Codeigniter - 清理输入的最佳实践 [英] Codeigniter - best practice to sanitize input
问题描述
我想知道使用Codeigniter清理用户输入的最佳做法是什么。
我明白CI提供form_validation,例如set_rules。
'set_rules'=>'trim | xss_clean | alpha_numeric | htmlspecialchars'
任何接受一个参数的本地PHP函数都可以用作
规则,如htmlspecialchars,trim, MD5等
我的问题是,
足以保护我们免受xss,sql注入攻击等等。
还有什么其他规则可以应用吗?
我理解MD5是一个哈希函数,但是如果你将MD5设置为规则的一部分?
上面我已经添加了javascript验证。我在正确的轨道上消毒输入和验证用户输入?请求建议。
清理只是通过各种过滤器运行您的输入。
清理你的输入是不会污染你的应用程序与你不想要的用户数据。
但是,最大的问题是,你不想要什么?
第一个例子
您创建了一个页面,允许用户发送短信。您预期的输入将是电话号码和短信。
查看 Rule reference in the manual,我可能会去这些规则:
numeric | exact_length [8]
这些规则是为了确保输入是nummeric和输入匹配的长度我的地区的phonenumbers。由于我已经验证输入是nummeric,我可以假设XSS和SQL注入尝试应该失败(因为这些攻击包含非数字字符)。
对于文本消息字段,我将使用修剪和必需: trim | required ,因为我不发送空消息。
第二个例子
允许用户发表评论,是允许用户垃圾网站或插入恶意代码的好方法。
基本上,您不知道的是姓名,电子邮件和评论。
需要。电子邮件需要验证。但是注释和名称需要对XSS和空格/换行符进行一些清理。
我使用sanitazion的验证看起来像这样:
$ this-> form_validation-> set_rules('name','Name','required | trim | xss_clean');
$ this-> form_validation-> set_rules('email','Email','required | trim | valid_email');
$ this-> form_validation-> set_rules('comment','Comment','required | trim | xss_clean');
清理你必须的东西 - 不是你能做的 - 做你需要的sanitaziton。 >
确保将数据插入到后端以使用 Active Record / Query Builder ,以正确转义您的输入,或者您正在使用查询绑定为你。
I would like to know what's the best practice to sanitize user input using Codeigniter.
I understands that CI offers form_validation, such as set_rules.
'set_rules'=>'trim|xss_clean|alpha_numeric|htmlspecialchars'
"Any native PHP function that accepts one parameter can be used as a rule, like htmlspecialchars, trim, MD5, etc."
My question now is,
is this enough to protect us from xss, sql injection attacks etc?
what other rules are there that I can apply?
in term of performance, is it costly for us to apply all these rules for all the inputs?
I understand MD5 is a hash funciton, but what happens if you set MD5 as part of the rule?
above that I've added javascript validation as well. Am I on the right track on sanitizing inputs and validating user inputs? Please advice.
Sanitizing is more that just running your input through all sorts of filters.
Sanitizing your input is about not polluting your application with user data you don't want.
The big question, though, what is it you don't want?
First example
You've made a page, allowing a user to send a text message. Your expected input would be a phone number and a text message.
Looking at the Rule reference in the manual, I would probably go for these rules:
numeric|exact_length[8]
These rules as I would like to make sure that the input is nummeric and that the input matches the length of phonenumbers in my region. Since I already validate that the input is nummeric, I can assume that XSS and SQL injection attempts should fail (as these attacks contain non-nummeric characters).
For the text message field, I would use trim and required: trim|required as I don't wan't an empty message sent.
Second example
Allowing users to comment, is a good way to allow users to spam your site or inject malicious code.
Basically, what you wan't is a name, an email and the comment.
All input needs to be required. The e-mail needs to validate. But the comment and name needs to have some cleaning of XSS and overhead spaces/line feeds.
My validation with sanitazion would look like this:
$this->form_validation->set_rules('name', 'Name', 'required|trim|xss_clean');
$this->form_validation->set_rules('email', 'Email', 'required|trim|valid_email');
$this->form_validation->set_rules('comment', 'Comment', 'required|trim|xss_clean');
Sanitize what you must - not what you can - and do the sanitaziton for what you need.
Make sure, when you insert the data to your backend to use the Active Record/Query Builder for escaping your input correctly or that your are using Query Bindings which does the same for you.
这篇关于Codeigniter - 清理输入的最佳实践的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
