation as much as possible, but extensive discussion on SO (for example here) has changed my mind. Definitely worth a read.
I submit to you the following practice:
In a central validation routine, do no sanitation, or just "rough" checks (say, for data type) and size ("$_POST["category_name"] should not be larger than 200 bytes.")
Mark incoming variables as unsafe (e.g. $unsafe_id = $_POST["category_name"];). Store them in whatever controller / class / construct you have available for it.
Sanitize data where it is used. If incoming data is used in a exec call for example, do the necessary sanitation directly in front of the call:
$safe_category_name = escapeshellargs($unsafe_category_name);
exec("external_binary -category_name '$safe_category_name'");
if the same data is then used in a, say, mySQL query, again sanitize it in front of the call:
$safe_category_name = mysql_real_escape_string ($unsafe_category_name);
mysql_query("SELECT * FROM items WHERE category_name = '$safe_category_name'");
(this is just an example. If starting a project from scratch, you will want to use PDO and prepared statements, which takes away the hassle of escaping incoming data in this context.)
if the same data is then output in a web page, again do the sanitation directly in front of the call:
$safe_category_name = htmlspecialchars($unsafe_category_name);
echo "<span>$safe_category_name</span>";
This practice
Establishes a workflow that assumes there are unsafe variables that need to be dealt with first, which leads to a safer programming style IMO.
Prevents unnecessary conversions.
Helps fight the illusion that there is a one-click method to make input "safe." There isn't. Sanitation depends 100% on context.
这篇关于在哪里清理PHP $ _POST []输入?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
